Saturday, 13 Jul 2024

Vault Agent – Secrets as Environment Variables


Consul Template and Envconsul have been widely used by Vault practitioners to integrate Vault into their existing solutions. Vault 1.3.0 introduced the Vault Agent Template feature, which provides the same workflow as Consul Template. Vault 1.14 introduced the process supervisor mode, which retrieves secrets from Vault and presents them to a child process as environment variables, using Consul Template markup to select the values.


To complete this tutorial, you will need:

  • Vault binary version 1.14.0 or later.

Lab Setup

Setup Test Secrets

  1. In your terminal, clone the learn-vault-agent-envconsul repository, which contains the example configuration used in this tutorial.
  2. Explore the repository by changing directories. The folder includes the following files.
  3. Run the script. This script enables kv-v2 secrets engine at web-team/ and dev-app/ paths and creates initial test data. It also configures PKI secrets engine to generate certificates, which you will leverage in later sections.
  4. Read the secrets created at web-team/data/api-keys.
  5. Read the secrets created at dev-app/data/creds.
  6. Read the secrets created at dev-app/data/creds/database/db-admin.

Generate a Vault Agent Config File

Vault Agent introduced the generate-config subcommand to auto-generate the agent configuration file based on the user input.



Run the generate-config Subcommand

The generate-config subcommand generates a Vault Agent configuration file named agent-config.hcl in the current working directory. If your application needs to pull secrets from multiple paths, you can provide multiple -path options as well as wildcards (*).

  1. Generate a Vault Agent configuration file named agent-config.hcl and pass the as the command to execute.
  2. Open the generated configuration file with your preferred text editor to examine. The auto_auth stanza is using token_file as a placeholder. You can change the stanza to use the desired auth method.

Process Supervisor Mode

Each generated env_template block maps to a secret key of a KV path that you passed in the command. The exec block sets the script as the command for Vault Agent to execute. Open and examine the file. It reads secrets as environment variables. This application does not need to know about Vault.

Start a Vault Agent

Start a Vault Agent instance that connects to the Vault server running at VAULT_ADDR.

  1. Start a Vault Agent.

Restarts on Secrets Change

The secret values could change while your application is running. Examine the behavior when the secret values change.

  1. Add sleep 100 in the to mock a long-running application.
  2. Edit the file to set the static_secret_render_interval to 10 seconds for the purpose of demonstration. This makes Vault Agent pull the secrets every 10 seconds.
  3. Start the Vault Agent again.
  4. Open another terminal and connect to the target Vault server.
  5. Update the secret values at web-team/data/api-keys.
  6. Return to the terminal where Vault Agent is running and watch the output.
  7. Press Ctrl + C to stop the running Vault Agent.
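The following agent configuration is an added example, not the agent-config.hcl from the tutorial repository. It shows the shape of the file that `vault agent generate-config -type="env-template"` produces (the auto_auth, vault, template_config, env_template and exec stanzas described in the process supervisor section) with the 10-second static_secret_render_interval used in the restart steps above already applied. The token file path, the secret key names api_key and api_secret, and the script name app.sh are assumptions; replace them with the values from your own repository.

```hcl
# Added example: Vault Agent process supervisor configuration.
# Assumed values: token file path, key names api_key/api_secret, script app.sh.

auto_auth {
  method {
    # generate-config emits token_file as a placeholder auth method;
    # swap in approle, kubernetes, etc. for real deployments.
    type = "token_file"
    config {
      token_file_path = "/home/user/.vault-token" # assumed path
    }
  }
}

vault {
  address = "http://127.0.0.1:8200" # or leave unset and rely on VAULT_ADDR
}

template_config {
  # How often static (KV) secrets are re-read. The generated default is 5m;
  # 10s is the demonstration value from the restart-on-change steps.
  static_secret_render_interval = "10s"

  # Stop the agent (and so the child process) if Vault stays unreachable,
  # instead of letting the application run with stale values indefinitely.
  exit_on_retry_failure = true
}

# One env_template per secret key. The block label is the environment
# variable name the child process sees; the Consul Template markup in
# `contents` selects the key from the kv-v2 path (note .Data.data for kv-v2).
env_template "API_KEY" {
  contents             = "{{ with secret \"web-team/data/api-keys\" }}{{ .Data.data.api_key }}{{ end }}"
  error_on_missing_key = true # fail the render rather than export an empty variable
}

env_template "API_SECRET" {
  contents             = "{{ with secret \"web-team/data/api-keys\" }}{{ .Data.data.api_secret }}{{ end }}"
  error_on_missing_key = true
}

exec {
  # The application. It only reads API_KEY / API_SECRET from its environment
  # and never talks to Vault itself.
  command = ["./app.sh"]

  # "always": when a rendered value changes, the child is stopped with
  # restart_stop_signal and started again with the new environment.
  # "never" leaves the running process untouched.
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
```

Start it with `vault agent -config=agent-config.hcl`. With the 10-second interval, an update to web-team/data/api-keys is picked up on the next render; because error_on_missing_key is set, removing a key from the secret makes the render fail instead of silently handing the application an empty value, which is the behaviour you want for credentials.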

Work with Dynamic Secrets

Currently, the generate-config subcommand only supports the kv-v1 and kv-v2 secrets engines. However, Vault Agent's process supervisor mode supports the same dynamic secrets that Envconsul supports today. The difference is that you have to define the env_template blocks manually.

  1. The script configured the PKI secrets engine, so it is ready to issue certificates.
  2. (Optional) Request a certificate.
  3. Open the pki-agent-config.hcl to examine the env_template block it defines.
  4. Open the file to review. This mock application gets a certificate stored in the CERT environment variable. Similar to the, this application does not need to know anything about Vault.
  5. Run a Vault Agent with an additional env_template definition.
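The block below is an added example of a hand-written env_template for a dynamic secret; it is not the pki-agent-config.hcl from the repository. It is meant to be loaded next to the base agent configuration with a second -config flag (`vault agent -config=agent-config.hcl -config=pki-agent-config.hcl`) and uses the Consul Template `secret` function with extra key=value arguments, which performs a write to the issue endpoint so that every render obtains a freshly issued certificate. The mount path pki, the role name example-dot-com, the common name and the TTL are assumptions; use the values your setup script configured.

```hcl
# Added example: dynamic PKI secret exposed as the CERT environment variable.
# Assumed values: mount path "pki", role "example-dot-com", common_name, ttl.

# `secret` with additional "key=value" arguments issues a certificate from
# pki/issue/<role>. .Data.certificate holds the leaf certificate in PEM;
# the same response also carries .Data.private_key and .Data.issuing_ca.
env_template "CERT" {
  contents             = "{{ with secret \"pki/issue/example-dot-com\" \"common_name=app.example.com\" \"ttl=1h\" }}{{ .Data.certificate }}{{ end }}"
  error_on_missing_key = true
}

# If the application needs the matching private key as well, render it from
# the same template call rather than a second `secret` call: two separate
# issue requests would produce two unrelated certificate/key pairs. The
# bundle below keeps certificate and key from one issuance together.
env_template "CERT_BUNDLE" {
  contents             = "{{ with secret \"pki/issue/example-dot-com\" \"common_name=app.example.com\" \"ttl=1h\" }}{{ .Data.certificate }}\n{{ .Data.private_key }}{{ end }}"
  error_on_missing_key = true
}
```

Because the certificate is a lease-bound dynamic secret, the agent re-renders it ahead of expiry and, with restart_on_secret_changes = "always" in the exec stanza, restarts the child so it never runs with an expired certificate; the application itself still needs no Vault token or client library, exactly as with the KV variables.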

Clean Up


You learned how to use the generate-config subcommand and the process supervisor mode to consume secrets presented as environment variables. Vault Agent handles authentication and secret retrieval, so your application can remain unaware of Vault. This lowers the barrier to adopting Vault and keeps your applications secure.

Frequently Asked Questions


Help and Reference