Vault agent and Vault proxy Auto-Auth file sink
The file sink writes tokens, optionally response-wrapped and/or encrypted, to
a file. This may be a local file or a file mapped via some other process (NFS,
Gluster, CIFS, etc.).
Once the sink writes the file, it is up to the client to control lifecycle; generally it is best for the client to remove the file as soon as it is seen.
It is also best practice to write the file to a ramdisk, ideally an encrypted
ramdisk, and use appropriate filesystem permissions. The file is currently
written with 0640 permissions as default, but can be overridden with the
optional 'mode' setting.
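One way a client can follow the guidance above, shown as an added example (not part of the Vault documentation or Vault's own code): it opens the sink file without following symlinks, checks owner and mode on the open descriptor, reads the token, then removes the file. It assumes a plain token (not response-wrapped or encrypted); `consume_token`, `UnsafeTokenFile`, the 0640 ceiling taken from the sink default, and the sample token are constructed for illustration.

```python
import os
import stat
import tempfile


class UnsafeTokenFile(Exception):
    """The sink file failed an ownership, type or permission check."""


def consume_token(path, expected_uid=None, max_mode=0o640):
    """Read the token at `path`, delete the file, and return the token.

    Checks use fstat() on the open descriptor, so the file that is
    validated is the same file that is read.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: fail if a symlink sits at the sink path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as fh:
        st = os.fstat(fh.fileno())
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeTokenFile("not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafeTokenFile(f"unexpected owner uid {st.st_uid}")
        if mode & ~max_mode:
            raise UnsafeTokenFile(f"mode {mode:04o} exceeds {max_mode:04o}")
        token = fh.read().strip()
    if not token:
        raise UnsafeTokenFile("empty token file")
    os.unlink(path)  # remove as soon as the token has been seen
    return token


def demo():
    """Write a constructed (fake) token to a temp file and consume it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vault-token")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("hvs.CONSTRUCTED-EXAMPLE-TOKEN\n")
        token = consume_token(path)
        return token, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

A file that fails a check is left in place so it can be inspected, and the caller gets an exception instead of a token.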
Configuration
path (string: required) - The path to use to write the token file.
mode (int: optional) - Octal number string representing the bit pattern for the file mode, similar to chmod.
owner (int: optional) - The UID to use for the token file. Defaults to the current user ID.
group (int: optional) - The GID to use for the token file. Defaults to the current group ID.
Note: Configuration options for response-wrapping and encryption for the sink file are located within the options common to all sinks documentation.