Overview:
This article clarifies how Vault Agent determines whether a secret or token is renewable or non-renewable, and addresses use cases in which renewal behaviour is determined by the associated lease rather than by the secret type itself (static or dynamic).
Explanation:
Vault Agent templates automatically handle retrieving and renewing secrets and tokens. How this works varies with the specific type of secret or token involved. Below is a high-level summary of these different behaviors:
- Vault does not determine renewability based on the secret type itself; renewability is determined entirely by the lease associated with the secret (renewable = true or false).
- If the lease associated with the secret or the token has the renewable property set to true, Vault Agent treats that item as a renewable secret and attempts renewal at the defined interval.
- To check this property, run vault lease lookup <lease-id> or vault token lookup <token-id>, as appropriate, using the CLI.
Exception:
When rendering certificates from the PKI secrets engine using Vault Agent:
- If generate_lease is unset or set to false, Vault Agent uses the certificate's validTo field to determine the re-fetch interval.
- If generate_lease is set to true, the certificate follows the non-renewable leased secret behavior.
The same behavior applies to KV version 2 secrets: if the lease is set to true for the secret, the secret is treated as a non-renewable leased secret.
As a result:
Vault Agent triggers renewal at two-thirds of the lease TTL, consistent with renewable-secrets behavior.
The lease_renewal_threshold parameter in the template global configuration has no effect on the renewal interval when the associated lease is marked as renewable (renewable = true).
In summary, Vault Agent's classification of a secret as renewable or non-renewable is governed entirely by the lease metadata, not by the category of the secret. Therefore, dynamic roles (e.g. LDAP and database) are all treated as renewable.
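The decision rule above, applied to the JSON that vault lease lookup -format=json (or vault token lookup -format=json) returns, as an added example that is not part of the original article or of Vault's own code. It assumes the documented template default of 0.9 for lease_renewal_threshold and that non-renewable leases are re-fetched at that fraction of their TTL; the sample lookup results are constructed.

```python
import json
import sys

# Constructed samples shaped like `vault lease lookup -format=json <lease-id>`;
# only the fields this check needs are included (real output carries more).
SAMPLE_RENEWABLE = json.dumps(
    {"data": {"id": "database/creds/app/EXAMPLE", "renewable": True, "ttl": 3600}}
)
SAMPLE_NON_RENEWABLE = json.dumps(
    {"data": {"id": "pki/issue/web/EXAMPLE", "renewable": False, "ttl": 3600}}
)


def classify_lease(lookup_json, lease_renewal_threshold=0.9):
    """Classify a lease/token the way the article describes Vault Agent doing it.

    Returns (kind, seconds): `kind` is "renewable" or "non-renewable" and
    `seconds` is how long after issue Agent acts on the item.
    Renewable leases are renewed at two-thirds of the TTL (from the article);
    non-renewable leases are assumed to be re-fetched at
    lease_renewal_threshold * TTL, with 0.9 as the documented default.
    """
    data = json.loads(lookup_json)["data"]
    renewable = bool(data.get("renewable", False))  # the only deciding property
    ttl = int(data.get("ttl", 0))
    if ttl <= 0:
        raise ValueError("lease has no TTL; nothing to schedule")
    if renewable:
        # lease_renewal_threshold is ignored for renewable leases
        return "renewable", ttl * 2 // 3
    if not 0 < lease_renewal_threshold <= 1:
        raise ValueError("lease_renewal_threshold must be in (0, 1]")
    return "non-renewable", int(ttl * lease_renewal_threshold)


def main():
    # Read a real lookup result from stdin when piped; otherwise use the sample.
    raw = SAMPLE_RENEWABLE if sys.stdin.isatty() else sys.stdin.read()
    kind, seconds = classify_lease(raw)
    print(f"{kind}: Vault Agent acts {seconds}s after issue")


if __name__ == "__main__":
    main()
```

Pipe a live result in with vault lease lookup -format=json <lease-id> | python3 classify.py to see which branch a given lease falls under.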