Client vs. Agent

I have used “Vault -server - dev” with a local client. From what I understand, the client needs a URL to connect to the server. So I have a question. Since my client can access the server through a URL (some web API), why would I need an agent? I know the agent keeps synchronized with the server, negociates keys and stuff, but then the client accesses the server directly right and everything is synchronized there, right? So what’s the benefit of using an agent over a direct client?

Vault is primarily intended as a secrets management solution for application secrets (i.e you need your server to grab the secret without human involvement). The ability for developers to interact directly is a nice bonus.

The agent is a convenient way to establish and maintain an authenticated session to the Vault instance. Additionally the agent can pull down secrets and renew secret leases to keep them valid using HCL configuration files.

You do not need to use the agent, however it is provided for scenarios where your application cannot be updated to interact with Vault directly (e.g. using one of the available API libraries).

Thanks Jeff! But still if I use a client process (I mean I call Vault.exe with some argument, like “vault read database/creds/VaultDynamicRole” and then I parse STDOUT to get my answer) while I have set a remote URL like “Set VAULT_ADDR=http://MyVaultServer:8200”, 1) I will get the same answer as with an agent local and synchronized, right? and 2) Is there any difference as to the encryption of data over the network?

You’ll get the same response back, the difference is agent will handle any lease renewals or re-retrieval of secrets for you (in the even the lease hits its max) or the authenticated session expires.

When using the command above it’s a point-in-time retrieval. If you want to renew the lease you’ll have to run another command such as vault lease renew database/creds/VaultDynamicRole/<lease_id> to keep the credential alive. Or if the TTL has fully expired you’ll need to re-request with your original command. Also, keep in mind, with certain secrets if your authenticated session expires your checked out secret will be revoked as a result. So in addition to keeping the secret leases up to date you’ll need to keep your authenticated session live as well. This is all stuff the agent handles for you.

Encryption should be the same, provided you’re using an HTTPS connection to your Vault instance. Depending on your configuration you may need to provide the agent with your Vault instance’s CA public cert to establish trust - but if you don’t need to do that with the regular vault commands you shouldn’t need to with the agent either.