open-vault/website/source/docs/agent/index.html.md
Jeff Mitchell a6d0ae5890
Add exit-after-auth functionality to agent (#5013)
This allows it to authenticate once, then exit once all sinks have
reported success. Useful for things like an init container vs. a
sidecar container.

Also adds command-level testing of it.
2018-07-30 10:37:04 -04:00

layout: docs
page_title: Vault Agent
sidebar_current: docs-agent
description: Vault Agent is a client-side daemon that can be used to perform some Vault functionality automatically.

Vault Agent

Vault Agent is a client daemon that can perform useful tasks.

To get help, run:

$ vault agent -h

Auto-Auth

Vault Agent allows for easy authentication to Vault in a wide variety of environments. Please see the Auto-Auth docs for information.

Auto-Auth functionality takes place within an auto_auth configuration stanza.

Configuration

These are the currently-available general configuration options:

  • pid_file (string: "") - Path to the file in which the agent's Process ID (PID) should be stored

  • exit_after_auth (bool: false) - If set to true, the agent will exit with code 0 after a single successful auth, where success means that a token was retrieved and all sinks successfully wrote it

Example Configuration

An example configuration, with very contrived values, follows:

pid_file = "./pidfile"

auto_auth {
        method "aws" {
                mount_path = "auth/aws-subaccount"
                config = {
                        role = "foobar"
                }
        }

        sink "file" {
                config = {
                        path = "/tmp/file-foo"
                }
        }

        sink "file" {
                wrap_ttl = "5m" 
                aad_env_var = "TEST_AAD_ENV"
                dh_type = "curve25519"
                dh_path = "/tmp/file-foo-dhpath2"
                config = {
                        path = "/tmp/file-bar"
                }
        }
}
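
With exit_after_auth set to true, the agent can be wrapped in an init-container style step that runs it once and verifies the sink before the workload starts. The script below is an added example, not part of the Vault documentation or code base; the function names, the two-argument usage and the "no permissions for other users" policy are assumptions, and `vault agent -config` is the only Vault CLI call used.

```sh
#!/bin/sh
# Added example: run Vault Agent once, then verify the file sink it wrote.
# Assumes the agent configuration sets exit_after_auth = true and has a file
# sink whose path is passed as the second argument.

# check_sink PATH
# Succeeds only if PATH is a regular, non-empty file, is not a symlink, and
# grants no permissions to "other" users (assumed policy for this example).
check_sink() {
    sink=$1
    if [ -L "$sink" ]; then
        echo "sink is a symlink, refusing to trust it: $sink" >&2
        return 1
    fi
    if [ ! -f "$sink" ]; then
        echo "sink file missing: $sink" >&2
        return 1
    fi
    if [ ! -s "$sink" ]; then
        echo "sink file is empty: $sink" >&2
        return 1
    fi
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$sink" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "sink file is accessible to other users ($other): $sink" >&2
        return 1
    fi
    return 0
}

# run_agent_once CONFIG SINK
# Exit code 0 from the agent means a token was retrieved and all sinks wrote
# it; the sink is still checked before anything consumes the token.
run_agent_once() {
    config=$1
    sink=$2
    if ! vault agent -config="$config"; then
        echo "vault agent exited non-zero" >&2
        return 1
    fi
    check_sink "$sink"
}

# Only act when called as: script CONFIG SINK
if [ "$#" -eq 2 ]; then
    run_agent_once "$1" "$2"
fi
```

If exit_after_auth is left at its default of false, the agent does not exit after authenticating, so the sink check in run_agent_once is not reached.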