config = {
  detsys.vaultAgent.defaultAgentConfig = {
    auto_auth = {
      method = {
        type = "aws";
        config.role = "some-role";
        config.type = "ec2";
        # Currently one needs to hard-code this value because nonce values are not saved across restarts
        # config.nonce = "42";
      };
    };
  };
};
Vault returns to vault agent a nonce value for aws instances after they have been authenticated.
If this value is not stored and replayed then vault denies access on the next restart: https://www.vaultproject.io/docs/auth/aws#client-nonce
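For readers who run vault agent directly rather than through the Nix module above, here is an added example (not code from the issue, the module, or HashiCorp) of persisting the EC2 client nonce in a file so that the same value is replayed after every agent restart instead of being hard-coded. It generates the nonce once, stores it with mode 0600, and renders an `auto_auth` stanza that sets the agent's `nonce` parameter for the `aws` method. The file paths, the role name and the output location are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not part of the original issue or module: keep the EC2 auth
# nonce in a file so vault agent replays the same value across restarts.
# Paths and the role name below are assumptions.
set -eu

# Create the nonce once; every later call returns the stored value.
# The file is created 0600 because anyone who can read the nonce can
# re-authenticate as this instance until the whitelist entry expires.
ensure_nonce() {
    nonce_file="$1"
    if [ ! -s "$nonce_file" ]; then
        # Subshell so the restrictive umask does not leak to the caller.
        (umask 077; head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$nonce_file")
    fi
    cat "$nonce_file"
}

# Render the auto_auth stanza for vault agent with the persisted nonce.
# Prints the path of the rendered config file.
render_agent_config() {
    nonce_file="$1"
    role="$2"
    out="$3"
    nonce=$(ensure_nonce "$nonce_file")
    cat > "$out" <<EOF
auto_auth {
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type  = "ec2"
      role  = "$role"
      nonce = "$nonce"
    }
  }
}
EOF
    echo "$out"
}

# Usage (as root, before starting vault agent; paths are assumptions):
#   render_agent_config /var/lib/vault-agent/ec2-nonce some-role /etc/vault-agent/auto-auth.hcl
```

The nonce file must survive reboots and must not be copied to other instances: Vault ties the nonce to the instance ID it first saw, so sharing one nonce across an autoscaling group does not help, and losing the file means the instance is locked out until the whitelist entry is removed server-side.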
grahamc changed the title from "Aws AutoAuth nonce is not shared between instances or is persisted across restarts" to "aws auth method: the "ec2" type: Aws AutoAuth nonce is not shared between instances or is persisted across restarts" on Jun 1, 2022
Good catch. This module doesn't / won't support the ec2 agent auth method. I'd recommend using the "iam" method instead, which is documented as recommended by hashicorp.
I would strongly encourage switching to the iam auth method. And, it would be interesting to use LoadCredentials but since this is a thin wrapper around vault agent, it is probably not going to integrate nicely with LoadCredentials without upstream supporting it.
I don't want to update my vault roles every time I move services between regions, which is required with iam. In my own vault integration I could maybe at least compute the role names dynamically to make this less painful.