Vault Agent and Vault Proxy quick start
What is Vault Agent?
Vault Agent behaves as a client-side daemon to make requests to Vault on behalf of the client application. This includes the authentication to Vault.
Vault clients (human users, applications, etc.) must authenticate with Vault and get a client token to make API requests. Because tokens have time-to-live (TTL), the clients must renew the token's TTL or re-authenticate to Vault based on its TTL. Vault Agent authenticates with Vault and manages the token's lifecycle so that the client application doesn't have to.
In addition, you can inject Consul Template markup into Vault Agent so that secrets can be rendered to files where the client application loads data from.
This eliminates the need to change your application code to invoke the Vault API. Your existing applications can remain Vault-unaware.
Prerequisites
To complete this tutorial, you need to install a Vault binary.
Launch Terminal
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
Lab setup
Note
If you do not have access to an HCP Vault Dedicated cluster, visit the Create a Vault Cluster on HCP tutorial.
Launch the HCP Portal and login.
Click Vault in the left navigation pane.
In the Vault clusters pane, click vault-cluster.
Under Cluster URLs, click Public Cluster URL.
In a terminal, set the
VAULT_ADDR
environment variable to the copied address.Return to the Overview page and click Generate token.
Within a few moments, a new token will be generated.
Copy the Admin Token.
Return to the terminal and set the
VAULT_TOKEN
environment variable.Set the
VAULT_NAMESPACE
environment variable toadmin
.The
admin
namespace is the top-level namespace automatically created by HCP Vault. All CLI operations default to use the namespace defined in this environment variable.Log in to HCP Vault Dedicated.
Tip
Vault server is ready and the token value is stored in the
$HOME/.vault-token
file.Enable Key/Value v2 secrets engine at
secret/
.
Create a working directory
Create a directory where you generate test files.
You will read the created secrets using Vault Agent.
Create test data
Create a mock data file.
Create the mock data in the KV v2 secrets engine.
Start a Vault Agent
Start a Vault Agent instance that connects to the Vault server running at
VAULT_ADDR
.
Create the Vault Agent configuration file.
Note
As of Vault 1.13.0, you can use the client token stored in a file (
token_file_path
). This is a convenient way to authenticate the Vault Agent with Vault server during development. For production deployment, use one of the supported auth methods.Start a Vault Agent.
Example output:
At this point, you still need to change your client application to make Vault
requests targeting VAULT_ADDR
using the Vault token stored in the sink
location ($HOME/vault-token-via-agent
).
Next, explore other Vault Agent features.
Modify the Vault Agent configuration
Starting with Vault 1.13.0, you can specify multiple Vault Agent configuration files.
Or, point to a directory with the configuration files.
In this section, you are going to define additional Vault Agent configurations.
Define Vault Agent template
In the following scenario, the client application loads data read from customer.json
.
Press Ctrl + C to stop the running Vault Agent.
Create a
customer.json.tmpl
file.Create a Vault Agent configuration file with a
template
stanza.Start Vault Agent again with the additional configuration applied.
Example output:
Open a new browser or text editor and verify that the
customer.json
file has the secrets retrieved from Vault.Example output:
This should match the data stored in
secret/
.If the template fails, make sure to set the
VAULT_NAMESPACE
variable.
The client application was designed to load data from the customer.json
file.
By leveraging the Vault Agent Template feature, you did not have to make any
code changes to the client application while you manage secrets with Vault.
Vault Agent logs
You can specify the behavior of Vault Agent logging using a command flag, environment variable, or configuration parameters.
Start Vault Agent with the
-log-file
command flag which defines the prefix for the log file.The command generates a log file named
$HOME/vault-test/vault-agent-{timestamp}.log
.Verify the generated log file.
You can open the file to verify its content.
Tip
To see the full list of available parameters, refer to the Vault Agent documentation.
Vault Proxy
Vault Proxy acts as a proxy between Vault and its client applications. See the Vault Agent and Vault Proxy documentation page for more details about feature parity between Vault Agent and Vault Proxy.
Vault Proxy provides auto-auth, caching, and API proxy functionality.
Capability | Vault Agent | Vault Proxy |
---|---|---|
Auto-auth | ✅ | ✅ |
Caching | ✅ | ✅ |
Templating | ✅ | ❌ |
API proxy | Will be deprecated | ✅ |
Run as a Windows Service | ✅ | ❌ |
Process Supervisor | ✅ | ❌ |
The vault
and auto_auth
stanzas in the Vault Proxy and Vault Agent
configurations are identical; however, you must define listener
and
api_proxy
stanzas for Vault Proxy.
