mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-26 00:51:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
75 lines
2.4 KiB
Plaintext
75 lines
2.4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Auto-auth with token files
|
|
description: >-
|
|
Use token files for auto-authentication with Vault Agent or Vault Proxy.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Auto-auth method: token file
|
|
|
|
<Note>
|
|
|
|
This authentication method is tailored for the development experience,
|
|
and to facilitate getting started with Vault Agent and Vault Proxy. Vault Agent and
|
|
Vault Proxy should never be configured to use this auto-auth method in a production environment.
|
|
|
|
</Note>
|
|
|
|
The `token_file` method reads in an existing, valid Vault token from a file, and uses that
|
|
token in lieu of authenticating itself. While it's a first class auto-auth method for all intents
|
|
and purposes, it naturally doesn't authenticate itself, as it requires a token from elsewhere. Like
|
|
other auto-auth methods, this method will attempt to renew the token, as appropriate.
|
|
|
|
This auto-auth method is especially useful when testing Vault Agent or Vault Proxy without needing to set up
|
|
any authentication methods in Vault. For long-running Agent or Proxy processes, we strongly recommend another
|
|
auto-auth method, such that Agent and Proxy are issuing their own own authentication requests to Vault.
|
|
|
|
## Configuration
|
|
|
|
- `token_file_path` `(string: required)` - The path to the file with the token inside. This token cannot be a wrapping token.
|
|
|
|
## Example configuration
|
|
|
|
An example configuration for Vault Agent, using the `token_file` method to enable [auto-auth](/vault/docs/agent-and-proxy/autoauth), follows:
|
|
|
|
```hcl
|
|
pid_file = "./pidfile"
|
|
|
|
vault {
|
|
address = "https://127.0.0.1:8200"
|
|
}
|
|
|
|
auto_auth {
|
|
method {
|
|
type = "token_file"
|
|
|
|
config = {
|
|
token_file_path = "/home/username/.vault-token"
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
api_proxy {
|
|
use_auto_auth_token = true
|
|
}
|
|
|
|
listener "tcp" {
|
|
address = "127.0.0.1:8100"
|
|
tls_disable = true
|
|
}
|
|
|
|
template {
|
|
source = "/etc/vault/server.key.ctmpl"
|
|
destination = "/etc/vault/server.key"
|
|
}
|
|
|
|
template {
|
|
source = "/etc/vault/server.crt.ctmpl"
|
|
destination = "/etc/vault/server.crt"
|
|
}
|
|
```
|