thanks for the PR @ctrox !

What are the consequences of not re-using the Transport?

Hard to say what the initial intention was, but my best guess is that it was being reused to inherit the IdleConnTimeout timeout set here. But in general I think it is a bad idea, since the call to Vaults NewClient is initializing the transport and potentially headers and other things that are set there could be leaked to Googles IAM API.

@ctrox sorry for the delay.

There was a change introduced few months ago that attempted to not reuse the http client, because headers could have been re-used between calls

#23

If I understand your change correctly, this addresses similar problem, but on a different level of a request, where certs attached to a request could be reused between calls. Is this correct?

No worries!

Yes exactly, the change in #23 makes sure the whole http.Client is not reused but still reused the base transport (Base: hc.Transport,), which contains the cert store and resulted in my failure as my connection to Vault has a modified cert store, trusting some internal CA. So this broke subsequent requests to the IAM API as it reused that cert store. I hope this clears it up.