HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.16.x. View latest version.

Vault Agent API proxy

Vault Agent's API Proxy functionality allows you to use Vault Agent's API as a proxy for Vault's API.

Note: This functionality will be deprecated in a future release. Please switch to using Vault Proxy for API proxying purposes, instead.

Use Vault Proxy for static secret caching

Static secret caching (KVv1 and KVv2) with API proxy minimizes the number of requests forwarded to Vault. Vault Agent does not support static secret caching with API proxy. We recommend using Vault Proxy for API Proxy related workflows.

Functionality

The listener stanza for Vault Agent configures a listener for Vault Agent. If its role is not set to metrics_only, it will act as a proxy for the Vault server that has been configured in the vault stanza of Vault Agent. This enables access to the Vault API from the Agent API, and can be configured to optionally allow or force the automatic use of the Auto-Auth token for these requests, as described below.

If a listener has been configured alongside a cache stanza, the API Proxy will first attempt to utilize the cache subsystem for qualifying requests, before forwarding the request to Vault. See the caching docs for more information on caching.

Using Auto-Auth token

Vault Agent allows for easy authentication to Vault in a wide variety of environments using Auto-Auth. By setting the use_auto_auth_token (see below) configuration, clients will not be required to provide a Vault token to the requests made to the Agent. When this configuration is set, if the request doesn't already bear a token, then the auto-auth token will be used to forward the request to the Vault server. This configuration will be overridden if the request already has a token attached, in which case, the token present in the request will be used to forward the request to the Vault server.

Forcing Auto-Auth token

Vault Agent can be configured to force the use of the auto-auth token by using the value force for the use_auto_auth_token option. This configuration overrides the default behavior described above in Using Auto-Auth Token, and instead ignores any existing Vault token in the request and instead uses the auto-auth token.

Configuration (api_proxy)

The top level api_proxy block has the following configuration entries:

  • use_auto_auth_token (bool/string: false) - If set, the requests made to Agent without a Vault token will be forwarded to the Vault server with the auto-auth token attached. If the requests already bear a token, this configuration will be overridden and the token in the request will be used to forward the request to the Vault server. If set to "force" Agent will use the auto-auth token, overwriting the attached Vault token if set.

The following two api_proxy options are only useful when making requests to a Vault Enterprise cluster, and are documented as part of its Eventual Consistency page.

Example configuration

Here is an example of a listener configuration alongside api_proxy configuration to force the use of the auto_auth token and enforce consistency.

# Other Vault agent configuration blocks
# ...

api_proxy {
  use_auto_auth_token = "force"
  enforce_consistency = "always"
}

listener "tcp" {
    address = "127.0.0.1:8100"
    tls_disable = true
}