diff --git a/changelog/18101.txt b/changelog/18101.txt
new file mode 100644
index 000000000..97ece748d
--- /dev/null
+++ b/changelog/18101.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: Agent listeners can now be to be the `metrics_only` role, serving only metrics, as part of the listener's new top level `role` option.
+```
diff --git a/command/agent.go b/command/agent.go
index 9c7032c77..91921fc99 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -700,7 +700,7 @@ func (c *AgentCommand) Run(args []string) int {
 // Parse 'require_request_header' listener config option, and wrap
 // the request handler if necessary
 muxHandler := cacheHandler
- if lnConfig.RequireRequestHeader {
+ if lnConfig.RequireRequestHeader && ("metrics_only" != lnConfig.Role) {
 muxHandler = verifyRequestHeader(muxHandler)
 }
@@ -708,10 +708,12 @@ func (c *AgentCommand) Run(args []string) int {
 mux := http.NewServeMux()
 quitEnabled := lnConfig.AgentAPI != nil && lnConfig.AgentAPI.EnableQuit
- mux.Handle(consts.AgentPathCacheClear, leaseCache.HandleCacheClear(ctx))
- mux.Handle(consts.AgentPathQuit, c.handleQuit(quitEnabled))
 mux.Handle(consts.AgentPathMetrics, c.handleMetrics())
- mux.Handle("/", muxHandler)
+ if "metrics_only" != lnConfig.Role {
+ mux.Handle(consts.AgentPathCacheClear, leaseCache.HandleCacheClear(ctx))
+ mux.Handle(consts.AgentPathQuit, c.handleQuit(quitEnabled))
+ mux.Handle("/", muxHandler)
+ }
 scheme := "https://"
 if tlsConf == nil {
diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go
index 35a2ff8f1..a005a420b 100644
--- a/command/agent/config/config_test.go
+++ b/command/agent/config/config_test.go
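Review bot: On a `metrics_only` listener the `require_request_header` option becomes a silent no-op. The new condition `lnConfig.RequireRequestHeader && ("metrics_only" != lnConfig.Role)` in the first hunk of command/agent.go skips `verifyRequestHeader`, and the metrics handler in the following hunk is registered on the mux directly, as it was before this change. An operator who sets both options may assume the header check protects the metrics endpoint and gets no diagnostic that it does not. Either reject the combination when the listener configuration is loaded, or log a warning here and add a comment such as `// require_request_header is not applied to metrics_only listeners; the metrics handler is registered without verifyRequestHeader`. Run's body starts and ends outside the hunk.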
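Review bot: The check `if "metrics_only" != lnConfig.Role {` in the second hunk of command/agent.go fails open, because any role other than that exact string registers the cache-clear, quit and proxy handlers. The same bare literal is repeated in the previous hunk and in the role switch in internalshared/configutil/listener.go, and only that switch keeps unexpected values out. Declaring the role values once, for example `const roleMetricsOnly = "metrics_only"` next to the `Role` field (name is a suggestion), and writing the test as `if lnConfig.Role != roleMetricsOnly {` removes the risk of the three copies drifting apart. A short comment above the `if` listing which handlers a metrics-only listener withholds would also help the next reader. Run's body starts and ends outside the hunk.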
@@ -34,8 +34,15 @@ func TestLoadConfigFile_AgentCache(t *testing.T) {
 Address: "127.0.0.1:8300",
 TLSDisable: true,
 },
+ {
+ Type: "tcp",
+ Address: "127.0.0.1:3000",
+ Role: "metrics_only",
+ TLSDisable: true,
+ },
 {
 Type: "tcp",
+ Role: "default",
 Address: "127.0.0.1:8400",
 TLSKeyFile: "/path/to/cakey.pem",
 TLSCertFile: "/path/to/cacert.pem",
diff --git a/command/agent/config/test-fixtures/config-cache-embedded-type.hcl b/command/agent/config/test-fixtures/config-cache-embedded-type.hcl
index 3c5615315..b09a978c6 100644
--- a/command/agent/config/test-fixtures/config-cache-embedded-type.hcl
+++ b/command/agent/config/test-fixtures/config-cache-embedded-type.hcl
@@ -46,6 +46,14 @@ listener {
 listener {
 type = "tcp"
+ address = "127.0.0.1:3000"
+ tls_disable = true
+ role = "metrics_only"
+}
+
+listener {
+ type = "tcp"
+ role = "default"
 address = "127.0.0.1:8400"
 tls_key_file = "/path/to/cakey.pem"
 tls_cert_file = "/path/to/cacert.pem"
diff --git a/command/agent/config/test-fixtures/config-cache.hcl b/command/agent/config/test-fixtures/config-cache.hcl
index b468e9a07..05f321a95 100644
--- a/command/agent/config/test-fixtures/config-cache.hcl
+++ b/command/agent/config/test-fixtures/config-cache.hcl
@@ -43,7 +43,15 @@ listener "tcp" {
 tls_disable = true
 }
+listener {
+ type = "tcp"
+ address = "127.0.0.1:3000"
+ tls_disable = true
+ role = "metrics_only"
+}
+
 listener "tcp" {
+ role = "default"
 address = "127.0.0.1:8400"
 tls_key_file = "/path/to/cakey.pem"
 tls_cert_file = "/path/to/cacert.pem"
diff --git a/internalshared/configutil/config.go b/internalshared/configutil/config.go
index c13c80451..678b91f77 100644
--- a/internalshared/configutil/config.go
+++ b/internalshared/configutil/config.go
@@ -2,7 +2,6 @@ package configutil
 import (
 "fmt"
- "io/ioutil"
 "time"
 "github.com/hashicorp/go-secure-stdlib/parseutil"
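Review bot: The expectation added to TestLoadConfigFile_AgentCache in command/agent/config/config_test.go covers only the accepted values `metrics_only` and `default`. Nothing in this commit, as shown, exercises the rejection path for an unsupported role, or checks that a `metrics_only` listener actually withholds the cache-clear, quit and proxy handlers. A fixture with an unknown role that asserts loading fails with the `unsupported listener role` error would pin the parser side. A handler-level test showing that `consts.AgentPathCacheClear` and `consts.AgentPathQuit` are not served on such a listener would pin the restriction itself. The test function continues outside the hunk.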
@@ -47,25 +46,6 @@ type SharedConfig struct {
 ClusterName string `hcl:"cluster_name"`
 }
-// LoadConfigFile loads the configuration from the given file.
-func LoadConfigFile(path string) (*SharedConfig, error) {
- // Read the file
- d, err := ioutil.ReadFile(path)
- if err != nil {
- return nil, err
- }
- return ParseConfig(string(d))
-}
-
-func LoadConfigKMSes(path string) ([]*KMS, error) {
- // Read the file
- d, err := ioutil.ReadFile(path)
- if err != nil {
- return nil, err
- }
- return ParseKMSes(string(d))
-}
-
 func ParseConfig(d string) (*SharedConfig, error) {
 // Parse!
 obj, err := hcl.Parse(d)
diff --git a/internalshared/configutil/listener.go b/internalshared/configutil/listener.go
index 3f3c59930..ea28dbf19 100644
--- a/internalshared/configutil/listener.go
+++ b/internalshared/configutil/listener.go
@@ -44,6 +44,7 @@ type Listener struct {
 Type string
 Purpose []string `hcl:"-"`
 PurposeRaw interface{} `hcl:"purpose"`
+ Role string `hcl:"role"`
 Address string `hcl:"address"`
 ClusterAddress string `hcl:"cluster_address"`
@@ -182,6 +183,13 @@ func ParseListeners(result *SharedConfig, list *ast.ObjectList) error {
 l.PurposeRaw = nil
 }
+
+ switch l.Role {
+ case "default", "metrics_only", "":
+ result.found(l.Type, l.Type)
+ default:
+ return multierror.Prefix(fmt.Errorf("unsupported listener role %q", l.Role), fmt.Sprintf("listeners.%d:", i))
+ }
 }
 // Request Parameters
diff --git a/sdk/helper/consts/agent.go b/sdk/helper/consts/agent.go
index 55be844e1..92207e3d8 100644
--- a/sdk/helper/consts/agent.go
+++ b/sdk/helper/consts/agent.go
@@ -4,7 +4,7 @@ package consts
 // endpoint.
 const AgentPathCacheClear = "/agent/v1/cache-clear"
-// AgentPathMetrics is the path the the agent will use to expose its internal
+// AgentPathMetrics is the path the agent will use to expose its internal
 // metrics.
 const AgentPathMetrics = "/agent/v1/metrics"
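Review bot: In the new role switch in ParseListeners (internalshared/configutil/listener.go), the accepting case calls `result.found(l.Type, l.Type)`, which passes the listener type and nothing about the role. It reads as carried over from a type check that is not visible in this hunk, and can probably be dropped in favour of a comment such as `// valid role; an empty role is treated as "default"`. Separately, the package path suggests this parser is shared beyond the agent. It is worth confirming that every consumer of `Listener` either enforces `metrics_only` or rejects it, since otherwise the option is accepted and the listener still serves its full handler set. The function body starts and ends outside the hunk.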
diff --git a/website/content/docs/agent/caching/index.mdx b/website/content/docs/agent/caching/index.mdx
index ad8009393..e46fa212f 100644
--- a/website/content/docs/agent/caching/index.mdx
+++ b/website/content/docs/agent/caching/index.mdx
@@ -227,7 +227,9 @@ These are common configuration values that live within the `persist` block:
 There can be one or more `listener` blocks at the top level. These configuration values are common to both `tcp` and `unix` listener blocks. Blocks of type `tcp` support the standard `tcp` [listener](/docs/configuration/listener/tcp)
-options.
+options. Additionally, the `role` string option is available as part of the top level
+of the `listener` block, which can be configured to `metrics_only` to serve only metrics,
+or the default role, `default`, which serves everything (including metrics).
 - `type` `(string: required)` - The type of the listener to use. Valid values are `tcp` and `unix`.
@@ -249,7 +251,7 @@ options.
 ### Example Configuration
-Here is an example of a cache configuration.
+Here is an example of a cache configuration alongside a listener that only serves metrics.
 ```hcl
 # Other Vault Agent configuration blocks
@@ -258,6 +260,12 @@ Here is an example of a cache configuration.
 cache {
 use_auto_auth_token = true
 }
+
+listener "tcp" {
+ address = "127.0.0.1:3000"
+ tls_disable = true
+ role = "metrics_only"
+}
 ```
 ## Tutorial