Rendering the Vault Agent token in the Template process

rmcdonald · May 26, 2021, 12:44pm

I have a use case such that my Prometheus server needs a vault token in order to hit the vault metrics endpoint. That token needs to be in the prometheus.yaml file before prometheus starts up.

I’m wondering, is there a way to run the vault agent, and in the template rendering process, can I write out the vault token to the destination file? Is there template syntax that allows me to do that?

Any help is much appreciated!

bobvanderlinden · May 27, 2021, 10:54am

I had the same question and issue yesterday. A coworker showed me the following:

{{ with secret "auth/token/lookup-self" -}}
{{ .Data.id }}
{{ end -}}

This secret is also available using the vault cli:

vault read /auth/token/lookup-self

rmcdonald · May 27, 2021, 11:44am

Amazing! Thanks so much that’s very helpful.

mikegreen · May 27, 2021, 6:22pm

You can have it write to a sink file, encrypted or plain text via: Vault Agent Auto-Auth File Sink | Vault by HashiCorp