HashiCorp Certified: Vault Operations Professional 2022
Configure Vault Agent
Section Overview: Configure Vault Agent
The HashiCorp Vault Agent is a lightweight client-side daemon that automates authentication, token renewal, and configuration templating. By offloading these responsibilities from your application, you eliminate hardcoded credentials and simplify secret management workflows.
In this section, we'll explore two primary topics:
- Authenticate and synchronize tokens
- Render dynamic templates
These built-in features of the Vault Agent—auto-auth, token synchronization, and templating—work together to streamline Vault integration.
Prerequisites
- Vault Server v1.2+ installed and accessible
- Supported auto-auth method configured (e.g., Kubernetes, AWS, AppRole)
- `vault` CLI and Vault Agent binary available in your PATH
Vault Agent Features at a Glance
| Feature | Description | Benefit |
|---|---|---|
| Auto-Authentication | Automatically authenticates using methods like Kubernetes, AWS, or AppRole. | Removes manual login steps on startup. |
| Token Synchronization | Periodically renews the Vault token before it expires. | Ensures uninterrupted secret access. |
| Templating | Renders templates into configuration files or environment variables. | Injects dynamic secrets into your application. |
Ready to get started? Let’s dive into secure auto-auth and token synchronization.
1. Authenticate and Synchronize Tokens
Vault Agent’s auto-auth feature handles the initial login. Once authenticated, token synchronization keeps your session alive by renewing the token automatically.
Auto-auth:
- Supported methods: Kubernetes, AWS, AppRole
- Configuration file snippet:

```hcl
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/path/to/role_id"
      secret_id_file_path = "/path/to/secret_id"
    }
  }

  sink "file" {
    config = {
      path = "/tmp/vault-token"
    }
  }
}
```
Token synchronization:

```hcl
cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}

vault {
  address = "https://vault.example.com:8200"
}
```
Warning: Ensure the Vault Agent configuration file (`agent.hcl`) has restrictive file permissions (owner-only read/write) to prevent unauthorized users from reading sensitive settings such as credential file paths and the token sink location.
2. Render Dynamic Templates
The Vault Agent template engine uses HCL or Go templates to inject secrets directly into files or environment variables:
template {
source = "/etc/vault-agent/templates/config.ctmpl"
destination = "/etc/myapp/config.json"
command = "systemctl restart myapp"
}
Example `config.ctmpl`:

```
{
  "db_username": "{{ with secret "database/creds/app" }}{{ .Data.username }}{{ end }}",
  "db_password": "{{ with secret "database/creds/app" }}{{ .Data.password }}{{ end }}"
}
```
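The following script is an added example and not part of the course material. It ties together the auto-auth, token synchronization, and templating pieces from Sections 1 and 2 into one `agent.hcl`, creates the AppRole credential files and the `config.ctmpl` template with owner-only permissions (the point of the warning above), and provides small checks you can run before starting the agent. The working directory `AGENT_DIR`, the placeholder `role_id`/`secret_id` contents, and the use of `/tmp` are constructed for the demo; the Vault address, loopback listener, `database/creds/app` path, and `myapp` service name are taken from the page. `remove_secret_id_file_after_reading` and the sink `mode` and template `perms` options are real Vault Agent settings.

```shell
#!/bin/sh
# Added example (not from the course): build a Vault Agent working directory
# with owner-only permissions and verify it. Paths and credential contents
# below are constructed placeholders.
set -eu

AGENT_DIR="${AGENT_DIR:-/tmp/vault-agent-demo}"   # assumed demo location
VAULT_ADDR_DEMO="https://vault.example.com:8200"  # server address from the page

write_agent_files() {
  umask 077                      # files created 0600, directories 0700
  mkdir -p "$AGENT_DIR"

  # AppRole credentials would be delivered out of band; placeholders here.
  printf '%s\n' 'PLACEHOLDER-ROLE-ID'   > "$AGENT_DIR/role_id"
  printf '%s\n' 'PLACEHOLDER-SECRET-ID' > "$AGENT_DIR/secret_id"

  # Template: a single "with secret" block makes it explicit that both
  # fields come from the same read of the dynamic credential.
  cat > "$AGENT_DIR/config.ctmpl" <<'EOF'
{{ with secret "database/creds/app" -}}
{
  "db_username": "{{ .Data.username }}",
  "db_password": "{{ .Data.password }}"
}
{{- end }}
EOF

  # Complete agent configuration: auto-auth, sink, cache, listener, template.
  cat > "$AGENT_DIR/agent.hcl" <<EOF
vault {
  address = "$VAULT_ADDR_DEMO"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "$AGENT_DIR/role_id"
      secret_id_file_path                 = "$AGENT_DIR/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
  sink "file" {
    config = {
      path = "$AGENT_DIR/vault-token"
      mode = 0600
    }
  }
}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}

template {
  source      = "$AGENT_DIR/config.ctmpl"
  destination = "$AGENT_DIR/config.json"
  perms       = 0640
  command     = "systemctl restart myapp"
}
EOF
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only if the file is accessible to its owner alone.
check_owner_only() {
  case "$(file_mode "$1")" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Simple text check (assumes one listener): a plaintext listener must be
# bound to loopback, as in the page's example.
check_listener_loopback() {
  if grep -q 'tls_disable *= *true' "$1"; then
    grep -q 'address *= *"127\.0\.0\.1:' "$1"
  fi
}
```

Run `write_agent_files` once, then `check_owner_only "$AGENT_DIR/agent.hcl"` and `check_listener_loopback "$AGENT_DIR/agent.hcl"`; a non-zero exit from either check means the layout should be fixed before `vault agent -config "$AGENT_DIR/agent.hcl"` is started.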