1--- 2layout: "docs" 3page_title: "Vault Agent Auto-Auth AppRole Method" 4sidebar_title: "AppRole" 5sidebar_current: "docs-agent-autoauth-methods-approle" 6description: |- 7 AppRole Method for Vault Agent Auto-Auth 8--- 9 10# Vault Agent Auto-Auth AppRole Method 11 12The `approle` method reads in a role ID and a secret ID from files and sends 13the values to the [AppRole Auth 14method](https://www.vaultproject.io/docs/auth/approle.html). 15 16The method caches values and it is safe to delete the role ID/secret ID files 17after they have been read. In fact, by default, after reading the secret ID, 18the agent will delete the file. New files or values written at the expected 19locations will be used on next authentication and the new values will be 20cached. 21 22## Configuration 23 24* `role_id_file_path` `(string: required)` - The path to the file with role ID 25 26* `secret_id_file_path` `(string: optional)` - The path to the file with secret 27 ID. 28 If not set, only the `role-id` will be used. \ 29 In that case, the AppRole should have `bind_secret_id` set to `false` otherwise Vault Agent wouldn't be able to login. 30 31* `remove_secret_id_file_after_reading` `(bool: optional, defaults to true)` - 32 This can be set to `false` to disable the default behavior of removing the 33 secret ID file after it's been read. 34 35* `secret_id_response_wrapping_path` `(string: optional)` - If set, the value 36 at `secret_id_file_path` will be expected to be a [Response-Wrapping 37 Token](https://www.vaultproject.io/docs/concepts/response-wrapping.html) 38 containing the output of the secret ID retrieval endpoint for the role (e.g. 39 `auth/approle/role/webservers/secret-id`) and the creation path for the 40 response-wrapping token must match the value set here. 41