HashiCorp Certified: Vault Associate Certification
Vault Agent
Demo Vault Agent
Learn how to leverage HashiCorp Vault Agent to automatically authenticate via AppRole and render configuration files with secrets fetched from Vault.
Prerequisites
| Requirement | Description |
|---|---|
| Vault Server | Running, unsealed, and accessible (default :8200). |
| Vault CLI & Agent | Installed on your local machine. |
| AppRole Policy | A policy (e.g., cloud-policy) defined in Vault. |
1. Enable the AppRole Auth Method
Enable AppRole so Vault Agent can authenticate:
vault auth enable approle
Expected output:
Success! Enabled approle auth method at: approle/
Note
AppRole is a machine-friendly auth method designed for non-interactive workflows.
Learn more: AppRole Auth Method
2. Create an AppRole for the Agent
Define a role with the appropriate policy:
vault write auth/approle/role/agent \
token_policies="cloud-policy"
Verify the role settings:
vault read auth/approle/role/agent
Sample output:
| Key | Value |
|---|---|
| bind_secret_id | true |
| token_policies | [cloud-policy] |
3. Retrieve Role ID and Secret ID
Fetch the role_id:
vault read -format=json auth/approle/role/agent/role-id
Generate a one-time secret_id:
vault write -f auth/approle/role/agent/secret-id
Example JSON data, combining the role_id and secret_id returned by the two commands above:
{
"data": {
"role_id": "3ae4b467-c469-6a38-adbe-83e1ab5f1dd0",
"secret_id": "6b74a5ef-d4f5-0690-67f1-c457c1060ac7"
}
}
4. Store Role ID & Secret ID in Files
Create two files in your working directory:
role.txt
3ae4b467-c469-6a38-adbe-83e1ab5f1dd0
secret.txt
6b74a5ef-d4f5-0690-67f1-c457c1060ac7
Warning
Ensure these files have restrictive permissions (e.g., chmod 600) to prevent unauthorized access.
5. Configure Vault Agent (agent.hcl)
Define auto-auth and token sink settings:
auto_auth {
method "approle" {
mount_path = "approle"
config = {
role_id_file_path = "/path/to/role.txt"
secret_id_file_path = "/path/to/secret.txt"
}
}
sink "file" {
config = {
path = "/path/to/sink.txt"
}
}
}
vault {
address = "http://127.0.0.1:8200"
}
Note
- mount_path defaults to "approle".
- Adjust address if your Vault server listens on a different host or port.
6. Start Vault Agent
Run the agent with your configuration:
vault agent -config=agent.hcl
You should see logs indicating successful authentication and token writing:
[INFO] sink.file: file sink configured: path=/path/to/sink.txt
[INFO] auth.handler: authentication successful, sending token to sinks
[INFO] auth.handler: renewed auth token
Verify the token:
cat /path/to/sink.txt
# s.xxxxxxxxxxxxxxxxxxxxxxxx
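The following script is an added example, not code from the course page: it automates steps 3 to 5 (fetching role_id and secret_id, writing them to owner-only files, and rendering agent.hcl). It assumes VAULT_ADDR and an administrative VAULT_TOKEN are exported and that the "agent" role from step 2 exists; the file-writing and rendering functions run without a Vault server.

```shell
# Added example: build the AppRole credential files and agent.hcl from
# steps 3-5. Assumes VAULT_ADDR/VAULT_TOKEN are set and role "agent" exists.
set -eu

# Write one secret value to a file only its owner can read. The umask is set
# inside a subshell before the file is created, so it never exists with
# permissive bits, even briefly; chmod then pins the mode on existing files.
write_cred_file() {
  local path="$1" value="$2"
  ( umask 077; printf '%s\n' "$value" > "$path" )
  chmod 600 "$path"
}

# Succeed only if the file is mode 0600 (GNU and BSD stat spellings).
check_cred_perms() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Render the step-5 agent.hcl into DIR, pointing every path at DIR.
render_agent_hcl() {
  local dir="$1" addr="${2:-http://127.0.0.1:8200}"
  cat > "$dir/agent.hcl" <<EOF
auto_auth {
  method "approle" {
    mount_path = "approle"
    config = {
      role_id_file_path   = "$dir/role.txt"
      secret_id_file_path = "$dir/secret.txt"
    }
  }
  sink "file" {
    config = { path = "$dir/sink.txt" }
  }
}
vault {
  address = "$addr"
}
EOF
}

# Pull a fresh role_id and one-time secret_id into DIR; -field keeps only
# the bare value (not the whole output table) in each file.
bootstrap_from_vault() {
  local dir="$1"
  write_cred_file "$dir/role.txt" "$(vault read -field=role_id auth/approle/role/agent/role-id)"
  write_cred_file "$dir/secret.txt" "$(vault write -f -field=secret_id auth/approle/role/agent/secret-id)"
  render_agent_hcl "$dir"
}
```

Run `bootstrap_from_vault /path/to/agent-dir` once with an admin token, then start the agent with `vault agent -config=/path/to/agent-dir/agent.hcl`.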
6.1 Preserve the Secret ID File (Optional)
By default, Vault Agent deletes the secret_id file (secret.txt) once it has read it. To retain the file, add remove_secret_id_file = false to the method config:
auto_auth {
method "approle" {
mount_path = "approle"
config = {
role_id_file_path = "/path/to/role.txt"
secret_id_file_path = "/path/to/secret.txt"
remove_secret_id_file = false
}
}
sink "file" {
config = {
path = "/path/to/sink.txt"
}
}
}
Restart Vault Agent. The secret.txt file will persist.
7. Templating with Vault Agent
Vault Agent can render templates populated with secrets. Follow these steps:
7.1 Prepare the Template (web.tmpl)
production:
adapter: postgresql
encoding: unicode
database: orders
{{ with secret "kv/apps/webapp" }}
username: "{{ .Data.data.username }}"
password: "{{ .Data.data.password }}"
{{ end }}
7.2 Seed the KV Store
Populate Vault’s KV engine:
vault kv put kv/apps/webapp \
username="administrator" \
password="kfi3ksoi2msij2s"
7.3 Update agent.hcl with a Template Block
Add a template stanza to render web.tmpl to output.yaml:
template {
source = "/path/to/web.tmpl"
destination = "/path/to/output.yaml"
}
Resulting agent.hcl snippet (the auto_auth block from Step 5 stays in place above these stanzas):
template {
source = "/path/to/web.tmpl"
destination = "/path/to/output.yaml"
}
vault {
address = "http://127.0.0.1:8200"
}
7.4 Restart Vault Agent & Verify
vault agent -config=agent.hcl
Check the rendered file:
cat /path/to/output.yaml
Expected content:
production:
adapter: postgresql
encoding: unicode
database: orders
username: "administrator"
password: "kfi3ksoi2msij2s"
Conclusion
You’ve now automated the following with Vault Agent:
- AppRole-based auto-authentication.
- Securely stored and managed role_id and secret_id.
- Token persistence with customizable sinks.
- Dynamic templating to inject secrets into configuration files.