Agent: Sinks change the owner / group of the file but the owner / group can't be specified

[grahamc]

Is your feature request related to a problem? Please describe.

Given a config like this:

{
  "auto_auth": {
    "sink": [
      {
        "config": {
          "mode": 256,
          "path": "/run/keys/my-token"
        },
        "type": "file"
      }
    ]
  }
}

Note the 256 is to work around #9404.

The /run/keys/my-token file is deleted and recreated with the owner / group running the Vault agent. This is different from the templating support, which will preserve the owner and group of the existing file.

Describe the solution you'd like

I would like to specify the owner and group of the sink file, or, have the sink preserve the ownership.

Describe alternatives you've considered

Running vault login in a loop to create the file instead.

[heatherezell]

Thanks for this, and for linking the existing issue, too. I'll get some eyes on it. :)

[aram535]

Adding a subscriber to this. The owner/group/perms of the sink file should be settable.

[ch0wm3in]

Agree, having huge issues with this.

[jplindquist]

I was following along with this, and see there are options for owner and group now in 1.18 from #27123, but I am curious if it's possible to do this without UID or GID in cases where we'd need the sink file owned by a user/group that don't have static IDs, or are managed by other package installations

Example:
The jenkins package has a preinstall to create the jenkins user and group, but a uid/gid is not specified, it's provided by the system, and therefore isn't necessarily the same across all systems

rpm -q jenkins --scripts
preinstall scriptlet (using /bin/sh):
/usr/bin/getent group jenkins &>/dev/null || /usr/sbin/groupadd -r jenkins &>/dev/null
# SUSE version had -o here, but in Fedora -o isn't allowed without -u
/usr/bin/getent passwd jenkins &>/dev/null || /usr/sbin/useradd -g jenkins -s /bin/false -r -c "Jenkins Automation Server" \
	-d "/var/lib/jenkins" jenkins &>/dev/null