HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.14.x. View latest version.

Vault proxy persistent caching

Vault Proxy can restore tokens and leases from a persistent cache file created by a previous Vault Proxy process. The persistent cache is a BoltDB file that includes tuples encrypted by a generated encryption key. The encrypted tuples include the Vault token used to retrieve secrets, leases for tokens/secrets, and secret values.

Note: Vault Proxy Persistent Caching will only restore leased secrets. Secrets that are not renewable, such as KV v2, will not be persisted.

In order to use Vault Proxy persistent cache, auto-auth must be used. If the auto-auth token has expired by the time the cache is restored, the cache will be invalidated and secrets will need to be re-fetched from Vault.

Note Vault Proxy persistent cache is currently supported only in a Kubernetes environment.

Vault proxy persistent cache types

Please see the sidebar for available types and their usage/configuration.

Persistent cache example configuration

Here is an example of a persistent cache configuration.

# Other Vault proxy configuration blocks
# ...

cache {
  persist "kubernetes" {
    path = "/vault/proxy-cache"
  }
}