
Vault secrets TTL values ignored and therefore rendering too often #1970

Open
EtienneBruines opened this issue Jul 29, 2024 · 0 comments
Consul Template version

consul-template v0.39.1 (cc8f954)

Configuration

vault {
  address = "https://my-awesome-vault-server:8200"
  vault_agent_token_file = "/tmp/test-token"
  unwrap_token = false
  renew_token = false
}
template {
  destination = "/tmp/my-test-output"
  contents = <<EOH
{{- with secret "identity/oidc/token/my-test-role" -}}
{{ .Data | toJSON }}
{{ end }}
  EOH
}

This produces a file like this:

{"client_id":"my-test-id","token":"-my-secret-token-","ttl":86400}

Command

consul-template -config=my-config.hcl

Debug output

The relevant parts:

2024-07-29T13:45:34.451Z [DEBUG] (runner) diffing and updating dependencies
2024-07-29T13:45:34.451Z [DEBUG] (runner) watching 1 dependencies
2024-07-29T13:45:34.451Z [TRACE] (view) vault.read(identity/oidc/token/my-test-role) starting fetch
2024-07-29T13:50:09.120Z [TRACE] vault.read(identity/oidc/token/my-test-role): GET /v1/identity/oidc/token/my-test-role
2024-07-29T13:50:09.138Z [TRACE] vault.read(identity/oidc/token/my-test-role): non-renewable secret, set sleep for 4m25.295077421s

Expected behavior

What should have happened?

The token should not be renewed every 5 minutes, but respect the TTL of the token (at least somewhat). Anything after 50% of TTL sounds reasonable, but every 5 minutes for a 24h TTL is not desired.

Actual behavior

What actually happened?

The token refreshed after only 5 minutes.

Steps to reproduce

  1. Set up and configure a Vault server.
  2. Generate a new identity key: vault write --force identity/oidc/key/my-test-key
  3. Generate a new role that uses that key: vault write identity/oidc/role/my-test-role key=my-test-key ttl=24h client_id=my-test-id template="{}"
  4. Now use consul-template to get a token for that (see config above).
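The following is an added example, not consul-template's own code, sketching the scheduling the issue asks for: a secret with no lease (lease_duration 0, renewable false) but a numeric ttl inside .Data is re-read after half of that ttl, while a secret with neither falls back to a short default. The Secret struct, the 50% factor and the 5 minute fallback are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Secret holds the fields of a Vault read that matter for refresh scheduling.
// Constructed for this example; it is not a consul-template type.
type Secret struct {
	LeaseDuration int                    `json:"lease_duration"`
	Renewable     bool                   `json:"renewable"`
	Data          map[string]interface{} `json:"data"`
}

// defaultSleep is the assumed fallback when no usable TTL is present.
const defaultSleep = 5 * time.Minute

// parseSecret decodes a raw Vault JSON response into a Secret.
func parseSecret(raw string) (Secret, error) {
	var s Secret
	err := json.Unmarshal([]byte(raw), &s)
	return s, err
}

// refreshAfter returns how long to wait before re-reading the secret.
// Policy (assumed): prefer lease_duration; otherwise use a numeric "ttl"
// in .Data; otherwise the default. Re-read at 50% of the chosen TTL so a
// fresh token is in place well before the old one expires.
func refreshAfter(s Secret) time.Duration {
	ttl := time.Duration(s.LeaseDuration) * time.Second
	if ttl <= 0 {
		// encoding/json decodes untyped JSON numbers as float64.
		if v, ok := s.Data["ttl"].(float64); ok && v > 0 {
			ttl = time.Duration(v) * time.Second
		}
	}
	if ttl <= 0 {
		return defaultSleep
	}
	return ttl / 2
}

func main() {
	// Constructed response shaped like the issue's identity/oidc/token read:
	// no lease, but ttl=86400 inside .Data.
	raw := `{"lease_duration":0,"renewable":false,"data":{"client_id":"my-test-id","token":"-my-secret-token-","ttl":86400}}`
	s, err := parseSecret(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println(refreshAfter(s)) // 12h0m0s
}
```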