Hello. I am using the vault-provider (v0.4.0) to manage approximately 1000 resources for Vault. In ProviderConfig, I use authentication through approle. Its role allows generating tokens with a TTL of 30 minutes.
I've noticed that the number of tokens/leases in my Vault has significantly increased. There are about 12 thousand of them. Then, I added skip_child_token: true to the ProviderConfig. The number of tokens decreased by half. But 5 thousand leases, which are still growing, are also unpleasant. It seems like I should use a static token for ProviderConfig authorization and enable skip_child_token at the same time to avoid cluttering the Vault with an excessive number of leases?
How does it work internally? To me, it seems like the token from approle and the child token for Terraform are recreated every time the Vault provider needs to refresh/view the resources it maintains. Is that the case? Is there a possibility to enable caching for the provider so that it could reuse, for example, child tokens or approle tokens?
Based on my limited understanding, the provider creates a new Terraform client/CLI invocation for each reconciliation and doesn't use any sort of caching or lease renewal internally.
I'd recommend using External Secrets (or Vault Secret Operator) together with the Kubernetes auth method and "projecting" the Vault token into a Kubernetes Secret for the provider to read (for example via the /auth/token/lookup-self endpoint). This way you're maintaining or recreating 1-2 leases at most (e.g. have a dedicated role set up for the Kubernetes auth method with a token TTL of 60 minutes and an ESO-generated secret that is refreshed every 50 minutes).
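To make the lease arithmetic behind this thread concrete, here is an added example (not code from provider-vault, Terraform or Vault) that models the three authentication strategies discussed: an AppRole login plus a child token on every reconcile, AppRole with skip_child_token, and a single externally managed token that is renewed rather than re-minted. The resource count (1000) and token TTL (30 minutes) come from the issue; the 5-minute reconcile interval, the strategy names and the functions simulate_live_leases, steady_state_estimate and compare are assumptions introduced for illustration. The point it shows is that, with no caching or renewal in the provider, the steady-state number of live leases is roughly resources × tokens-per-reconcile × (TTL / reconcile interval), so halving tokens per reconcile halves the count while a reused, renewed token keeps it at one.

```python
"""Lease-growth model for a controller that authenticates on every reconcile.

Added example, not code from provider-vault, Terraform or Vault. It models the
behaviour described in the thread: each reconcile performs an AppRole login
(one token lease) and, unless skip_child_token is set, also creates a child
token (a second lease); neither is renewed, so both live for their full TTL.
The 5-minute reconcile interval is an assumption chosen for illustration; the
resource count and TTL are taken from the issue.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lease:
    expires_at: int  # simulation minute at which Vault drops the token


@dataclass
class Strategy:
    name: str
    leases_per_reconcile: int          # tokens minted per resource per reconcile
    reuse_static_token: bool = False   # one externally managed token, renewed and reused


# Assumed strategies corresponding to the options discussed in the thread.
APPROLE_WITH_CHILD = Strategy("approle + child token", leases_per_reconcile=2)
APPROLE_SKIP_CHILD = Strategy("approle, skip_child_token", leases_per_reconcile=1)
STATIC_TOKEN = Strategy("static token projected into a Secret", 0, reuse_static_token=True)


def simulate_live_leases(strategy: Strategy, resources: int = 1000,
                         interval_min: int = 5, ttl_min: int = 30,
                         horizon_min: int = 120) -> int:
    """Return how many token leases are still unexpired after horizon_min minutes.

    The clock advances one minute at a time; every interval_min minutes each
    managed resource is reconciled. Expired leases are dropped first, as Vault
    removes a token once its TTL has passed.
    """
    live: List[Lease] = []
    for now in range(horizon_min):
        live = [lease for lease in live if lease.expires_at > now]
        if now % interval_min != 0:
            continue
        if strategy.reuse_static_token:
            # One long-lived token, renewed on each reconcile instead of re-minted.
            if live:
                live[0].expires_at = now + ttl_min
            else:
                live.append(Lease(expires_at=now + ttl_min))
            continue
        for _ in range(resources):
            for _ in range(strategy.leases_per_reconcile):
                live.append(Lease(expires_at=now + ttl_min))
    return len(live)


def steady_state_estimate(resources: int, leases_per_reconcile: int,
                          interval_min: int, ttl_min: int) -> int:
    """Closed-form steady-state count: every batch minted within the last
    ttl_min minutes is still alive, and there are ttl_min / interval_min such
    batches (exact when interval_min divides ttl_min)."""
    return resources * leases_per_reconcile * (ttl_min // interval_min)


def compare(resources: int = 1000, interval_min: int = 5, ttl_min: int = 30) -> Dict[str, int]:
    """Run the simulation for each strategy with the same workload parameters."""
    return {
        s.name: simulate_live_leases(s, resources, interval_min, ttl_min)
        for s in (APPROLE_WITH_CHILD, APPROLE_SKIP_CHILD, STATIC_TOKEN)
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:45s} live leases: {count}")
```

With the assumed 5-minute interval the model lands on 12000 live leases for AppRole plus child token, 6000 with skip_child_token, and 1 for a reused token, which matches the proportions reported in the issue; plugging in your own reconcile interval and TTL via compare() gives the count to expect before changing the ProviderConfig. The closed-form estimate is the quick way to see that shortening the TTL or lengthening the interval only shrinks the number, whereas reusing and renewing one token removes the per-reconcile minting altogether.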