mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-14 02:27:02 +02:00
Code Issues Projects Releases Wiki Activity
415d260995
vault/website/content/docs/agent-and-proxy/autoauth/methods/cert.mdx
Jason Joo a5caf4e1cb
fix: cert auth method watches cert file change and NewCreds() notification (#28126) 
Signed-off-by: Jason Joo <hblzxsj@gmail.com>
2024-10-02 13:41:55 -04:00

45 lines
2.2 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Vault Auto-Auth Cert Method
description: Cert Method for Vault Auto-Auth
---
# Vault Auto-Auth cert method
The `cert` method uses the configured TLS certificates from the `vault` stanza of
the agent configuration and takes an optional `name` parameter. There is no option
to use certificates which differ from those used in the `vault` stanza.
It is strongly advised to provide TLS settings in the configuration stanza
within the auth method to avoid agent cache, if also enabled, from using the
same TLS settings when proxying requests. If TLS settings are not present in the
config stanza, Agent and Proxy will fall back to using TLS settings from their respective
[`vault` Stanzas](/vault/docs/agent-and-proxy/agent#vault-stanza).
## Configuration
- `name` `(string: optional)` - The trusted certificate role which should be used
when authenticating with TLS. If a `name` is not specified, the auth method will
try to authenticate against [all trusted certificates](/vault/docs/auth/cert#authentication).
- `ca_cert` `(string: optional)` - Path on the local disk to a single
PEM-encoded CA certificate to verify the Vault server's SSL certificate.
- `client_cert` `(string: optional)` - Path on the local disk to a single
PEM-encoded client certificate to use for cert auth method authentication.
- `client_key` `(string: optional)` - Path on the local disk to a single
PEM-encoded private key matching the client certificate from client_cert.
- `reload` `(bool: optional, default: false)` - If true, causes the local x509
key-pair to be reloaded from disk on each authentication attempt. This is useful
in situations where client certificates are short-lived and automatically renewed.
Note that `enable_reauth_on_new_credentials` for auto-auth will need to be additionally
enabled for immediate re-auth on a new certificate.
See [Auto-Auth Configuration](/vault/docs/agent-and-proxy/autoauth#configuration).
- `reload_period` `(duration: "1m", optional)` - The duration after which auto-auth
will check if there are any changes for the files that are configured through
`ca_cert`/`client_cert`/`client_key`. Defaults to `1m`.
Uses [duration format strings](/vault/docs/concepts/duration-format).
Reference in New Issue View Git Blame Copy Permalink