agent/auto-auth: add exit_on_err configurable

Open jasonodonnell opened this issue 2 years ago • 2 comments

When Agent's auto-auth encounters a problem it will retry indefinitely, regardless of the error. This configurable allows users to specify if Vault should exit on auto-auth error, similar to exit_on_err in the caching engine: https://www.vaultproject.io/docs/agent/caching#exit_on_err.

At the moment this will exit on any error, but I'm open to only exiting on some errors (such as 400 errors).

jasonodonnell, Sep 09 '22 19:09

What's the motivation/use case here? And can you clarify in the docs that this applies not just to initial auth, but also any re-auth that occurs once renewal is no longer possible, either due to a renewal failure or the token TTL being reached?

ncabatoff, Sep 09 '22 19:09

> What's the motivation/use case here? And can you clarify in the docs that this applies not just to initial auth, but also any re-auth that occurs once renewal is no longer possible, either due to a renewal failure or the token TTL being reached?

The motivation here is that auto-auth will continually try to auth indefinitely, even if there's a misconfiguration (role doesn't exist) or the Vault server isn't online. I will update the doc with more information as well, good call out.

jasonodonnell, Sep 09 '22 19:09

@ncabatoff Updated the doc. Thanks for the suggestion!

jasonodonnell, Sep 15 '22 15:09