---
layout: "docs"
page_title: "Vault Agent"
sidebar_title: "Vault Agent"
sidebar_current: "docs-agent"
description: |-
  Vault Agent is a client-side daemon that can be used to perform some Vault
  functionality automatically.
---
# Vault Agent
Vault Agent is a client daemon that provides the following features:
- <tt>[Auto-Auth][autoauth]</tt> - Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
- <tt>[Caching][caching]</tt> - Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens.
To get help, run:
```text
$ vault agent -h
```
## Auto-Auth
Vault Agent allows for easy authentication to Vault in a wide variety of
environments. Please see the [Auto-Auth docs][autoauth]
for information.
Auto-Auth functionality takes place within an `auto_auth` configuration stanza.
## Caching
Vault Agent allows client-side caching of responses containing newly created tokens
and responses containing leased secrets generated off of these newly created tokens.
Please see the [Caching docs][caching] for information.
## Configuration
These are the currently-available general configuration options:
- `vault` <tt>([vault][vault]: \<optional\>)</tt> - Specifies the remote Vault server the Agent connects to.
- `auto_auth` <tt>([auto_auth][autoauth]: \<optional\>)</tt> - Specifies the method and other options used for Auto-Auth functionality.
- `cache` <tt>([cache][caching]: \<optional\>)</tt> - Specifies options used for Caching functionality.
- `pid_file` `(string: "")` - Path to the file in which the agent's Process ID
  (PID) should be stored.
- `exit_after_auth` `(bool: false)` - If set to `true`, the agent will exit
  with code `0` after a single successful auth, where success means that a
  token was retrieved and all sinks successfully wrote it.
### vault Stanza
There can be at most one top-level `vault` block, and it has the following
configuration entries:
- `address (string: optional)` - The address of the Vault server. This should
be a complete URL such as `https://127.0.0.1:8200`. This value can be
overridden by setting the `VAULT_ADDR` environment variable.
- `ca_cert (string: optional)` - Path on the local disk to a single PEM-encoded
CA certificate to verify the Vault server's SSL certificate. This value can
be overridden by setting the `VAULT_CACERT` environment variable.
- `ca_path (string: optional)` - Path on the local disk to a directory of
PEM-encoded CA certificates to verify the Vault server's SSL certificate.
This value can be overridden by setting the `VAULT_CAPATH` environment
variable.
- `client_cert (string: optional)` - Path on the local disk to a single
PEM-encoded certificate to use for TLS authentication to the Vault server.
This value can be overridden by setting the `VAULT_CLIENT_CERT` environment
variable.
- `client_key (string: optional)` - Path on the local disk to a single
PEM-encoded private key matching the client certificate from `client_cert`.
This value can be overridden by setting the `VAULT_CLIENT_KEY` environment
variable.
- `tls_skip_verify (string: optional)` - Disable verification of TLS
certificates. Using this option is highly discouraged as it decreases the
security of data transmissions to and from the Vault server. This value can
be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.
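
Because each `vault` stanza entry can be overridden by an environment variable, the config file alone does not show the Agent's effective TLS settings. The following added example (not part of the Vault documentation or code base) resolves the effective values from a config file plus an environment and reports weak results; the minimal regex parser, the set of truthy strings and all function names are assumptions made for illustration.

```python
import re
# vault-stanza keys and the environment variables documented as overriding them.
ENV_OVERRIDES = {
    "address": "VAULT_ADDR", "ca_cert": "VAULT_CACERT", "ca_path": "VAULT_CAPATH",
    "client_cert": "VAULT_CLIENT_CERT", "client_key": "VAULT_CLIENT_KEY",
    "tls_skip_verify": "VAULT_SKIP_VERIFY",
}
TRUTHY = {"1", "t", "true"}  # assumption: strings treated as boolean true

def parse_vault_stanza(config_text):
    """Flat key/value pairs of the top-level vault { } block (no comments or nesting)."""
    block = re.search(r"^\s*vault\s*\{(.*?)^\s*\}", config_text, re.S | re.M)
    if block is None:
        return {}
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', block.group(1), re.M))

def effective_settings(config_text, environ):
    """Apply the documented precedence: a set environment variable wins over the file."""
    settings = parse_vault_stanza(config_text)
    for key, var in ENV_OVERRIDES.items():
        if environ.get(var):
            settings[key] = environ[var]
    return settings

def audit(config_text, environ):
    """Return findings about the effective (file plus environment) TLS settings."""
    eff = effective_settings(config_text, environ)
    findings = []
    if eff.get("tls_skip_verify", "").lower() in TRUTHY:
        source = "VAULT_SKIP_VERIFY" if environ.get("VAULT_SKIP_VERIFY") else "config file"
        findings.append(f"tls_skip_verify enabled via {source}: server certificate unverified")
    address = eff.get("address", "")
    if address and not address.lower().startswith("https://"):
        findings.append(f"address {address!r} is not an https:// URL")
    if bool(eff.get("client_cert")) != bool(eff.get("client_key")):
        findings.append("client_cert and client_key must be set together")
    return findings

# Constructed sample input, not from a real deployment.
SAMPLE_CONFIG = '''
vault {
  address = "https://vault.example.internal:8200"
  ca_cert = "/etc/vault-agent/ca.pem"
}
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"VAULT_SKIP_VERIFY": "true"}):
        print("FINDING:", finding)
```

Run it against the same environment the Agent process will inherit (for example the service unit's environment), not the operator's shell.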
## Example Configuration
An example configuration, with very contrived values, follows:
```hcl
pid_file = "./pidfile"

vault {
  address = "https://127.0.0.1:8200"
}

auto_auth {
  method "aws" {
    mount_path = "auth/aws-subaccount"
    config = {
      type = "iam"
      role = "foobar"
    }
  }

  sink "file" {
    config = {
      path = "/tmp/file-foo"
    }
  }

  sink "file" {
    wrap_ttl = "5m"
    aad_env_var = "TEST_AAD_ENV"
    dh_type = "curve25519"
    dh_path = "/tmp/file-foo-dhpath2"
    config = {
      path = "/tmp/file-bar"
    }
  }
}

cache {
  use_auto_auth_token = true
}

listener "unix" {
  address = "/path/to/socket"
  tls_disable = true
}

listener "tcp" {
  address = "127.0.0.1:8100"
  tls_disable = true
}
```
[vault]: /docs/agent/index.html#vault-stanza
[autoauth]: /docs/agent/autoauth/index.html
[caching]: /docs/agent/caching/index.html