From 61561953cc437aad3298b6a1e6367b319eaaf843 Mon Sep 17 00:00:00 2001 From: VioletHynes Date: Fri, 20 Jan 2023 15:54:31 -0500 Subject: [PATCH 1/6] VAULT-12564 Docs for token file auth method --- .../docs/agent/autoauth/methods/approle.mdx | 2 +- .../agent/autoauth/methods/token_file.mdx | 65 +++++++++++++++++++ 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 website/content/docs/agent/autoauth/methods/token_file.mdx diff --git a/website/content/docs/agent/autoauth/methods/approle.mdx b/website/content/docs/agent/autoauth/methods/approle.mdx index 3f81242d7885..3371c139d959 100644 --- a/website/content/docs/agent/autoauth/methods/approle.mdx +++ b/website/content/docs/agent/autoauth/methods/approle.mdx @@ -77,7 +77,7 @@ auto_auth { } -cache { +api_proxy { use_auto_auth_token = true } diff --git a/website/content/docs/agent/autoauth/methods/token_file.mdx b/website/content/docs/agent/autoauth/methods/token_file.mdx new file mode 100644 index 000000000000..8dc85c63f675 --- /dev/null +++ b/website/content/docs/agent/autoauth/methods/token_file.mdx 
@@ -0,0 +1,65 @@ +--- +layout: docs +page_title: Vault Agent Auto-Auth Token File Method +description: Token File Method for Vault Agent Auto-Auth +--- + +# Vault Agent Auto-Auth Token File Method + +The `token_file` method reads in an existing, valid Vault token from a file, and uses that +token in lieu of authenticating itself. While it's a first class auto-auth method for all intents +and purposes, it naturally doesn't authenticate itself, as it requires a token from elsewhere. Like +other auto-auth methods, Agent will attempt to renew the token, as appropriate. + +This auto-auth method is especially useful when testing Vault Agent without needing to set up +any authentication methods in Vault. For long-running Agent processes, we'd recommend another +auto-auth method, such that Agent is issuing its own authentication requests to Vault. + +## Configuration + +- `token_file_path` `(string: required)` - The path to the file with the token inside. This token cannot be a wrapping token. + +- `remove_token_file_after_reading` `(bool: optional, defaults to false)` - If set to true, +Vault Agent will delete the token file after it has been read. + +## Example Configuration + +An example configuration, using the `token_file` method to enable [auto-auth](/docs/agent/autoauth), follows: + +```hcl +pid_file = "./pidfile" + +vault { + address = "https://127.0.0.1:8200" +} + +auto_auth { + method { + type = "token_file" + + config = { + token_file_path = "~/.vault-token" + } + } +} + + +cache { + use_auto_auth_token = true +} + +listener "tcp" { + address = "127.0.0.1:8100" + tls_disable = true +} + +template { + source = "/etc/vault/server.key.ctmpl" + destination = "/etc/vault/server.key" +} + +template { + source = "/etc/vault/server.crt.ctmpl" + destination = "/etc/vault/server.crt" +} +``` From a702e91e6829d0d1b4bc7579fda036e593604779 Mon Sep 17 00:00:00 2001 
From: VioletHynes Date: Fri, 20 Jan 2023 15:56:01 -0500 Subject: [PATCH 2/6] VAULT-12564 fix typo --- website/content/docs/agent/autoauth/methods/token_file.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/agent/autoauth/methods/token_file.mdx b/website/content/docs/agent/autoauth/methods/token_file.mdx index 8dc85c63f675..cf6b562ecaf0 100644 --- a/website/content/docs/agent/autoauth/methods/token_file.mdx +++ b/website/content/docs/agent/autoauth/methods/token_file.mdx @@ -44,7 +44,7 @@ auto_auth { } -cache { +api_proxy { use_auto_auth_token = true } From 7d4e77f44ac0e5c162c4b24b3be39081e9724476 Mon Sep 17 00:00:00 2001 From: VioletHynes Date: Fri, 20 Jan 2023 16:05:27 -0500 Subject: [PATCH 3/6] VAULT-12564 nav data --- website/data/docs-nav-data.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index ebc46f1624c6..83765ce0e23b 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -901,6 +901,10 @@ { "title": "Kubernetes", "path": "agent/autoauth/methods/kubernetes" + }, + { + "title": "Token File", + "path": "agent/autoauth/methods/token_file" } ] }, From be87eff22ae2cae147e5c6468f45029b27ec70ad Mon Sep 17 00:00:00 2001 From: VioletHynes Date: Tue, 24 Jan 2023 16:14:17 -0500 Subject: [PATCH 4/6] VAULT-12564 Add note, remove token file removal config --- website/content/docs/agent/autoauth/methods/token_file.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/agent/autoauth/methods/token_file.mdx b/website/content/docs/agent/autoauth/methods/token_file.mdx index cf6b562ecaf0..ae362bade061 100644 --- a/website/content/docs/agent/autoauth/methods/token_file.mdx +++ b/website/content/docs/agent/autoauth/methods/token_file.mdx 
@@ -4,6 +4,9 @@ page_title: Vault Agent Auto-Auth Token File Method description: Token File Method for Vault Agent Auto-Auth --- +~> Note: This authentication method is tailored for the development experience. +For production Agent installs, we recommend another authentication method. + # Vault Agent Auto-Auth Token File Method The `token_file` method reads in an existing, valid Vault token from a file, and uses that @@ -19,9 +22,6 @@ auto-auth method, such that Agent is issuing its own authentication requests to - `token_file_path` `(string: required)` - The path to the file with the token inside. This token cannot be a wrapping token. -- `remove_token_file_after_reading` `(bool: optional, defaults to false)` - If set to true, -Vault Agent will delete the token file after it has been read. - ## Example Configuration An example configuration, using the `token_file` method to enable [auto-auth](/docs/agent/autoauth), follows: From e676344ebb34f1749f41823a2e7a882084e63755 Mon Sep 17 00:00:00 2001 From: VioletHynes Date: Wed, 25 Jan 2023 08:52:13 -0500 Subject: [PATCH 5/6] VAULT-12564 stronger wording --- .../content/docs/agent/autoauth/methods/token_file.mdx | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/website/content/docs/agent/autoauth/methods/token_file.mdx b/website/content/docs/agent/autoauth/methods/token_file.mdx index ae362bade061..1bfd1d51c2f8 100644 --- a/website/content/docs/agent/autoauth/methods/token_file.mdx +++ b/website/content/docs/agent/autoauth/methods/token_file.mdx 
@@ -4,18 +4,19 @@ page_title: Vault Agent Auto-Auth Token File Method description: Token File Method for Vault Agent Auto-Auth --- -~> Note: This authentication method is tailored for the development experience. -For production Agent installs, we recommend another authentication method. - # Vault Agent Auto-Auth Token File Method +~> Note: This authentication method is tailored for the development experience, +and to facilitate getting started with Vault Agent. Vault Agent should never be configured to use +this auth method in a production environment. + The `token_file` method reads in an existing, valid Vault token from a file, and uses that token in lieu of authenticating itself. While it's a first class auto-auth method for all intents and purposes, it naturally doesn't authenticate itself, as it requires a token from elsewhere. Like other auto-auth methods, Agent will attempt to renew the token, as appropriate. This auto-auth method is especially useful when testing Vault Agent without needing to set up -any authentication methods in Vault. For long-running Agent processes, we'd recommend another +any authentication methods in Vault. For long-running Agent processes, we strongly recommend another auto-auth method, such that Agent is issuing its own authentication requests to Vault. ## Configuration From b5b7b2b98d23aa3e02568095b817187201787ba1 Mon Sep 17 00:00:00 2001 From: VioletHynes Date: Wed, 25 Jan 2023 10:54:58 -0500 Subject: [PATCH 6/6] VAULT-12564 auth -> auto-auth --- website/content/docs/agent/autoauth/methods/token_file.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/agent/autoauth/methods/token_file.mdx b/website/content/docs/agent/autoauth/methods/token_file.mdx index 1bfd1d51c2f8..7b4bfe311f1e 100644 --- a/website/content/docs/agent/autoauth/methods/token_file.mdx +++ b/website/content/docs/agent/autoauth/methods/token_file.mdx 
@@ -8,7 +8,7 @@ description: Token File Method for Vault Agent Auto-Auth ~> Note: This authentication method is tailored for the development experience, and to facilitate getting started with Vault Agent. Vault Agent should never be configured to use -this auth method in a production environment. +this auto-auth method in a production environment. The `token_file` method reads in an existing, valid Vault token from a file, and uses that token in lieu of authenticating itself. While it's a first class auto-auth method for all intents
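Review bot: the `cache` to `api_proxy` rename in approle.mdx (first hunk of patch 1) is unrelated to the token_file docs named in the subject line; split it into its own commit or mention it in the commit message so the approle example change is discoverable in history. Since the new token_file.mdx in the same patch copies the stale `cache { use_auto_auth_token = true }` stanza and patch 2 has to fix it again, check the other auto-auth method pages for the same stanza while you are at it.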
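Review bot: the example configuration in the new token_file.mdx (patch 1) sets `token_file_path = "~/.vault-token"`, but HCL does not expand `~`, so unless the method itself performs home-directory expansion that path is opened literally. Either use an absolute path in the example or state in the `token_file_path` description that `~` is expanded by Agent, so readers do not copy a path that only works in a shell.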
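Review bot: with `remove_token_file_after_reading` dropped (second hunk of patch 4), the Configuration section no longer says what happens to the token file after Agent reads it. The file holds a live Vault token in plaintext, so add a sentence that the file is left in place and should be readable only by the Agent user (for example mode 0600), and, if the method re-reads the file when the current token can no longer be renewed, document that as well so operators know how to rotate the token.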
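Review bot: the renewal sentence in the patch 5 hunk ("Agent will attempt to renew the token, as appropriate") leaves open what happens when the supplied token is not renewable, is a batch token, or reaches its max TTL. Unlike the other auto-auth methods, `token_file` has no credential of its own to re-authenticate with, so state explicitly whether Agent re-reads the file or stops serving, and that the token must be renewable for anything longer than a quick test. That caveat also backs up the production warning added in the same hunk.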
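Review bot: the patch 2 hunk only reverts the `cache` stanza that patch 1 copied into token_file.mdx, and patches 5 and 6 likewise rewrite the note introduced by patch 4 (which also sits above the page title in patch 4). Squash these fixups into their parent commits before merge so the history does not carry an example that uses the stale `cache` stanza or a note placed before the H1.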