Learn how to leverage HashiCorp Vault Agent to automatically authenticate via AppRole and render configuration files with secrets fetched from Vault.

Prerequisites

Requirement          Description
Vault Server         Running, unsealed, and reachable from the agent host (default port :8200).
Vault CLI & Agent    The vault binary installed on your local machine; Vault Agent is the `vault agent` subcommand of that same binary.
AppRole Policy       A policy (e.g., cloud-policy) already written to Vault. It must grant read on every path the agent will render (for step 7, kv/data/apps/webapp).
KV Secrets Engine    A KV version 2 engine mounted at kv/ (step 7 relies on the v2 response shape).

1. Enable the AppRole Auth Method

Enable AppRole so Vault Agent can authenticate:
vault auth enable approle
Expected output:
Success! Enabled approle auth method at: approle/
AppRole is a machine-friendly auth method designed for non-interactive workflows.
Learn more: AppRole Auth Method

2. Create an AppRole for the Agent

Define a role and attach the policy its tokens will carry:
vault write auth/approle/role/agent \
  token_policies="cloud-policy"
Verify the role settings:
vault read auth/approle/role/agent
Sample output (trimmed):
Key                Value
bind_secret_id     true
token_policies     [cloud-policy]
bind_secret_id=true means a login must present a secret_id, not just the role_id. Because the role sets nothing else, secret_id_ttl and secret_id_num_uses are both 0 (a secret_id never expires and can be used any number of times) and tokens get the mount's default TTL. That is fine for a walkthrough; in production constrain the role with secret_id_ttl, secret_id_num_uses, token_ttl and token_max_ttl, and, where the agent's network location is fixed, secret_id_bound_cidrs.

3. Retrieve Role ID and Secret ID

Fetch the role_id. It is a stable identifier for the role and may be baked into an image or config-management run:
vault read -format=json auth/approle/role/agent/role-id
Example JSON response (other fields omitted):
{
  "data": {
    "role_id": "3ae4b467-c469-6a38-adbe-83e1ab5f1dd0"
  }
}
Generate a secret_id. This is the actual credential: every call mints a new one, and with the role defaults above it never expires, so deliver it over a separate channel from the role_id and treat it like a password:
vault write -format=json -f auth/approle/role/agent/secret-id
Example JSON response (other fields omitted):
{
  "data": {
    "secret_id": "6b74a5ef-d4f5-0690-67f1-c457c1060ac7"
  }
}

4. Store Role ID & Secret ID in Files

Create two files in your working directory, each containing only the value (a trailing newline is fine):
role.txt
3ae4b467-c469-6a38-adbe-83e1ab5f1dd0
secret.txt
6b74a5ef-d4f5-0690-67f1-c457c1060ac7
Give both files restrictive permissions (chmod 600) and make them owned by the user the agent runs as; anyone who can read both files can log in as the role. Note that the agent deletes secret.txt after reading it unless told otherwise (see 6.1).
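The script below is an added example, not code from the tutorial or from HashiCorp; it performs steps 1 to 4 in one idempotent run with a hardened role definition. The policy name cloud-policy comes from the page; ROLE_NAME, OUT_DIR, WRAP_TTL, the TTL and use-count values, and the helper names are this example's own choices. It assumes VAULT_ADDR and VAULT_TOKEN are set for an operator allowed to manage auth/approle.

```sh
#!/bin/sh
# Added example (not from the original tutorial): bootstrap an AppRole for Vault
# Agent with explicit, restrictive role settings and write role_id / secret_id
# files that are 0600 from the moment they exist.
# Assumes: VAULT_ADDR and VAULT_TOKEN point at Vault as an operator; the policy
# "cloud-policy" exists. ROLE_NAME, OUT_DIR, WRAP_TTL and the TTLs are
# illustrative values chosen for this example.
set -eu

ROLE_NAME="${ROLE_NAME:-agent}"
OUT_DIR="${OUT_DIR:-/etc/vault-agent}"
WRAP_TTL="${WRAP_TTL:-120s}"

# Enable AppRole only if it is not already mounted, so re-runs are harmless.
enable_approle() {
  if ! vault auth list -format=json | grep -q '"approle/"'; then
    vault auth enable approle
  fi
}

# The tutorial sets only token_policies. The extra settings bound the damage a
# leaked secret_id can do: it expires quickly, it is single-use, and the token
# it yields is short-lived and has to be renewed by the agent.
create_role() {
  vault write "auth/approle/role/${ROLE_NAME}" \
    token_policies="cloud-policy" \
    secret_id_ttl="10m" \
    secret_id_num_uses=1 \
    token_ttl="1h" \
    token_max_ttl="24h"
}

# Write a value to a file created with mode 0600. The umask is changed in a
# subshell so the caller's umask is untouched.
write_secret_file() {
  path="$1"; value="$2"
  ( umask 077; printf '%s\n' "$value" > "$path" )
}

# -field prints just the value, so no JSON blob lands in shell history or logs.
fetch_credentials() {
  role_id="$(vault read -field=role_id "auth/approle/role/${ROLE_NAME}/role-id")"
  secret_id="$(vault write -field=secret_id -f "auth/approle/role/${ROLE_NAME}/secret-id")"
  write_secret_file "${OUT_DIR}/role.txt" "$role_id"
  write_secret_file "${OUT_DIR}/secret.txt" "$secret_id"
}

# Alternative delivery: store a response-wrapping token instead of the raw
# secret_id. The agent unwraps it itself when agent.hcl sets
# secret_id_response_wrapping_path = "auth/approle/role/<role>/secret-id".
fetch_wrapped_secret_id() {
  wrap_token="$(vault write -field=wrapping_token -wrap-ttl="$WRAP_TTL" -f \
    "auth/approle/role/${ROLE_NAME}/secret-id")"
  write_secret_file "${OUT_DIR}/secret.txt" "$wrap_token"
}

# Returns 0 only for a regular file whose mode is exactly 0600. ls -l output is
# used instead of stat so this works on both GNU and BSD userlands.
is_mode_0600() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

verify_files() {
  for f in "${OUT_DIR}/role.txt" "${OUT_DIR}/secret.txt"; do
    is_mode_0600 "$f" || { echo "refusing to continue: $f is not 0600" >&2; return 1; }
  done
}

main() {
  mkdir -p "$OUT_DIR"
  enable_approle
  create_role
  fetch_credentials
  verify_files
}

# Talk to Vault only when invoked as "bootstrap"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "bootstrap" ]; then
  main
fi
```

Run it as `sh bootstrap.sh bootstrap`. With secret_id_num_uses=1 the secret_id is consumed by the agent's first login, so a restart needs a freshly minted secret_id (or a fresh wrapping token from fetch_wrapped_secret_id); that is the intended behaviour, since the file on disk is then worthless to anyone who copies it later.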

5. Configure Vault Agent (agent.hcl)

Define the auto-auth method, a sink that receives the token, and the Vault address:
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path    = "/path/to/role.txt"
      secret_id_file_path  = "/path/to/secret.txt"
    }
  }

  sink "file" {
    config = {
      path = "/path/to/sink.txt"
    }
  }
}

vault {
  address = "http://127.0.0.1:8200"
}
  • mount_path is the path the method was enabled at, prefixed with auth/. It defaults to "auth/approle", so the line can be omitted when you used the default mount; it matters only for a custom mount such as auth/approle-prod.
  • Use absolute paths. The file sink creates sink.txt with mode 0640 by default; set mode = 0600 in the sink config if only the agent's user should read it.
  • Adjust address if your Vault server listens on a different host or port. Plain http is acceptable only for a local dev server; in production use https and pin the CA with ca_cert in the vault stanza, otherwise the token and every rendered secret cross the network in the clear.

6. Start Vault Agent

Run the agent with your configuration:
vault agent -config=agent.hcl
You should see logs indicating successful authentication and the token being written to the sink:
[INFO] sink.file: file sink configured: path=/path/to/sink.txt
[INFO] auth.handler: authentication successful, sending token to sinks
[INFO] auth.handler: renewed auth token
The agent keeps renewing the token for as long as the role's TTLs allow and re-authenticates when it cannot. Verify the token:
cat /path/to/sink.txt
# hvs.xxxxxxxxxxxxxxxxxxxxxxxx   (Vault 1.10+; older versions issue tokens starting with s.)
Whatever can read sink.txt holds a live token with cloud-policy attached, so the sink file needs the same protection as secret.txt.

6.1 Preserve the Secret ID File (Optional)

By default Vault Agent deletes secret.txt after reading it (remove_secret_id_file_after_reading defaults to true), which is why a second `vault agent` start with the same configuration fails: the secret_id file is gone. To keep the file for repeated restarts during testing, set remove_secret_id_file_after_reading = false:
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/path/to/role.txt"
      secret_id_file_path                 = "/path/to/secret.txt"
      remove_secret_id_file_after_reading = false
    }
  }
  sink "file" {
    config = {
      path = "/path/to/sink.txt"
    }
  }
}
Restart Vault Agent; secret.txt now persists. Keep in mind that this leaves a reusable login credential on disk. The production alternative is to leave the default in place and provision a fresh secret_id (or a response-wrapping token, unwrapped by the agent when secret_id_response_wrapping_path is set to the role's secret-id path) each time the agent starts.

7. Templating with Vault Agent

Vault Agent can render templates populated with secrets, using the token it obtained through auto-auth. Follow these steps:

7.1 Prepare the Template (web.tmpl)

The template uses consul-template syntax. On a KV version 2 mount the read path includes a data/ segment (kv/data/apps/webapp) and the secret's fields sit under .Data.data; on a KV version 1 mount the path would be kv/apps/webapp and the fields directly under .Data.
production:
  adapter: postgresql
  encoding: unicode
  database: orders
{{ with secret "kv/data/apps/webapp" }}
  username: "{{ .Data.data.username }}"
  password: "{{ .Data.data.password }}"
{{ end }}

7.2 Seed the KV Store

Populate Vault's KV engine (this assumes a KV version 2 engine mounted at kv/, and that cloud-policy grants read on kv/data/apps/webapp; otherwise the render fails with a permission-denied error):
vault kv put kv/apps/webapp \
  username="administrator" \
  password="kfi3ksoi2msij2s"

7.3 Update agent.hcl with a Template Block

Add a template stanza to the agent.hcl from step 5, alongside the existing auto_auth, sink and vault stanzas (all of them stay; the template is rendered with the token the agent obtained):
template {
  source      = "/path/to/web.tmpl"
  destination = "/path/to/output.yaml"
}
Two optional keys matter for a file that will contain secrets. perms sets the mode of the rendered file; if it is omitted and no file exists at the destination yet, the file is created 0644, i.e. readable by every local user, so set perms = 0640 or stricter. error_on_missing_key = true makes a missing field a hard error instead of silently rendering an empty string. command runs a program after each successful render (for example, reloading the service that reads the file).

7.4 Restart Vault Agent & Verify

Restart the agent (remember 6.1: the secret_id file must still exist, or be re-provisioned, for the second start to succeed):
vault agent -config=agent.hcl
The file is rendered once the agent has authenticated. Check it:
cat /path/to/output.yaml
Expected content (now a plaintext secret on disk, to be protected like sink.txt):
production:
  adapter: postgresql
  encoding: unicode
  database: orders
  username: "administrator"
  password: "kfi3ksoi2msij2s"
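As an added example, not configuration taken from the tutorial or from HashiCorp, the script below writes a single agent.hcl that combines steps 5, 6.1 and 7.3 with the hardening discussed above (wrapped secret_id, 0600 sink, 0640 rendered file, hard error on missing keys, TLS to Vault), and provides a check a service can run on the rendered file before trusting it. CONF_DIR, the Vault hostname, the TLS paths, the webapp service name and the helper names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original tutorial): emit a hardened agent.hcl and
# sanity-check a rendered secrets file.
# Assumptions, chosen for this example: CONF_DIR, the Vault address and CA path,
# the "webapp" service reloaded after a render, and the function names.
set -eu

CONF_DIR="${CONF_DIR:-/etc/vault-agent}"
VAULT_ADDR_TLS="${VAULT_ADDR_TLS:-https://vault.example.internal:8200}"

# Print the configuration. Differences from the tutorial's agent.hcl:
#  * secret.txt holds a response-wrapping token (vault write -wrap-ttl=... -f
#    auth/approle/role/agent/secret-id), which the agent unwraps itself; a copy
#    of the file is useless after the first unwrap or after the wrap TTL.
#  * the token sink is created 0600 instead of the 0640 default.
#  * the rendered file is 0640, a missing key fails the render instead of
#    writing an empty value, and the service is reloaded after a good render.
#  * the agent talks TLS to Vault and pins the CA.
render_agent_config() {
  cat <<EOF
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "${CONF_DIR}/role.txt"
      secret_id_file_path                 = "${CONF_DIR}/secret.txt"
      secret_id_response_wrapping_path    = "auth/approle/role/agent/secret-id"
      remove_secret_id_file_after_reading = true
    }
  }

  sink "file" {
    config = {
      path = "${CONF_DIR}/sink.txt"
      mode = 0600
    }
  }
}

template {
  source               = "${CONF_DIR}/web.tmpl"
  destination          = "/etc/webapp/database.yaml"
  perms                = 0640
  error_on_missing_key = true
  command              = "systemctl reload webapp"
}

vault {
  address = "${VAULT_ADDR_TLS}"
  ca_cert = "${CONF_DIR}/tls/ca.pem"
}
EOF
}

# agent.hcl itself names secret files and the Vault CA, so it is written 0640.
write_agent_config() {
  ( umask 027; render_agent_config > "${CONF_DIR}/agent.hcl" )
}

# A rendered secrets file is fit for use only if it is a regular file, grants
# nothing to "other", and contains no unexpanded template markers (which would
# mean the application is about to read "{{ .Data.data.password }}" literally).
rendered_output_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  other_bits="$(ls -ld "$f" | cut -c8-10)"
  [ "$other_bits" = "---" ] || return 1
  ! grep -qF '{{' "$f"
}

if [ "${1:-}" = "write" ]; then
  mkdir -p "$CONF_DIR"
  write_agent_config
fi
```

Run `sh agent-config.sh write`, drop a fresh wrapping token into secret.txt, then start `vault agent -config=/etc/vault-agent/agent.hcl`. Because remove_secret_id_file_after_reading stays true, whatever supervises the agent must provision a new wrapping token before each restart; that is the price of never leaving a reusable credential on disk.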

Conclusion

You have now automated the following with Vault Agent:
  1. AppRole-based auto-authentication, with the role_id and secret_id read from files the agent owns.
  2. Handling of the secret_id after use (deleted by default, retained only for testing).
  3. Token persistence through a configurable sink, renewed by the agent for the life of the role's TTLs.
  4. Templating that injects secrets from KV into a configuration file, with the rendered file protected like any other secret on disk.