Run Vault Agent to Interact with HashiCorp Vault

Vault Agent simplifies the process of authenticating to Vault and retrieving secrets. It is essentially a client daemon with features including templating, caching, auto-auth, and API proxy. This Shortcut uses AppRole authentication, but vault-agent supports a number of other authentication methods.

Prerequisites

  1. You need a running Vault cluster. Refer to the Shortcut “Run HashiCorp Vault with Helm” for a refresher on running Vault.

  2. You need the approle auth method enabled in Vault. Refer to the Shortcut “Manage Machine Access to Secrets with AppRole in HashiCorp Vault” for a refresher.

Approle for Vault Agent

  1. Create an approle in Vault to use with vault-agent:

    vault write auth/approle/role/my-agent-role policies="my-agent-policy"

    Make sure you see a success message.

  2. Create the my-agent-policy used in step 1:

    vault policy write my-agent-policy -<<EOF
    > path "secret/data/agent-secret"{
    >   capabilities = ["read", "update"]
    > }
    > EOF

    You should see a success message like the following:

    [Screenshot: success message from `vault policy write`]

  3. Create a secret-id for the my-agent-role approle:

    vault write -f auth/approle/role/my-agent-role/secret-id

    You should receive output like the following:

  4. Read the role-id for my-agent-role:

    vault read auth/approle/role/my-agent-role/role-id ...

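With the role, policy, secret-id and role-id in place, the agent itself is driven by a configuration file. The following is an added example (not part of the Shortcut or of HashiCorp's own docs) of a Vault Agent configuration that uses the my-agent-role AppRole created above to auto-authenticate and render the secret the policy allows. It assumes Vault listens at http://127.0.0.1:8200, that the role-id and secret-id have been written to files under /etc/vault-agent (readable only by the agent's user), and that the secret at secret/data/agent-secret holds a key named password.

```hcl
# vault-agent.hcl (added example; paths and addresses are assumptions)
pid_file = "/run/vault-agent.pid"

vault {
  # Address of the Vault cluster from the prerequisites (assumed)
  address = "http://127.0.0.1:8200"
}

auto_auth {
  # Log in with the my-agent-role AppRole created in this Shortcut
  method "approle" {
    mount_path = "auth/approle"
    config = {
      # role-id from step 4 and secret-id from step 3, stored in files
      role_id_file_path   = "/etc/vault-agent/role-id"
      secret_id_file_path = "/etc/vault-agent/secret-id"
      # Delete the secret-id file once consumed so a single-use
      # credential does not linger on disk
      remove_secret_id_file_after_reading = true
    }
  }

  # Write the resulting Vault token to a file for other local processes
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}

# Render the secret that my-agent-policy grants read access to
template {
  # Template body is inline to keep the example self-contained;
  # "password" is an assumed key inside the secret's data
  contents    = "{{ with secret \"secret/data/agent-secret\" }}{{ .Data.data.password }}{{ end }}"
  destination = "/etc/vault-agent/agent-secret.txt"
  perms       = "0640"
}
```

Start the agent with `vault agent -config=vault-agent.hcl`; it logs in with the AppRole, writes the token to the sink, and keeps the destination file updated as the secret changes.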