Vault
Vault agent and Vault proxy Auto-Auth file sink
The file
sink writes tokens, optionally response-wrapped and/or encrypted, to
a file. This may be a local file or a file mapped via some other process (NFS,
Gluster, CIFS, etc.).
Once the sink writes the file, it is up to the client to control lifecycle; generally it is best for the client to remove the file as soon as it is seen.
It is also best practice to write the file to a ramdisk, ideally an encrypted
ramdisk, and use appropriate filesystem permissions. The file is currently
written with 0640
permissions as default, but can be overridden with the optional
'mode' setting.
Configuration
path
(string: required)
- The path to use to write the token filemode
(int: optional)
- A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to0000
to prevent Vault from modifying the file mode. Note: This configuration option is only available in Vault 1.3.0 and above.
Note: Configuration options for response-wrapping and encryption for the sink file are located within the options common to all sinks documentation.