HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.10.x. View latest version.

Vault Agent Persistent Caching

Vault Agent can restore tokens and leases from a persistent cache file created by a previous Vault Agent process. The persistent cache is a BoltDB file that includes tuples encrypted by a generated encryption key. The encrypted tuples include the Vault token used to retrieve secrets, leases for tokens/secrets, and secret values.

Note: Vault Agent Persistent Caching will only restore leased secrets. Secrets that are not renewable, such as KV v2, will not be persisted.

In order to use Vault Agent persistent cache, auto-auth must be used. If the auto-auth token has expired by the time the cache is restored, the cache will be invalidated and secrets will need to be re-fetched from Vault.

If Vault Agent templating is enabled alongside of the persistent cache, Vault Agent will automatically route templating requests through the cache. This ensures template requests are cached and restored properly.

Note Vault Agent persistent cache is currently supported only in a Kubernetes environment.

Vault Agent Persistent Cache Types

Please see the sidebar for available types and their usage/configuration.

Persistent Cache Example Configuration

Here is an example of a persistent cache configuration.

# Other Vault Agent configuration blocks
# ...

cache {
  use_auto_auth_token = true
  persist "kubernetes" {
    path = "/vault/agent-cache"
  }
}