Rendering the Vault Agent token in the Template process

I have a use case such that my Prometheus server needs a vault token in order to hit the vault metrics endpoint. That token needs to be in the prometheus.yaml file before prometheus starts up.

I’m wondering, is there a way to run the vault agent, and in the template rendering process, can I write out the vault token to the destination file? Is there template syntax that allows me to do that?

Any help is much appreciated!

1 Like

I had the same question and issue yesterday. A coworker showed me the following:

{{ with secret "auth/token/lookup-self" -}}
{{ .Data.id }}
{{ end -}}

This secret is also available using the vault cli:

vault read /auth/token/lookup-self
1 Like

Amazing! Thanks so much that’s very helpful.

You can have it write to a sink file, encrypted or plain text via: Vault Agent Auto-Auth File Sink | Vault by HashiCorp