Why Use Vault Agent?
- Securely inject secrets into applications that cannot reach Vault directly
- Automate authentication, token renewal, and secret caching
- Render configuration files at startup using Vault data
Vault Agent supports multiple authentication methods (like AppRole and Kubernetes) and can wrap responses to protect tokens in transit.
Vault Agent Features at a Glance
| Feature | Description |
|---|---|
| Automatic Authentication & Renewal | Authenticates to Vault (e.g., AppRole, Kubernetes) and renews tokens automatically. |
| Secure Token Storage & Delivery | Stores tokens in a configured sink (file, memory) and optionally wraps them. |
| Local Secret Caching | Caches fetched secrets to minimize Vault API calls and reduce latency. |
| Templating | Renders configuration files by pulling secrets from Vault into templates. |
1. Automatic Authentication and Renewal
Vault Agent can authenticate using various methods. Below is an example auto_auth block for the AppRole method:
- method: Defines the auth method type and its configuration.
- sink: Specifies where the resulting token is stored for the application.
2. Secure Token Storage and Delivery
After authentication, Vault Agent stores its token in a sink of your choice. Always set restrictive file permissions (mode = 0600 or stricter) on token sinks to prevent unauthorized access.
3. Local Secret Caching
To reduce Vault API calls and improve performance, Vault Agent can cache secrets locally. Configure caching like this: when use_auto_auth_token is enabled, requests that pass through the cache use the auto-auth token, and cached entries are renewed automatically.
4. Templating
Vault Agent's templating feature fetches secrets and renders them into static files before your application starts. In config.ctmpl, use the Vault template syntax:
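As an added example (not configuration from the original article), a single Vault Agent configuration that ties the four features above together: AppRole auto-auth, a permission-restricted and response-wrapped file sink, the local cache with use_auto_auth_token, and a template. The Vault address, mount path, file paths, secret path and reload command are assumed values; the template is embedded with the template block's contents key rather than a separate config.ctmpl file so it fits in one block.

```hcl
pid_file = "/run/vault-agent/agent.pid"

vault {
  address = "https://vault.example.internal:8200"   # assumed Vault address
}

# 1. Automatic authentication and renewal via AppRole.
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = true   # single-use SecretID, do not leave it on disk
    }
  }

  # 2. Secure token storage: restrictive mode, response-wrapped in transit.
  sink "file" {
    wrap_ttl = "5m"   # the sink receives a wrapping token; the app must unwrap it
    config = {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}

# 3. Local secret caching; proxied requests without a token reuse the auto-auth token.
cache {
  use_auto_auth_token = true
}

# Applications reach the cache through this local listener.
listener "unix" {
  address     = "/run/vault-agent/agent.sock"
  tls_disable = true
}

# 4. Templating: render a config file from a KV v2 secret, then reload the app.
template {
  destination = "/etc/myapp/config.yaml"
  perms       = "0640"
  command     = "systemctl reload myapp"   # assumed reload hook
  contents    = <<EOT
{{ with secret "secret/data/myapp/db" -}}
db_user: {{ .Data.data.username }}
db_pass: {{ .Data.data.password }}
{{- end }}
EOT
}
```

Because wrap_ttl is set on the sink, the file holds a short-lived wrapping token rather than the real token, so a consumer must unwrap it before use; an application that instead talks to the Unix socket gets cached, auto-authenticated responses without handling the token at all.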