Vault
Vault agent and Vault proxy Auto-Auth file sink
The file
sink writes tokens, optionally response-wrapped and/or encrypted, to
a file. This may be a local file or a file mapped via some other process (NFS,
Gluster, CIFS, etc.).
Once the sink writes the file, it is up to the client to control lifecycle; generally it is best for the client to remove the file as soon as it is seen.
It is also best practice to write the file to a ramdisk, ideally an encrypted
ramdisk, and use appropriate filesystem permissions. The file is currently
written with 0640
permissions as default, but can be overridden with the optional
'mode' setting.
Configuration
path
(string: required)
- The path to use to write the token filemode
(int: optional)
- Octal number string representing the bit pattern for the file mode, similar tochmod
.owner
(int: optional)
- The UID to use for the token file. Defaults to the current user ID.group
(int: optional)
- The GID to use for token file. Defaults to the current group ID.
Note: Configuration options for response-wrapping and encryption for the sink file are located within the options common to all sinks documentation.