Vault Agent - only allow local requests, but keep TLS

I only want requests to Vault Agent from the local host. In the Vault Agent config, I could set the listener address to “localhost,” but that breaks TLS because it doesn’t match the domain name on the certificate.

How can I allow only local requests, while keeping TLS working?

I suppose you could define a custom name in the machine’s /etc/hosts file that is also associated with the loopback IP address, and issue a TLS certificate for that custom name - and then set the listener address to localhost.

Or you could just not use TLS. It’s not clear to me that TLS is an effective protection against adversaries already in a position to intercept localhost traffic.
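The /etc/hosts approach from the reply above, written out as an added example (not from the thread or from the Vault project). The listener's bind address is not what TLS verifies: the client checks the certificate against the name in the URL it dials, so the listener can sit on loopback while clients connect by the certificate's name. The hostname, port and file paths are assumed placeholders.

```hcl
# Vault Agent config fragment (added example; all names and paths are placeholders).
#
# 1. /etc/hosts maps the certificate's name to the loopback address:
#      127.0.0.1   vault-agent.example.internal
#
# 2. The certificate in tls_cert_file carries that name as a DNS
#    subjectAltName entry.

listener "tcp" {
  # Bind to loopback only, so the socket is unreachable from other hosts.
  # "localhost:8100" works here as well; the bind address does not need
  # to match the certificate.
  address       = "127.0.0.1:8100"

  tls_disable   = false
  tls_cert_file = "/etc/vault-agent/tls/agent.crt"
  tls_key_file  = "/etc/vault-agent/tls/agent.key"
}

# 3. Clients dial the name, not "localhost", so hostname verification
#    matches the certificate:
#      VAULT_ADDR=https://vault-agent.example.internal:8100
#      VAULT_CACERT=/etc/vault-agent/tls/ca.crt
```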

Using an agent and having TLS on loopback makes no sense.

If someone who wants to “peek” at the data is on the machine, they have access to the agent directly, they don’t need to snoop on the connection.

This is also meaningless, but if you just need the data to not be transmitted in the clear, even locally, then use wrapped tokens – which sort of defeats the purpose of having an agent, as the application will have to communicate with Vault to unwrap – but that’s something at least.