I inject the role ID and secret ID for HashiCorp Vault using Jenkins during the build stage of my app's Docker image.
Then the Vault agent reads the role ID and secret ID, connects to Vault and delivers secrets to my app with Vault agent templates.
Does the Vault agent generate a new secret ID after the TTL has expired, or should I use a Jenkins job to inject a new secret ID periodically with Ansible?
I am using Ansible to deploy the app and couldn't figure out a secure way to pass the secret ID to the HashiCorp Vault agent at run time; the container does not start without the secret ID being available.
My Jenkinsfile:
stage('vault') {
    steps {
        dir('./vault') {
            // Single-quoted sh strings: the shell expands the variables, so the
            // credential values do not appear in the Groovy string or build log
            withCredentials([string(credentialsId: 'vault_django_role_id', variable: 'role_id'),
                             string(credentialsId: 'vault_django_secret_id', variable: 'secret_id')]) {
                // Written into the ./vault build context that the docker build below consumes
                sh 'echo "$role_id" > django-role_id'
                sh 'echo "$secret_id" > django-secret_id'
            }
            sh 'docker build -t crns-vault:latest .'
        }
    }
}
I run the following commands on my Vault server.
Database secrets engine:
# Connection for the PostgreSQL plugin (the database engine is mounted at "postgres")
vault write postgres/config/crns \
    plugin_name="postgresql-database-plugin" \
    allowed_roles="django" \
    connection_url="postgresql://{{username}}:{{password}}@192.168.5.6:5432/crns" \
    username="admincrns" \
    password="crns@123"

# Dynamic role. Roles are defined under <mount>/roles/<name>;
# <mount>/creds/<name> is the read-only path the agent template reads from.
# default_ttl is the lease TTL the agent keeps renewing; max_ttl bounds how
# long one generated credential can live before a new one must be fetched.
vault write postgres/roles/django \
    db_name="crns" \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="30s" \
    max_ttl="24h"
My AppRole commands:
# Role carrying the "django" policy; no secret_id_ttl or secret_id_num_uses
# is set, so the secret IDs it issues never expire and have unlimited uses
vault write auth/approle/role/django token_policies="django"
# The role ID (not sensitive on its own) and a fresh secret ID for the agent
vault read auth/approle/role/django/role-id
vault write -f auth/approle/role/django/secret-id
My Vault agent config:
pid_file = "./pidfile"

auto_auth {
  method {
    type = "approle"
    config = {
      # Both files are written at image build time by the Jenkinsfile above
      role_id_file_path   = "/vault-agent/django-role_id"
      secret_id_file_path = "/vault-agent/django-secret_id"
      # Default is true; false keeps the secret ID on disk so the agent can
      # read it again whenever it has to re-authenticate
      remove_secret_id_file_after_reading = false
    }
  }

  sink {
    type = "file"
    config = {
      path = "/vault-agent/token"
    }
  }
}

# Renders secrets.tpl into the app's .env and re-renders it as leases change
template {
  source      = "/vault-agent/secrets.tpl"
  destination = "/usr/share/django/secrets/.env"
}

# Caching proxy that attaches the auto-auth token to requests it forwards
cache {
  use_auto_auth_token = true
}

# Proxy listener on all interfaces, plaintext
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}
secrets.tpl:
{{ with secret "postgres/creds/django" -}}
DB_USER={{ .Data.username }}
DB_PASSWORD={{ .Data.password }}
{{- end }}
{{ with secret "kv/django/static" -}}
DB_ENGINE={{ .Data.data.DB_ENGINE }}
DB_DATABASE={{ .Data.data.DB_DATABASE }}
DB_HOST={{ .Data.data.DB_HOST }}
DB_PORT={{ .Data.data.DB_PORT }}
{{- end }}
I'm a newbie with Vault, but as I understand it the secret ID should be dynamic. Does the Vault agent take care of that, or should I do that manually with a periodic job that runs Ansible once a day or something? Please note if something is not recommended in my setup.
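Added example, not the poster's configuration: a Vault Agent config for the same AppRole that takes a response-wrapped SecretID delivered by the deploy step at container start, instead of a SecretID written into the image's build context. The behaviour it is built around: Vault Agent's auto-auth logs in once with the RoleID and SecretID and then renews the resulting token; it never mints a new SecretID. Only when the token can no longer be renewed does the agent read the secret_id file again and log in afresh, which is what `remove_secret_id_file_after_reading = false` in the original caters for. The Vault address, the `wrapped-secret_id` file name, the unix socket path and the tmpfs mount are assumptions.

```hcl
# Added example (not the original post's config). The agent unwraps a
# single-use wrapping token that Ansible writes into a tmpfs just before the
# container starts. Assumed: Vault at https://vault.example.internal:8200
# (hypothetical address), /vault-agent is a tmpfs volume, AppRole "django".

pid_file = "/vault-agent/pidfile"

vault {
  address = "https://vault.example.internal:8200"   # assumed; keep TLS on
}

auto_auth {
  method {
    type = "approle"
    config = {
      role_id_file_path = "/vault-agent/django-role_id"

      # The file holds a *wrapping token*, not the SecretID itself. The agent
      # unwraps it once on start. A wrapping token is single-use, so if
      # someone unwrapped it first the agent fails loudly instead of both
      # parties quietly holding a working SecretID.
      secret_id_file_path              = "/vault-agent/wrapped-secret_id"
      secret_id_response_wrapping_path = "auth/approle/role/django/secret-id"

      # true is the default. The original set false to keep the SecretID on
      # disk for a later re-login; a consumed wrapping token is useless anyway.
      remove_secret_id_file_after_reading = true
    }
  }

  sink {
    type = "file"
    config = {
      path = "/vault-agent/token"
    }
  }
}

# Same template as the post, but the rendered .env is not world-readable
template {
  source      = "/vault-agent/secrets.tpl"
  destination = "/usr/share/django/secrets/.env"
  perms       = "0640"
}

# Only needed if the app itself calls Vault through the agent. With
# use_auto_auth_token, anything that can reach the listener acts with the
# agent's token, so bind to a unix socket (or 127.0.0.1), never 0.0.0.0.
cache {
  use_auto_auth_token = true
}

listener "unix" {
  address                = "/vault-agent/agent.sock"   # assumed path
  tls_disable            = true
  # Requires the X-Vault-Request header on every request; stops a browser or
  # SSRF primitive in the app from driving the proxy.
  require_request_header = true
}
```

On the Vault side this pairs with a role whose SecretIDs are short-lived and single-use and whose tokens are periodic, for example `vault write auth/approle/role/django token_policies="django" secret_id_ttl=10m secret_id_num_uses=1 token_period=24h` (values illustrative). A periodic token is renewable indefinitely, so the agent keeps renewing it and never needs a second SecretID while the container lives. At deploy time Ansible, using its own Vault token, runs `vault write -wrap-ttl=120s -f auth/approle/role/django/secret-id` and writes only the returned `wrapping_token` to `/vault-agent/wrapped-secret_id` before starting the container; the wrap TTL only has to outlast container start-up. If the token is ever revoked, the agent cannot log in again by itself under this layout, and a redeploy that delivers a fresh wrapped SecretID is the recovery path.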