Implement Secret Caching Using Vault Agent

Vault Agent’s secret caching feature stores frequently accessed secrets locally on the client machine, so repeated reads are served from the agent rather than from Vault. This reduces load on the Vault server and improves response time for clients.

Prerequisites

You need the following:

  1. A running Vault cluster: Refer to the Shortcut “Run HashiCorp Vault with Helm” for a refresher on running Vault.

  2. A running vault-agent: Refer to the Shortcut “Run Vault Agent to Interact with HashiCorp Vault” for a refresher on running vault-agent with approle auth.

Enable Caching

  1. On your client machine, update the vault-agent config file with the following:

    # vault-agent.hcl
    pid_file = "./pidfile"
    log_level = "debug"
    
    auto_auth {
      method "approle" {
        config = {
          role_id_file_path = "/etc/shortcuts/role-id"
          secret_id_file_path = "/etc/shortcuts/secret-id"
          remove_secret_id_file_after_reading = false
        }
      }
      
      sink "file" {
        config = {
          path = "/etc/shortcuts/token"
        }
      }
    }
    
    cache {
      use_auto_auth_token = true
    }
    
    listener "tcp" {
      address = "127.0.0.1:8100"
      tls_disable = true
    }
    
    vault {
      address = "http://127.0.0.1:8200"
    }
    
    template {
      source      = "/etc/shortcuts/my-secret.ctmpl"
      destination = "/etc/shortcuts/secrets.txt"
    }

    In the preceding config file, note the cache block that enables secret caching.

  2. Run vault-agent with the updated config:

    vault agent -config=/etc/vault-agent.hcl -log-level=debug

    You should see log messages like the following:

    2024-07-26T16:38:38.385-0500 ...
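    As an added configuration check (not part of this Shortcut), the following script reads the cache and listener blocks from an agent config like the one above and flags the case where use_auto_auth_token = true is combined with a listener bound to a non-loopback address: requests that reach the listener without a token are then forwarded to Vault with the agent's own token attached. The minimal HCL reader and the sample config are constructed for this example and only handle the flat block shape shown on this page.

```python
import re
# Constructed sample: the cache and listener blocks from the agent config above.
AGENT_HCL = """
cache {
  use_auto_auth_token = true
}
listener "tcp" {
  address = "127.0.0.1:8100"
  tls_disable = true
}
"""

def parse_value(raw):  # HCL scalar (quoted string, bool or int) -> Python value
    raw = raw.strip()
    if raw.startswith('"'):
        return raw.strip('"')
    return raw == "true" if raw in ("true", "false") else int(raw)

def parse_blocks(hcl):
    """Line-oriented reader for the flat agent config; nested maps fold into their top-level block."""
    blocks, depth, current = {}, 0, None
    for line in hcl.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.endswith("{"):                      # block or map opener
            if depth == 0:
                current = s.split()[0]          # 'listener "tcp" {' -> 'listener'
                blocks.setdefault(current, {})
            depth += 1
        elif s == "}":
            depth -= 1
        elif current and (m := re.match(r"(\w+)\s*=\s*(.+)", s)):
            blocks[current][m.group(1)] = parse_value(m.group(2))
    return blocks

def lint_cache_listener(blocks):
    """Findings on how the caching listener exposes the auto-auth token."""
    cache, listener = blocks.get("cache"), blocks.get("listener", {})
    if cache is None:
        return ["no cache block: every request is proxied to Vault uncached"]
    addr = listener.get("address", "")
    loopback = addr.rsplit(":", 1)[0] in ("127.0.0.1", "localhost", "::1", "[::1]")
    findings = []
    if cache.get("use_auto_auth_token") and not loopback:
        findings.append(f"{addr}: use_auto_auth_token=true on a non-loopback listener lets any client reaching the port use the agent's token")
    if listener.get("tls_disable") and not loopback:
        findings.append(f"{addr}: tls_disable=true on a non-loopback listener")
    return findings
```

    The page's own config (loopback listener) produces no findings; rebinding the listener to 0.0.0.0 produces both.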
