Vault config - json vs hcl schema

Server Configuration | Vault by HashiCorp mentions that JSON or HCL can be used to configure Vault, and documents the HCL schema. For example, to configure Consul as the storage backend, the config might look like this:

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

Then, in rare examples where VAULT_LOCAL_CONFIG is used to configure Vault on Docker, JSON might be used to configure Consul as a backend:

{
  "backend": {
    "consul": {
      "address": "http://consul:8500"
    }
  }
}

I cannot find any official documentation at all that addresses this marked difference in schema. How is one supposed to infer, from the documented HCL schema, what the equivalent JSON is?

You shouldn’t get confused about the “backend” stanza in your configuration example. At some point/version, backend was renamed to storage, as you can see in my link.

Hope that will help you out.

Just found a second example:

Oh. That explains the difference. Excellent insight. Thanks.

Have you found any examples of the agent JSON schema?

The agent config test fixtures only have HCL versions of various configs so there’s nothing I can crib from.

After some trial & error I was able to come up with this (still fails):

{
  "auto_auth": {
    "method": {
        "type": "aws",
        "config": {
          "role": "arn:aws:iam::1337:role/my-app",
          "type": "iam"
        },
        "mount_path": "auth/aws"
    },
    "sinks": [{
        "type": "file",
        "config": {
          "path": "/dev/shm/.vault-token"
        }
    }]
  },
  "cache": {
    "use_auto_auth_token": true,
    "force_auto_auth_token": true
  },
  "listener": [{
    "tcp": {
      "address": "127.0.0.1:8100",
      "tls_disable": true
    }
  }]
}

Specifically, it fails with Error creating file sink: 'path' not specified for file sink. I looked through config.go to see how it might be parsing the sinks block, but I cannot find where the error is being emitted.

For reference, I’m testing this with Vault 1.6.3 and using the official Docker container. Like such: docker run -it -e VAULT_LOCAL_CONFIG=... vault:1.6.3 vault agent -config=/vault/config/local.json

Sigh. I figured it out. But I admit, I do not quite understand it. Vault’s error message suggested it read my configured sink, but I think it was just falling back to a default.

The correct form is:

{
   "auto_auth": {
       "sink": [{ ... }]
   ...
}
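
An added example, not part of the thread and not Vault's own code: a pre-flight check for the two naming traps discussed above, the old top-level "backend" name and the "sinks" key under auto_auth. The key sets are taken only from this thread and are not Vault's full schema; the sample configs are constructed from the ones posted here.

```python
import json

# Key names come from this thread only; this is not Vault's full schema.
RENAMED_TOP_LEVEL = {"backend": "storage"}   # rename mentioned in the reply
AUTO_AUTH_KEYS = {"method", "sink"}          # "sink", not "sinks"

# Constructed samples, trimmed from the configs posted in the thread.
FAILING = ('{"auto_auth": {"method": {"type": "aws"}, "sinks": '
           '[{"type": "file", "config": {"path": "/dev/shm/.vault-token"}}]}}')
FIXED = FAILING.replace('"sinks"', '"sink"')
LEGACY = '{"backend": {"consul": {"address": "http://consul:8500"}}}'


def lint_vault_json(text):
    """Return a list of findings for a Vault server/agent JSON config."""
    cfg = json.loads(text)
    findings = []

    for old, new in RENAMED_TOP_LEVEL.items():
        if old in cfg:
            findings.append(f'top-level "{old}" is the old name; use "{new}"')

    auto_auth = cfg.get("auto_auth")
    if isinstance(auto_auth, dict):
        # A misspelled key is the failure mode in the thread: the intended
        # sink settings never reach the agent.
        for key in sorted(set(auto_auth) - AUTO_AUTH_KEYS):
            hint = ' (did you mean "sink"?)' if key == "sinks" else ""
            findings.append(f'auto_auth: unexpected key "{key}"{hint}')

        sinks = auto_auth.get("sink", [])
        if isinstance(sinks, dict):  # a single block may be a bare object
            sinks = [sinks]
        for i, sink in enumerate(sinks):
            path = sink.get("config", {}).get("path")
            if sink.get("type") == "file" and not path:
                findings.append(f"auto_auth.sink[{i}]: file sink has no config.path")
    return findings


if __name__ == "__main__":
    for name, sample in (("failing", FAILING), ("fixed", FIXED), ("legacy", LEGACY)):
        print(name, lint_vault_json(sample) or "ok")
```
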