This repository has been archived by the owner on Dec 31, 2022. It is now read-only.

consul-template doesn't renew the vault token #8

Closed
gdwikir opened this issue Jun 11, 2019 · 2 comments

Comments


gdwikir commented Jun 11, 2019

Hi, Thanks for the amazing workshop!

I'm new to Vault & consul-template. I noticed that you set vault_agent_token_file (https://github.com/sethvargo/vault-kubernetes-workshop/blob/master/k8s/kv-sidecar.yaml#L79), and I saw that the official consul-template repo says that if we specify vault_agent_token_file, consul-template will not try to renew the Vault token (https://github.com/hashicorp/consul-template#configuration-file-format), and that is what happens to me. consul-template doesn't seem to renew the Vault token after the lease expires. Is there something I missed?

Here's consul-template log:

2019/06/11 02:58:03.816250 [WARN] vault.read(gcp/test/demo/key/demo-project-viewer): renewer returned (maybe the lease expired)
2019/06/11 02:58:13.219535 [WARN] (view) vault.read(secret/test/data-secret): vault.read(secret/test/data-secret): Error making API request.

URL: GET https://10.x.x.x/v1/secret/test/data-secret
Code: 403. Errors:

* permission denied (retry attempt 1 after "1s")

Here's my CT_LOCAL_CONFIG (basically the same as yours)

vault {
  vault_agent_token_file = "/var/run/secrets/vaultproject.io/.vault-token"

  ssl {
    ca_cert = "/etc/vault/tls/ca.pem"
  }

  retry {
    backoff = "1s"
  }
}

template {
  contents = <<EOH
    {{- with secret "secret/test/data-secret" -}}
    {{- .Data.message -}}
    {{- end -}}
  EOH
  destination = "/etc/secrets/static.txt"
}
template {
  contents = <<EOH
    {{- with secret "gcp/test/demo/key/demo-project-viewer" -}}
    {{- .Data.private_key_data | base64Decode -}}
    {{- end -}}
  EOH
  destination = "/etc/secrets/dynamic.json"
}

jm4c commented Jan 6, 2020

Try adding this to the config file: renew_token = true

vault {
  vault_agent_token_file = "/var/run/secrets/vaultproject.io/.vault-token"
  renew_token = true
  ssl {
    ca_cert = "/etc/vault/tls/ca.pem"
  }

  retry {
    backoff = "1s"
  }
}

Just had the same issue and this worked for me

@sethvargo (Owner)

As @jm4c noted - make sure you set renew_token = true
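Added example, not code from the workshop repository or from consul-template: a small Python check that reads the token from vault_agent_token_file, calls Vault's auth/token/lookup-self endpoint and reports whether the token is renewable and how much TTL it has left. renew_token = true only helps if the token itself is renewable and still alive, so this is the check to run when the sidecar starts logging 403 "permission denied". The token file path, the VAULT_ADDR and VAULT_CACERT environment variables, and the 300 second warning threshold are assumptions; the decision logic is a pure function so it can be exercised with constructed lookup-self responses.

```python
"""Check the token consul-template reads from vault_agent_token_file.

With vault_agent_token_file set, consul-template only renews the token when
renew_token = true, and even then renewal only works if the token itself is
renewable and has TTL left. This script looks the token up and reports both,
so the 403 "permission denied" seen after the token expires can be caught
before the template reads start failing.
"""
import json
import os
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional

# Assumed path; matches the workshop's vault_agent_token_file setting.
DEFAULT_TOKEN_FILE = "/var/run/secrets/vaultproject.io/.vault-token"


def read_token(path: str) -> str:
    """Read the token file the way consul-template does: whole file, whitespace stripped."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def _request(vault_addr: str, token: str, path: str, ca_cert: Optional[str] = None,
             body: Optional[dict] = None) -> dict:
    """Minimal authenticated call to the Vault HTTP API; returns the parsed JSON body."""
    ctx = ssl.create_default_context(cafile=ca_cert) if ca_cert else None
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/{path}",
        data=data,
        method="POST" if body is not None else "GET",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def lookup_self(vault_addr: str, token: str, ca_cert: Optional[str] = None) -> dict:
    """GET auth/token/lookup-self and return its 'data' object (ttl, renewable, ...)."""
    return _request(vault_addr, token, "auth/token/lookup-self", ca_cert)["data"]


def renew_self(vault_addr: str, token: str, increment: str = "1h",
               ca_cert: Optional[str] = None) -> dict:
    """POST auth/token/renew-self: a manual renewal of the same token, for comparison."""
    return _request(vault_addr, token, "auth/token/renew-self", ca_cert,
                    body={"increment": increment})["auth"]


def assess_token(data: dict, warn_below_seconds: int = 300) -> dict:
    """Pure decision logic over a lookup-self 'data' object.

    Returns {"ok": bool, "findings": [str, ...]}. 'ok' is False when a renewer
    cannot keep the token alive: it is not renewable, or its remaining TTL is
    already below warn_below_seconds (assumed threshold). An explicit max TTL is
    reported as a finding but does not flip 'ok', since renewals still work
    until it is reached.
    """
    ttl = int(data.get("ttl") or 0)
    creation_ttl = int(data.get("creation_ttl") or 0)
    renewable = bool(data.get("renewable", False))
    explicit_max = int(data.get("explicit_max_ttl") or 0)
    findings = []

    if ttl == 0 and creation_ttl == 0:
        # Root or otherwise non-expiring token: nothing for a renewer to do.
        return {"ok": True, "findings": ["token has no TTL; renewal is not needed"]}

    if not renewable:
        findings.append("token is not renewable; renew_token = true cannot extend it")
    if ttl < warn_below_seconds:
        findings.append(f"token ttl is {ttl}s, below the {warn_below_seconds}s threshold")
    if explicit_max:
        findings.append(f"token has explicit_max_ttl={explicit_max}s; renewals stop there, "
                        "so the sidecar must re-authenticate before that point")

    ok = renewable and ttl >= warn_below_seconds
    return {"ok": ok, "findings": findings}


def main() -> int:
    vault_addr = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")
    ca_cert = os.environ.get("VAULT_CACERT")  # e.g. /etc/vault/tls/ca.pem
    token_file = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TOKEN_FILE
    token = read_token(token_file)
    try:
        data = lookup_self(vault_addr, token, ca_cert)
    except urllib.error.HTTPError as exc:
        # A 403 here is the same failure the consul-template log shows once the token is gone.
        print(f"lookup-self failed with HTTP {exc.code}: token is expired or invalid")
        return 2
    result = assess_token(data)
    for line in result["findings"]:
        print("finding:", line)
    print("ok" if result["ok"] else "token will not survive under consul-template")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it inside the sidecar container (or anywhere the token file and CA are mounted) with VAULT_ADDR and VAULT_CACERT set. A non-zero exit with "token is not renewable" means renew_token = true cannot fix the problem and the token issuer (here the Vault Agent or the Kubernetes auth login that writes the file) needs to hand out a renewable token; an HTTP 403 from lookup-self means the token has already expired, which is the state the issue's log shows. renew_self is included so a manual renewal can be compared against what the renewer does.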
