887e77c2ae
Add a new config option for Vault Agent's JWT auto auth `remove_jwt_after_reading`, which defaults to true. Can stop Agent from attempting to delete the file, which is useful in k8s where the service account JWT is mounted as a read-only file and so any attempt to delete it generates spammy error logs. When leaving the JWT file in place, the read period for new tokens is 1 minute instead of 500ms to reflect the assumption that there will always be a file there, so finding a file does not provide any signal that it needs to be re-read. Kubernetes has a minimum TTL of 10 minutes for tokens, so a period of 1 minute gives Agent plenty of time to detect new tokens, without leaving it too unresponsive. We may want to add a config option to override these default periods in the future. Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
21 lines
577 B
Plaintext
---
layout: docs
page_title: Vault Agent Auto-Auth JWT Method
description: JWT Method for Vault Agent Auto-Auth
---

# Vault Agent Auto-Auth JWT Method

The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
method](/docs/auth/jwt).

## Configuration

- `path` `(string: required)` - The path to the JWT file

- `role` `(string: required)` - The role to authenticate against on Vault

- `remove_jwt_after_reading` `(bool: optional, defaults to true)` -
  This can be set to `false` to disable the default behavior of removing the
  JWT after it's been read.
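
An illustrative Vault Agent configuration for the Kubernetes case described in the commit message, where the service account JWT is mounted read-only. This is an added example, not part of the original docs page; the mount path, role name, token path and sink path are assumed values.

```hcl
auto_auth {
  method "jwt" {
    # Assumed mount point of the JWT auth method on the Vault server.
    mount_path = "auth/jwt"

    config = {
      # Assumed location: the projected service account token in a pod.
      path = "/var/run/secrets/kubernetes.io/serviceaccount/token"

      # Hypothetical role name; it must exist on the JWT auth mount.
      role = "example-role"

      # The file is mounted read-only, so Agent cannot delete it.
      # Setting this to false stops the delete attempt (and the
      # resulting error logs); Agent then re-reads the file
      # periodically instead of waiting for a new file to appear.
      remove_jwt_after_reading = false
    }
  }

  sink "file" {
    config = {
      # Assumed path where Agent writes the resulting Vault token.
      path = "/home/vault/.vault-token"
    }
  }
}
```

With `remove_jwt_after_reading = false` the JWT stays on disk for as long as it is valid, so read access to that file should be limited to the user Agent runs as.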