In this tutorial, you’ll learn how to configure HashiCorp Vault Agent for automatic AppRole login and dynamic template rendering. By the end, you’ll have a Vault Agent setup that fetches a token via AppRole and injects secrets into a configuration file.
Prerequisites
A local Vault server running, unsealed, and accessible at http://127.0.0.1:7200.
Vault CLI (vault) installed and authenticated as an operator.
Basic knowledge of Vault’s AppRole auth method and KV secrets engine.
Before proceeding, make sure the server is unsealed, that VAULT_ADDR points at it (this tutorial uses http://127.0.0.1:7200 rather than the default port 8200, so the CLI will not find the server unless the variable is set), and that VAULT_TOKEN holds the root token or one with equivalent privileges.
1. Enable the AppRole auth method
vault auth enable approle
Create an AppRole named agent whose tokens will carry the policy cloud-policy:
vault write auth/approle/role/agent token_policies="cloud-policy"
Vault does not check that a policy named in token_policies exists when the role is created, so make sure cloud-policy is defined and grants read access to the KV path the template in step 5 will render; otherwise the login succeeds but rendering fails with permission denied. As written, the role also issues Secret IDs that never expire and can be used any number of times (the defaults for secret_id_ttl and secret_id_num_uses); for real deployments, bound both on the role.
Verify the role
vault read auth/approle/role/agent
Expected output (only the relevant key is shown; the full output also lists the role's token and Secret ID settings):
Key Value
--- -----
token_policies ["cloud-policy"]
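The tutorial refers to cloud-policy but never shows it. Below is a minimal least-privilege version that grants exactly what the template in step 5 reads. It is an added example, not a file from the original tutorial, and it assumes the secrets live in a KV version 2 engine mounted at kv/, which is what the template's .Data.data fields imply (KV v2 serves secret data under kv/data/).

```hcl
# cloud-policy.hcl -- added example, not part of the original tutorial.
# Assumption: a KV version 2 engine is mounted at kv/, so the secret the
# template renders (kv/apps/webapp) is reached at kv/data/apps/webapp.
path "kv/data/apps/webapp" {
  capabilities = ["read"]
}
```

Apply it with vault policy write cloud-policy cloud-policy.hcl before creating the role. Granting read on this single path, rather than on kv/* or kv/data/*, means a leaked agent token exposes only the one secret the application actually needs.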
2. Retrieve Role ID & Secret ID
Fetch the Role ID and write it straight to a file:
vault read -field=role_id auth/approle/role/agent/role-id > role.txt
Generate a Secret ID the same way:
vault write -field=secret_id -f auth/approle/role/agent/secret-id > secret.txt
Using -field writes the values directly, so they never appear on your terminal or in shell history, which is where echo "<SECRET_ID>" > secret.txt would leave them. Restrict both files to the user that will run the agent:
chmod 600 role.txt secret.txt
Keep secret.txt secure! Anyone with access can authenticate as the AppRole, and unless the role limits secret_id_ttl and secret_id_num_uses, the Secret ID never expires and can be reused indefinitely.
3. Create Vault Agent Configuration
Save the following as agent.hcl. It tells the agent how to authenticate and where to write its token.
vault {
  address = "http://127.0.0.1:7200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path                   = "./role.txt"
      secret_id_file_path                 = "./secret.txt"
      remove_secret_id_file_after_reading = true
    }
  }

  sink "file" {
    config = {
      path = "./sink.txt"
    }
  }
}
If you prefer to keep the Secret ID after login (for example so the agent can restart without being handed a new one), set remove_secret_id_file_after_reading = false. Be aware that the Secret ID then stays on disk as a reusable credential for as long as the file exists.
4. Run the Vault Agent
Start the agent with your configuration:
vault agent -config=agent.hcl
You should see logs like:
2022-06-28T13:28:44.821-0400 [INFO] sink.file: creating file sink
2022-06-28T13:28:44.843-0400 [INFO] auth.handler: authentication successful, sending token to sinks
Verify the token is written:
cat sink.txt
The file should contain a single Vault token. The agent writes it here for other processes to pick up and keeps renewing it for as long as the agent runs.
5. Enable Templating
Stop the agent (Ctrl+C) and append a template block to agent.hcl:
template {
source = "./web.tmpl"
destination = "./output.yaml"
}
Now your full agent.hcl looks like this. Note that remove_secret_id_file_after_reading is now false so the agent can re-read secret.txt on every restart; if the run in step 4 already deleted secret.txt (it was set to true there), repeat the Secret ID step from section 2 before continuing.
vault {
  address = "http://127.0.0.1:7200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path                   = "./role.txt"
      secret_id_file_path                 = "./secret.txt"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "./sink.txt"
    }
  }
}

template {
  source      = "./web.tmpl"
  destination = "./output.yaml"
}
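For anything beyond a local walkthrough, a few Vault Agent settings are worth tightening: output.yaml will hold a plaintext password but is written with the default 0644 permissions, and sink.txt holds a live token at the default 0640. The hardened agent.hcl below is an added example, not the tutorial's file. The parameter names are Vault Agent's own; the reload command and the choice to delete the Secret ID after use are assumptions for this example.

```hcl
# agent.hcl -- hardened variant, added as an example; not the tutorial's original file.
vault {
  address = "http://127.0.0.1:7200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "./role.txt"
      secret_id_file_path = "./secret.txt"
      # Consume the Secret ID once and remove it, so no reusable credential lingers on disk.
      remove_secret_id_file_after_reading = true
    }
  }

  sink "file" {
    config = {
      path = "./sink.txt"
      # Default is 0640; only the agent's user should be able to read the token.
      mode = 0600
    }
  }
}

template_config {
  # Exit when a template keeps failing to render instead of running on with a stale file.
  exit_on_retry_failure = true
}

template {
  source      = "./web.tmpl"
  destination = "./output.yaml"
  # The rendered file contains a plaintext password; the default is 0644.
  perms = "0600"
  # Fail the render if a referenced key is missing instead of writing "<no value>".
  error_on_missing_key = true
  # Assumed consumer for this example: tell the web app to re-read its config after each render.
  command = "systemctl reload webapp"
}
```

With remove_secret_id_file_after_reading = true the agent needs a fresh secret.txt on every start, so pair it with a Secret ID bounded by secret_id_num_uses=1 and a short secret_id_ttl on the role, delivered by whatever process launches the agent. error_on_missing_key matters here because a missing username or password would otherwise be rendered as the literal string <no value> and handed to the application as a valid-looking config.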
Template File: web.tmpl
production:
  adapter: postgresql
  encoding: unicode
  database: orders
{{ with secret "kv/apps/webapp" }}
  username: "{{ .Data.data.username }}"
  password: "{{ .Data.data.password }}"
{{ end }}
6. Populate the KV Store
Store sample credentials under kv/apps/webapp. This assumes a KV version 2 secrets engine is mounted at kv/ (the template's .Data.data fields are the v2 response shape); if it is not, enable a kv-v2 engine at that path first.
vault kv put kv/apps/webapp username=administrator password=kfi3ksoi2msij2s
7. Restart the Agent and Verify Rendering
Start the agent again:
vault agent -config=agent.hcl
You should see template rendering logs:
2022-06-28T13:14:15.854-0400 [INFO] (runner) rendered "./web.tmpl" => "./output.yaml"
Inspect the generated file:
production:
  adapter: postgresql
  encoding: unicode
  database: orders
  username: "administrator"
  password: "kfi3ksoi2msij2s"
Configuration Blocks Overview
Block      Purpose
---------  --------------------------------------------
vault      Vault server address
auto_auth  AppRole login method and token sink
sink       File sink for writing the Vault token
template   Source and destination for rendering secrets
Conclusion
You’ve successfully:
Enabled the AppRole auth method in Vault
Retrieved Role ID and Secret ID for machine identity
Configured Vault Agent for auto-authentication and token storage
Rendered secrets into a dynamic configuration file using templating
For more details, see the Vault Agent documentation.