Vault agent does not re-authenticate as soon as it receives a new JWT token with auto-auth

[edevil]

In the vault agent documentation we can read that:

The jwt method reads in a JWT from a file and sends it to the JWT Auth method. Since JWTs often have limited lifetime, it constantly watches for a new JWT to be written, and when found it will immediately ingress this value, delete the file, and use the new JWT to perform a reauthentication.

However, that's not the behaviour implemented since #5615, we now have to set an undocumented flag in order to obtain the behaviour described. That wouldn't be a big issue, the flag could be added to the documentation, but the comment on top of the flag is a bit worrying:

NOTE: This is unsupported outside of testing and may disappear at any time.

Since the documented behaviour makes sense, we should use the JWT immediately, I ask for this flag not be removed in the future and documented properly.

[pmmukh]

Hi @edevil ! Thanks for submitting this issue! I do agree that the documentation is probably a bit confusing and refers to the behavior prior to the PR you linked, and I'll keep this issue open till we get around to updating the docs. However, I don't think you should be using undocumented flags in your code, as the comment notes, this is a flag we use to facilitate testing, and not one that our users should be required to configure, as it typically does not add a lot of value and as noted in this old issue #5522, used to sometimes cause very frequent token regenerations.
If you do have a specific use case where reauthentication is necessary whenever a new JWT is created, would be happy to chat about that!

[pmmukh]

I've removed the comment around immediate jwt auto-auth reauthentication from the docs, to reflect the current behavior. Closing this issue out as I don't think any further action is required at this time, if that seems wrong please feel free to reopen it!

[edevil]

Hello @pmmukh.

Our use case is that we use auto-auth with JWT tokens. These JWT tokens have 60s of validity, and are written by an external component to the path vault agent is expecting every hour plus some splay. When vault agent uses the JWT to authenticate it obtains a session token that needs to be renewed every hour and has a lifetime of 8 hours.

If vault agent only reauthenticates when the session token lifetime expires, it's highly unlikely that the JWT it has loaded is still valid, so it will fail to login.

We also don't want to have to synchronize the external process because we need to add some splay to prevent all agents from trying to authenticate at the same time.

[pmmukh]

Hi @edevil ! Thank you for sharing your use case, it makes sense to us and we're currently discussing what the best way to achieve this would be, without reverting to the previous method that ran into issues ( i.e using the enableReauthOnNewCredentials flag ) . We'll get back to you once we have agreement on a way forward, in the meantime will reopen this issue.

[heatherezell]

Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!

[szechuen]

Yep looking at https://github.com/hashicorp/vault/blob/v1.16.0-rc3/command/agentproxyshared/auth/auth.go, I believe enableReauthOnNewCredentials is still necessary to enable the behavior of re-authenticating immediately after receiving a new JWT.

[heatherezell]

Yep looking at v1.16.0-rc3/command/agentproxyshared/auth/auth.go, I believe enableReauthOnNewCredentials is still necessary to enable the behavior of re-authenticating immediately after receiving a new JWT.

Thank you for the quick response! I'll update the issue accordingly. :)