»Vault Agent Auto-Auth File Sink
The file
sink writes tokens, optionally response-wrapped and/or encrypted, to
a file. This may be a local file or a file mapped via some other process (NFS,
Gluster, CIFS, etc.).
Once the sink writes the file, it is up to the client to control lifecycle; generally it is best for the client to remove the file as soon as it is seen.
It is also best practice to write the file to a ramdisk, ideally an encrypted
ramdisk, and use appropriate filesystem permissions. The file is currently
written with 0640
permissions as default, but can be overridden with the optional
'mode' setting.
»Configuration
-
path
(string: required)
- The path to use to write the token file -
mode
(int: optional)
- A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to0000
to prevent Vault from modifying the file mode. Note: This configuration option is only available in Vault 1.3.0 and above.