HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for version v1.19.x. View latest version.

Auto-auth sink: File

The file sink writes tokens, optionally response-wrapped and/or encrypted, to a file. This may be a local file or a file mapped via some other process (NFS, Gluster, CIFS, etc.).

Once the sink writes the file, it is up to the client to control lifecycle; generally it is best for the client to remove the file as soon as it is seen.

It is also best practice to write the file to a ramdisk, ideally an encrypted ramdisk, and use appropriate filesystem permissions. The file is currently written with 0640 permissions as default, but can be overridden with the optional 'mode' setting.

Configuration

  • path (string: required) - The path to use to write the token file
  • mode (int: optional) - Octal number string representing the bit pattern for the file mode, similar to chmod.
  • owner (int: optional) - The UID to use for the token file. Defaults to the current user ID.
  • group (int: optional) - The GID to use for token file. Defaults to the current group ID.

Note

Configuration options for response-wrapping and encryption for the sink file are located within the options common to all sinks documentation.

Edit this page on GitHub