Can Vault agent fetch data key from transit secret engine backend key?

I have a running vault server, I enabled transit secret engine and created a vault transit secret backend_key through terraform.

resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"

resource "vault_transit_secret_backend_key" "transit_key" {
  backend = vault_mount.transit.path
  name    = "test-pagination-key"
  type    = "chacha20-poly1305"

I am able to see the generated backend key in vault UI
enter image description here

Post the creation of this key, I need to go inside key actions and select datakey and select plaintext key and hit “create datakey” to fetch the backend key in plain text format.

enter image description here

enter image description here

I need the data key inside helm chart for my application to make use of it.

How to fetch that data key through the vault agent???, I can use the annotations in the deployment object like

      annotations: "true" "update" "transit/test-pagination-key"

But the data key is not stored directly inside the vault as key value pair, we have to generate the datakey in plain text as shown in the images above.

How can I fetch the data key in plain text from transit backend key??

references There is an API call I can see from vault documentation, Document

sample request
curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \

sample response
  "data": {
    "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
    "ciphertext": "vault:v1:abcdefgh"

or there is an alternate cli call, sample below

vault write -f transit/datakey/plaintext/orders

Key            Value
---            -----
ciphertext     vault:v6:muu3qQr8beEnEpCoi3225rCe60V2abzjWy7MC7+1XE5pl7JX4RM+7o65+sly0wwG1HEJaUstEhwVhBro
key_version    6
plaintext      JGrAH+uy+iuYfqIf0DtMBCYc/x7PYQ3NFKkF8+hsFqo=

How can I make this API call or CLI call using the vault agent ??

Kindly gimme some path to proceed forward in this issue

Vault agent uses consul-template for rendering the secrets.

It’s possible to create a PUT/POST request instead of a GET. See the relevant documentation here.

Additionally, you can set the Vault agent annotation value to true to make the agent write its token to /vault/secrets/token, which your Pod can use to run any other vault commands it may need (depending on the policy assigned to the token by the authenticating role).

Lastly, there are other agents that offer first-class support for on-the-fly transit encryption/decryption.