Vault
Vault Auto-Auth cert method
The cert
method uses the configured TLS certificates from the vault
stanza of
the agent configuration and takes an optional name
parameter. There is no option
to use certificates which differ from those used in the vault
stanza.
It is strongly advised to provide TLS settings in the configuration stanza
within the auth method to avoid agent cache, if also enabled, from using the
same TLS settings when proxying requests. If TLS settings are not present in the
config stanza, Agent and Proxy will fall back to using TLS settings from their respective
vault
Stanzas.
Configuration
name
(string: optional)
- The trusted certificate role which should be used when authenticating with TLS. If aname
is not specified, the auth method will try to authenticate against all trusted certificates.ca_cert
(string: optional)
- Path on the local disk to a single PEM-encoded CA certificate to verify the Vault server's SSL certificate.client_cert
(string: optional)
- Path on the local disk to a single PEM-encoded client certificate to use for cert auth method authentication.client_key
(string: optional)
- Path on the local disk to a single PEM-encoded private key matching the client certificate from client_cert.reload
(bool: optional, default: false)
- If true, causes the local x509 key-pair to be reloaded from disk on each authentication attempt. This is useful in situations where client certificates are short-lived and automatically renewed. Note thatenable_reauth_on_new_credentials
for auto-auth will need to be additionally enabled for immediate re-auth on a new certificate. See Auto-Auth Configuration.reload_period
(duration: "1m", optional)
- The duration after which auto-auth will check if there are any changes for the files that are configured throughca_cert
/client_cert
/client_key
. Defaults to1m
. Uses duration format strings.