HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

agent generate-config

Generates a simple Vault Agent configuration file from the given parameters.

Currently, the only supported configuration type is env-template, which helps you generate a configuration file with environment variable templates for running Vault Agent in process supervisor mode.

For every specified secret -path, the command will attempt to generate one or multiple env_template entries based on the JSON key(s) stored in the specified secret. If the secret -path ends with /*, the command will attempt to recurse through the secrets tree rooted at the given path, generating env_template entries for each encountered secret. Currently, only kv-v1 and kv-v2 paths are supported.

The command specified in the -exec option will be used to generate an exec entry, which will tell Vault Agent which child process to run.

In addition to the env_template entries, the command generates an auto_auth section with token_file authentication method. While this method is very convenient for local testing, it should NOT be used in production. In a production environment, please use any other Auto-Auth method instead.

By default, the file will be generated in the local directory as agent.hcl unless a path is specified as an argument.

Example

Before generating a configuration file, let's insert a secret foo:

$ vault kv put -mount=secret foo user="admin" password="s3cr3t"

Generate an agent configuration file which will reference secret/foo:

$ vault agent generate-config \
         -type="env-template" \
         -exec="./my-app arg1 arg2" \
         -namespace="my/ns/" \
         -path="secret/foo" \
         my-config.hcl

Expected output:

Successfully generated "my-config.hcl" configuration file!
Warning: the generated file uses 'token_file' authentication method, which is not suitable for production environments.

This will produce my-config.hcl file in the current directory with contents similar to the following:

auto_auth {

  method {
    type = "token_file"

    config {
      token_file_path = "/Users/avean/.vault-token"
    }
  }
}

template_config {
  static_secret_render_interval = "5m"
  exit_on_retry_failure         = true
  max_connections_per_host      = 10
}

vault {
  address = "http://localhost:8200"
}

env_template "FOO_PASSWORD" {
  contents             = "{{ with secret \"secret/data/foo\" }}{{ .Data.data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "FOO_USER" {
  contents             = "{{ with secret \"secret/data/foo\" }}{{ .Data.data.user }}{{ end }}"
  error_on_missing_key = true
}

exec {
  command                   = ["./my-app", "arg1", "arg2"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}

Usage

The following flags are available in addition to the standard set of flags included in all commands.

  • type (string: <required>) - The type of configuration file to generate; currently, only env-template is supported.

  • path (string: "") - Path to a kv-v1 or kv-v2 secret (e.g. secret/data/foo, kv-v2/my-app/*); multiple secrets and tail * wildcards are allowed.

  • -exec (string: "env") - The command to execute in agent process supervisor mode.

Tutorial

Refer to the Vault Agent - secrets as environment variables tutorial for an end-to-end example.

Edit this page on GitHub