HashiCorp Certified: Vault Associate Certification

Vault Agent

Vault Agent Auto Auth and Token Sink

Legacy applications often lack built-in support for Vault authentication. By deploying a Vault Agent alongside each application server, you can offload authentication, token renewal, and secure token storage to the Agent. The application simply reads a local “sink” file to obtain a valid Vault token and perform secret operations.


Legacy Application Auto-Auth Workflow

  1. Vault Agent authenticates to Vault using a machine-oriented auth method (e.g., AppRole, Kubernetes).
  2. Vault returns a token, which the Agent writes to a local sink file.
  3. The legacy application reads the token from the sink and calls the Vault API for secret operations (read secrets, encrypt/decrypt).


The Vault Agent also tracks token TTL and automatically renews the token before expiration, ensuring the application always has a valid credential.


How Auto-Auth Works

Vault Agent’s auto-auth feature is configured in a single HCL file. It authenticates using the specified method, writes the returned token to a flat file sink, and then handles reauthentication and renewal automatically.


Supported Auth Methods

The Vault Agent supports all machine-oriented auth methods:

Auth Method      Use Case
AliCloud         Vault on Alibaba Cloud
AWS              IAM roles, EC2, ECS
Azure            Managed identities, service principals
Certificate      TLS certificate authentication
Cloud Foundry    CF platform integration
GCP              GCE metadata, service accounts
JWT              Generic JWT validation
Kerberos         Enterprise Kerberos realms
Kubernetes       ServiceAccount-based authentication


Note

For detailed configuration parameters (required and optional), see the Vault Agent Auto-Auth documentation.

Example: AppRole Auto-Auth Configuration

Below is a minimal HCL configuration for AppRole authentication, writing the token to a file sink:

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault/role_id"
      secret_id_file_path = "/etc/vault/secret_id"
    }
  }
}

sink "file" {
  config = {
    path = "/etc/vault/token.txt"
  }
}

vault {
  address = "http://<cluster_IP>:8200"
}

Sink Configuration

Vault Agent currently supports only the file sink type. Common parameters:

  • type (always file)
  • path (location for the token file)
  • mode (file permissions, default 0640)
  • wrap_ttl (optional response-wrapping TTL)


Response Wrapping for Enhanced Security

To protect the token in transit and on the host, Vault offers a response-wrapping feature. You can apply wrapping at either the auth method or the sink, and the choice decides which hop is protected and whether the Agent can still renew the token.

1. Wrap at the Auth Method

When you set wrap_ttl under the auth method, Vault returns a single-use wrapping token instead of the real token; the real token is only obtained by unwrapping it. An eavesdropper on the Vault-to-Agent hop therefore never sees the actual token, but because the Agent never holds the unwrapped token it cannot renew it.

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    wrap_ttl   = "5m"         # wrap at auth method
    config = {
      role = "example-role"
    }
  }
}

vault {
  address = "http://<cluster_IP>:8200"
}


Warning

Response wrapping at the auth method protects against MITM but prevents token renewal.

2. Wrap at the Sink

By setting wrap_ttl under the sink stanza, the Agent receives the unwrapped token from Vault, then wraps it itself before writing it to the sink, so the application must unwrap it. The Agent still holds the real token and can renew it, but the token travels in cleartext between Vault and the Agent, so this option does not protect that hop against interception.

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "example-role"
    }
  }
}

sink "file" {
  wrap_ttl = "5m"            # wrap at sink
  config = {
    path = "/etc/vault/token"
  }
}

vault {
  address = "http://<cluster_IP>:8200"
}
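As an added example (not code from this page or from HashiCorp), here is the application side of the workflow described above and under "Wrap at the Sink": a small Python client that reads the Agent's sink file, unwraps the token when the sink was configured with wrap_ttl, and reads one KV v2 secret. The Vault address, sink path, secret path and the exact layout of the unwrap response are assumptions, and the HTTP transport is injectable so the flow can be exercised without a Vault server.

```python
import json
import urllib.request

# Added example, not Vault's own client: the application side of the sink
# workflow. Reads the Agent's file sink, unwraps the token when the sink
# stanza carries wrap_ttl, then reads one KV v2 secret.

def http_transport(method, url, token, body=None):
    """Send one Vault API request and return the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def read_sink(path):
    """Return the token string the Agent wrote to the file sink."""
    with open(path) as f:
        return f.read().strip()

def token_from_unwrap(resp):
    # Assumption: a sink-wrapped token unwraps to data.token, while a login
    # wrapped at the auth method unwraps to auth.client_token. Accept either.
    token = (resp.get("data") or {}).get("token")
    if not token:
        token = (resp.get("auth") or {}).get("client_token")
    if not token:
        raise ValueError("unwrap response carried no token")
    return token

class SinkClient:
    def __init__(self, addr, sink_path, wrapped, transport=http_transport):
        self.addr = addr.rstrip("/")
        self.sink_path, self.wrapped, self.transport = sink_path, wrapped, transport
        self._token = None

    def token(self):
        # A wrapping token is single-use, so unwrap once and cache the result.
        if self._token is None:
            tok = read_sink(self.sink_path)
            if self.wrapped:
                url = f"{self.addr}/v1/sys/wrapping/unwrap"
                tok = token_from_unwrap(self.transport("POST", url, tok))
            self._token = tok
        return self._token

    def read_kv(self, mount, name):
        url = f"{self.addr}/v1/{mount}/data/{name}"
        return self.transport("GET", url, self.token())["data"]["data"]
```

With `wrapped=False` the client uses the sink contents directly, which matches the AppRole example earlier on this page.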


Comparison of Wrapping Options


Option                  Pro                                     Con
Wrapped by Auth Method  Protects against network interception   Agent cannot renew the token
Wrapped by Sink         Agent can renew and manage the token    Token is sent in cleartext to the Agent

Conclusion

Vault Agent’s Auto-Auth and Token Sink features simplify secret injection for legacy applications by centralizing authentication, renewal, and local storage of Vault tokens. Response wrapping further enhances security according to your threat model.
