open-vault/website/content/docs/agent/autoauth/methods/jwt.mdx
tdsacilowski 887e77c2ae
Agent JWT auto auth remove_jwt_after_reading config option (#11969)
Add a new config option for Vault Agent's JWT auto auth
`remove_jwt_after_reading`, which defaults to true. Can stop
Agent from attempting to delete the file, which is useful in k8s
where the service account JWT is mounted as a read-only file
and so any attempt to delete it generates spammy error logs.

When leaving the JWT file in place, the read period for new
tokens is 1 minute instead of 500ms to reflect the assumption
that there will always be a file there, so finding a file does not
provide any signal that it needs to be re-read. Kubernetes
has a minimum TTL of 10 minutes for tokens, so a period of
1 minute gives Agent plenty of time to detect new tokens,
without leaving it too unresponsive. We may want to add a
config option to override these default periods in the future.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-07-25 07:42:09 -06:00

21 lines
577 B
Plaintext

---
layout: docs
page_title: Vault Agent Auto-Auth JWT Method
description: JWT Method for Vault Agent Auto-Auth
---
# Vault Agent Auto-Auth JWT Method
The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
method](/docs/auth/jwt).
## Configuration
- `path` `(string: required)` - The path to the JWT file
- `role` `(string: required)` - The role to authenticate against on Vault
- `remove_jwt_after_reading` `(bool: optional, defaults to true)` -
This can be set to `false` to disable the default behavior of removing the
JWT after it's been read.