Example configuration for Vault Proxy:
Start a Vault Proxy
You can define an API endpoint for the client application to send requests to
rather than VAULT_ADDR
.
Press Ctrl + C to stop the running Vault Agent.
Create a file that defines the
listener
stanza andapi_proxy
stanza.This configuration creates a listener endpoint on the loopback interface
127.0.0.1:8100
. You can add multiplelistener
stanzas. See the Vault Proxy documentation for more information.The
api_proxy
stanza enables theuse_auto_auth_token
parameter. When enabled, proxied requests do not need to set theX-Vault-Token
HTTP header, as the auto-auth token will be used by default.Vault Enterprise 1.16 or later
Set the
cache_static_secrets
parameter in thecache
stanza to true to enable the static secrets caching feature that requires Vault Enterprise 1.16 or later. This enables Vault Proxy to cache static secrets read from the KV v1 and KV v2 secrets engines.Note that the persistent caching feature available in Vault Community Edition is currently supported only in Kubernetes environments and does not cache static secrets.
Start the Vault Proxy.
Vault Proxy is now listening to the proxy addresses
http://127.0.0.1:8100
.Open another command terminal and send an API request to the Vault Proxy.
Read the secrets at
secret/customers/acme
via the proxy address.This example uses jq to process the JSON output for readability.
Output:
Although no client token was provided in the API request (
X-Vault-Token
header unset), a token was automatically attached to the request by the Vault Proxy because theuse_auto_auth_token
parameter was set totrue
in the configuration.
Static secret caching
Vault Enterprise 1.16 or later
To test the Vault Proxy's static secret caching feature, you must be running Vault Enterprise 1.16 or later.
Read the secrets again. This time, Vault Proxy returns the cached secrets.
Use the
--verbose
or-v
option with the cURL command so that you can see more detail.Notice that the
X-Cache
isHIT
.Update the secrets to see what happens.
Read the secrets again via proxy.
The
Age
value changed since the secrets were just updated.Press Ctrl + C to stop the running Vault Proxy.
Self-healing tokens
Auto-auth authenticates with Vault to get a client token, store, and manage the token lifecycle. Vault 1.17 enhanced this auto-auth capability to increase its resiliency so that Vault Agent and Vault Proxy can heal from an invalid token error caused by unexpected incidence (for example, Vault admin revoked the client token used by the Vault Agent).
Test the self-healing capability
Create a script to setup
approle
auth method.This script:
- Creates a policy named "read-only" which allows read and list operations
against paths starts with
secret/
. - Enables
approle
auth method. - Creates a role named "read-only" which has the read-only policy attached. The token for this role has a use limit of 5.
- Retrives the role ID for the "read-only" role and store the value in the
roleID.txt
file. - Retrieves the secret ID and store the value in the
secretID.txt
file.
- Creates a policy named "read-only" which allows read and list operations
against paths starts with
Make the script executable.
Run the script to setup an
approle
auth method.Create a new Vault Proxy configuration which uses
approle
auth method.Start a Vault Proxy.
From another command terminal, read the secrets through the proxy.
The command successfully returns the secrets.
Revoke the token which is stored in the
sink
location.Try to read the secrets again.
The request fails and returns no data.
In the terminal where Vault Proxy is running, check the Vault Proxy logs.
The log indicates
invalid token error
because you revoked the client token. The Vault Agent re-authenticate with Vault to get a new token, and stores it in thesink
location.Try to read the secret. This time, you should received the secrets.
Clean up
Press Ctrl + C to stop the running Vault Agent.
Unset the
VAULT_TOKEN
,VAULT_NAMESPACE
andVAULT_ADDR
environment variables.Delete the
$HOME/vault-test
directory.
Summary
This tutorial demonstrated the basics of Vault Agent. You learned how to configure and run Vault Agent and Vault Proxy.
The use of token_file
in the auto-auth stanza is a convenient way to quickly
start the Vault Agent or Vault Proxy. For a production deployment, use one of
the supported auth methods so that the Vault Agent or Vault Proxy can properly
manage the token's lifecycle.
See the following tutorials for auto-auth examples:
The Vault Agent Template demonstrated that the client application can remain Vault-unaware while Vault manages the secrets.
See the following tutorials to see more template examples: