2018-07-25 02:02:27 +00:00
---
2020-01-18 00:18:09 +00:00
layout: docs
page_title: Vault Agent
sidebar_title: Vault Agent
2018-07-25 02:02:27 +00:00
description: |-
Vault Agent is a client-side daemon that can be used to perform some Vault
functionality automatically.
---
# Vault Agent
2019-03-15 16:33:31 +00:00
Vault Agent is a client daemon that provides the following features:
2020-05-07 22:10:49 +00:00
- [Auto-Auth][autoauth] - Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
- [Caching][caching] - Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens.
- [Templating][template] - Allows rendering of user supplied templates by Vault Agent, using the token generated by the Auto-Auth step.
2020-01-18 00:18:09 +00:00
To get help, run:
2018-07-25 02:02:27 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2018-07-25 02:02:27 +00:00
$ vault agent -h
```
2019-03-15 16:33:31 +00:00
2018-07-25 02:02:27 +00:00
## Auto-Auth
Vault Agent allows for easy authentication to Vault in a wide variety of
2019-03-15 16:33:31 +00:00
environments. Please see the [Auto-Auth docs][autoauth]
2018-07-25 02:02:27 +00:00
for information.
Auto-Auth functionality takes place within an `auto_auth` configuration stanza.
2019-03-15 16:33:31 +00:00
## Caching
2019-08-29 19:44:31 +00:00
Vault Agent allows client-side caching of responses containing newly created tokens
2019-03-15 16:33:31 +00:00
and responses containing leased secrets generated off of these newly created tokens.
Please see the [Caching docs][caching] for information.
2018-07-25 02:02:27 +00:00
## Configuration
2018-07-30 14:37:04 +00:00
These are the currently-available general configuration option:
2018-07-25 02:02:27 +00:00
2020-05-07 22:10:49 +00:00
- `vault` <code>([vault][vault]: <optional\>)</code> - Specifies the remote Vault server the Agent connects to.
2019-03-15 16:33:31 +00:00
2020-05-07 22:10:49 +00:00
- `auto_auth` <code>([auto_auth][autoauth]: <optional\>)</code> - Specifies the method and other options used for Auto-Auth functionality.
2019-03-15 16:33:31 +00:00
2020-05-07 22:10:49 +00:00
- `cache` <code>([cache][caching]: <optional\>)</code> - Specifies options used for Caching functionality.
2019-03-15 16:33:31 +00:00
2020-05-07 22:10:49 +00:00
- `listener` <code>([listener][listener]: <optional\>)</code> - Specifies the addresses and ports on which the Agent will respond to requests.
2019-10-17 14:08:59 +00:00
2018-07-25 02:02:27 +00:00
- `pid_file` `(string: "")` - Path to the file in which the agent's Process ID
2018-07-30 14:37:04 +00:00
(PID) should be stored
- `exit_after_auth` `(bool: false)` - If set to `true`, the agent will exit
with code `0` after a single successful auth, where success means that a
token was retrieved and all sinks successfully wrote it
2018-07-25 02:02:27 +00:00
2020-05-07 22:10:49 +00:00
- `template` <code>([template][template]: <optional\>)</code> - Specifies options used for templating Vault secrets to files.
Vault Agent Template (#7652)
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
2019-10-18 21:21:46 +00:00
2019-03-15 16:33:31 +00:00
### vault Stanza
There can at most be one top level `vault` block and it has the following
configuration entries:
2020-05-09 19:52:13 +00:00
- `address` `(string: <optional>)` - The address of the Vault server. This should
2019-03-15 16:33:31 +00:00
be a complete URL such as `https://127.0.0.1:8200`. This value can be
overridden by setting the `VAULT_ADDR` environment variable.
2020-05-09 19:52:13 +00:00
- `ca_cert` `(string: <optional>)` - Path on the local disk to a single PEM-encoded
2019-03-15 16:33:31 +00:00
CA certificate to verify the Vault server's SSL certificate. This value can
be overridden by setting the `VAULT_CACERT` environment variable.
2020-05-09 19:52:13 +00:00
- `ca_path` `(string: <optional>)` - Path on the local disk to a directory of
2019-03-15 16:33:31 +00:00
PEM-encoded CA certificates to verify the Vault server's SSL certificate.
This value can be overridden by setting the `VAULT_CAPATH` environment
variable.
2020-05-09 19:52:13 +00:00
- `client_cert` `(string: <optional>)` - Path on the local disk to a single
2019-03-15 16:33:31 +00:00
PEM-encoded CA certificate to use for TLS authentication to the Vault server.
This value can be overridden by setting the `VAULT_CLIENT_CERT` environment
variable.
2020-05-09 19:52:13 +00:00
- `client_key` `(string: <optional>)` - Path on the local disk to a single
2019-03-15 16:33:31 +00:00
PEM-encoded private key matching the client certificate from `client_cert`.
This value can be overridden by setting the `VAULT_CLIENT_KEY` environment
variable.
2020-05-09 19:52:13 +00:00
- `tls_skip_verify` `(string: <optional>)` - Disable verification of TLS
2019-03-15 16:33:31 +00:00
certificates. Using this option is highly discouraged as it decreases the
security of data transmissions to and from the Vault server. This value can
be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.
2020-05-09 19:52:13 +00:00
- `tls_server_name` `(string: <optional>)` - Name to use as the SNI host when
2019-10-29 13:11:01 +00:00
connecting via TLS. This value can be overridden by setting the
`VAULT_TLS_SERVER_NAME` environment variable.
2019-10-17 14:08:59 +00:00
### listener Stanza
2020-05-15 11:51:52 +00:00
Agent supports one or more [listener][listener_main] stanzas. In addition to
2019-10-17 14:08:59 +00:00
the standard listener configuration, an Agent's listener configuration also
supports an additional optional entry:
2020-05-07 22:10:49 +00:00
- `require_request_header` `(bool: false)` - Require that all incoming HTTP
2019-10-17 14:08:59 +00:00
requests on this listener must have an `X-Vault-Request: true` header entry.
2019-11-11 21:27:40 +00:00
Using this option offers an additional layer of protection from Server Side
2020-01-18 00:18:09 +00:00
Request Forgery attacks. Requests on the listener that do not have the proper
`X-Vault-Request` header will fail, with a HTTP response status code of `412: Precondition Failed`.
2019-10-17 14:08:59 +00:00
2018-07-25 02:02:27 +00:00
## Example Configuration
An example configuration, with very contrived values, follows:
```python
pid_file = "./pidfile"
2019-03-15 16:33:31 +00:00
vault {
address = "https://127.0.0.1:8200"
}
2018-07-25 02:02:27 +00:00
auto_auth {
method "aws" {
mount_path = "auth/aws-subaccount"
config = {
2019-01-24 12:25:03 +00:00
type = "iam"
2018-07-25 02:02:27 +00:00
role = "foobar"
}
}
sink "file" {
config = {
path = "/tmp/file-foo"
}
}
sink "file" {
2019-08-29 19:44:31 +00:00
wrap_ttl = "5m"
2018-07-25 02:02:27 +00:00
aad_env_var = "TEST_AAD_ENV"
dh_type = "curve25519"
dh_path = "/tmp/file-foo-dhpath2"
config = {
path = "/tmp/file-bar"
}
}
}
2019-03-15 16:33:31 +00:00
cache {
use_auto_auth_token = true
2019-03-20 16:42:31 +00:00
}
2019-03-15 16:33:31 +00:00
2019-03-20 16:42:31 +00:00
listener "unix" {
address = "/path/to/socket"
tls_disable = true
}
2019-03-15 16:33:31 +00:00
2019-03-20 16:42:31 +00:00
listener "tcp" {
address = "127.0.0.1:8100"
tls_disable = true
2019-03-15 16:33:31 +00:00
}
Vault Agent Template (#7652)
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
2019-10-18 21:21:46 +00:00
template {
source = "/etc/vault/server.key.ctmpl"
destination = "/etc/vault/server.key"
}
template {
source = "/etc/vault/server.crt.ctmpl"
destination = "/etc/vault/server.crt"
}
2018-07-25 02:02:27 +00:00
```
2019-03-15 16:33:31 +00:00
2020-01-22 20:05:41 +00:00
[vault]: /docs/agent#vault-stanza
[autoauth]: /docs/agent/autoauth
[caching]: /docs/agent/caching
[template]: /docs/agent/template
[listener]: /docs/agent#listener-stanza
[listener_main]: /docs/configuration/listener/tcp