Using json agent config

shawn wilson

Aug 23, 2019, 12:33:02 PM
to vault...@googlegroups.com
I've been successful in using json as a config format for the vault server (and there are quite a few documented examples of this online) however I've been unable to do the same (or find examples) for the agent config. I /think/ I've already gotten the same error about "at most one "auto_auth" block is allowed".

Can someone provide a working example of an agent json config file?

Becca Petrin

Aug 23, 2019, 12:58:30 PM
to Vault
Hi Shawn,

Would you be willing to post one of the configs you've tried so far that's closest to what you're attempting to do? Any sensitive values redacted, of course. 

-Becca

shawn wilson

Aug 26, 2019, 11:11:25 AM
to vault...@googlegroups.com
Here's what I have (pretty sure hcl -> json is more verbose but that was giving the same thing so...):

{
  "pid_file": "/var/run/vault-agent.pid",
  "auto_auth": {
    "method": {
      "aws": {
        "config": {
          "header_value": "foo",
          "role": "bar",
          "type": "iam"
        }
      }
    },
    "sink": {
      "file": {
        "config": {
          "path": "/path/to/vault-token"
        }
      }
    }
  },
  "vault": {
    "address": "https://foo:8200"
  }
}


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/2b2e9b6a-5c61-4383-bffa-df9317009b86%40googlegroups.com.

Hamish Forbes

Aug 27, 2019, 8:54:23 AM
to Vault
I've also just spent all morning wrestling with this.
auto_auth JSON configuration is particularly confusing; the rest of the agent config maps pretty cleanly from the HCL examples/docs.

Here is an example of a working auto_auth config object in JSON:

"auto_auth": {
    "method": [
        {
            "config": {
                "role_id_file_path": "/etc/vault/role_id",
                "secret_id_file_path": "/etc/vault/role_secret"
            },
            "type": "approle"
        }
    ],
    "sinks": [
        {
            "sink": {
                "config": {
                    "path": "/tmp/whatever.token"
                },
                "type": "file"
            }
        }
    ]
}


It would be nice if method mapped to a single object (as in Shawn's example in this thread) given there can only be one method anyway.
Sinks should probably map to an array of sink objects rather than an array of objects with sink as the only key, which in turn contains the sink object. Very confusing.

At the least it would be good to have a working example JSON configuration on the docs site somewhere! :)

Worth creating an Issue for this on GitHub?

Becca Petrin

Aug 27, 2019, 12:50:02 PM
to Vault
It's definitely worth an issue on GitHub! We're always improving our docs. It's one thing to write them as the person who wrote a feature and is intimately connected with it, and it's another thing to read it as a person who's newly familiarizing themselves with it. There will always be things we inadvertently leave out and it's very helpful to identify those things in places like this forum and to improve the docs as we go.

Plus there are Vault contributors who love to pick up docs issues as a way to get their feet wet with contributing to Vault.

Becca Petrin

Aug 27, 2019, 12:52:47 PM
to Vault
Shawn,

Also, once you edit your config to be more like Hamish's (thank you Hamish), it might also help to run it through https://jsonlint.com/ to make sure it's properly formatted. I use it all the time, though I never put sensitive values in there because you never know if they're being recorded somewhere.

-B
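
A local alternative to an online linter for the check suggested above, added here as an example (it is not part of the original posts and is not Vault's own parser): it parses the config on the machine that holds it and compares auto_auth against the shape this thread reports as working. The function names and sample values are constructed for illustration, and the shape rule is an assumption taken from the working example in this thread.

```python
import json

def _check_block(block, where):
    """A method or sink body needs a string "type" and an object "config"."""
    if not isinstance(block, dict):
        return [f"{where} must be an object"]
    out = []
    if not isinstance(block.get("type"), str):
        out.append(f'{where} needs a string "type"')
    if not isinstance(block.get("config"), dict):
        out.append(f'{where} needs an object "config"')
    return out

def check_agent_config(text):
    """Return a list of problems; an empty list means the shape matches."""
    try:
        cfg = json.loads(text)  # syntax check happens locally, nothing leaves the host
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    auto = cfg.get("auto_auth") if isinstance(cfg, dict) else None
    if not isinstance(auto, dict):
        return ["auto_auth must be a single JSON object"]
    problems = []
    method = auto.get("method")
    if not isinstance(method, list) or len(method) != 1:
        problems.append("auto_auth.method must be an array holding exactly one object")
    else:
        problems += _check_block(method[0], "auto_auth.method[0]")
    if "sink" in auto:
        problems.append('auto_auth.sink found; the working example uses "sinks"')
    sinks = auto.get("sinks")
    if not isinstance(sinks, list) or not sinks:
        problems.append("auto_auth.sinks must be a non-empty array")
        return problems
    for i, wrapper in enumerate(sinks):
        where = f"auto_auth.sinks[{i}]"
        if not isinstance(wrapper, dict) or list(wrapper) != ["sink"]:
            problems.append(f'{where} must be an object whose only key is "sink"')
        else:
            problems += _check_block(wrapper["sink"], where + ".sink")
    return problems

# Constructed samples: WORKING follows the array form, NESTED the keyed-by-type form.
WORKING = ('{"auto_auth": {"method": [{"type": "approle", "config": {}}], "sinks": '
           '[{"sink": {"type": "file", "config": {"path": "/tmp/example.token"}}}]}}')
NESTED = ('{"auto_auth": {"method": {"aws": {"config": {"type": "iam"}}}, '
          '"sink": {"file": {"config": {"path": "/tmp/example.token"}}}}}')

if __name__ == "__main__":
    for name, sample in (("WORKING", WORKING), ("NESTED", NESTED)):
        print(name, check_agent_config(sample) or "ok")
```
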

Hamish Forbes

Aug 28, 2019, 8:15:59 AM
to Vault

shawn wilson

Aug 28, 2019, 2:57:33 PM
to vault...@googlegroups.com
Yes with the example, I got mine to work in a few minutes - thanks
