
Vault Agent supporting token helper similar to token file auto auth

Open trodemaster opened this issue 7 months ago • 0 comments

Is your feature request related to a problem? Please describe.

Currently, Vault Agent's auto-auth methods do not support using Vault's token helper functionality to retrieve tokens. This limits integration with custom or external token storage mechanisms that are already supported by the Vault CLI via token helpers. Users who rely on token helpers for managing tokens (e.g., storing tokens in a secure location or using a custom retrieval mechanism) cannot leverage this in Vault Agent auto-auth workflows.

Describe the solution you'd like

Introduce a new auto-auth method for Vault Agent that uses Vault's token helper functionality to retrieve a Vault token, similar to the existing token file method. This method would:

  • Invoke the configured token helper to fetch the Vault token directly.
  • Not attempt to auto-renew the token; it simply retrieves the token as provided by the token helper.
  • Require configuration values for the Vault address and Vault namespace to ensure the correct context is used when invoking the token helper.

Describe alternatives you've considered

  • Using the existing token file auto-auth method, but this does not support the flexibility and security of token helpers (e.g., encrypted storage, hardware-backed helpers, etc.).
  • Manually scripting token retrieval and writing to a file, but this is error-prone and less secure than using the built-in token helper interface.

Explain any additional use-cases

  • We want to use Vault Agent on end user laptops to eliminate usage of secrets on disk in .env files

Additional context

  • The new auto-auth method should closely mirror the behavior of the token file method, but use the token helper interface for token retrieval.
  • This would improve consistency between Vault CLI and Vault Agent, and enable more flexible and secure token management strategies.
  • Reference: Vault Token Helper Documentation

trodemaster May 22 '25 20:05
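A sketch of the retrieval step this request describes, added here as an example; it is not code from Vault or from the issue author. The `get` argument and the `VAULT_ADDR` variable follow the documented token helper interface; passing `VAULT_NAMESPACE`, the function names, the sample helper, the addresses and the 5-second timeout are assumptions.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"time"
)

// FetchToken runs the helper with the single argument "get" and returns the token it
// prints on stdout. Errors carry stderr only, since stdout may hold token material.
func FetchToken(helperPath, addr, namespace string) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel() // a hung helper must not block the agent forever
	cmd := exec.CommandContext(ctx, helperPath, "get")
	cmd.Env = append(os.Environ(), "VAULT_ADDR="+addr, "VAULT_NAMESPACE="+namespace)
	var stdout, stderr bytes.Buffer
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	if err := cmd.Run(); err != nil {
		return "", fmt.Errorf("token helper failed: %w: %s", err, strings.TrimSpace(stderr.String()))
	}
	token := strings.TrimSpace(stdout.String())
	if token == "" { // helper ran but holds nothing for this address
		return "", errors.New("token helper returned no token for " + addr)
	}
	return token, nil
}

// WriteSampleHelper writes a constructed helper script that knows one address only.
func WriteSampleHelper(dir string) (string, error) {
	script := "#!/bin/sh\n[ \"$1\" = get ] || { echo \"unsupported: $1\" >&2; exit 1; }\n" +
		"[ \"$VAULT_ADDR\" = https://vault.example.test:8200 ] && echo constructed-token-value\nexit 0\n"
	path := dir + "/sample-token-helper"
	return path, os.WriteFile(path, []byte(script), 0o700)
}

func main() {
	dir, _ := os.MkdirTemp("", "helper")
	defer os.RemoveAll(dir)
	helper, _ := WriteSampleHelper(dir)
	for _, addr := range []string{"https://vault.example.test:8200", "https://other.example.test:8200"} {
		tok, err := FetchToken(helper, addr, "team-a")
		fmt.Println(addr, "token bytes:", len(tok), "err:", err) // never print the token itself
	}
}
```

The token is returned to the caller as provided, with no renewal attempt, matching the behaviour requested above.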