I have been going through the various learn guides. For Vault in particular, there are a few pages discussing setting up the client agent, but with Consul and Nomad all having Vault integration, it’s not super clear to me what the agent should be used for.
Sure. Well, let’s suppose you’re using the AWS auth engine, and you have some application that needs creds from the login endpoint. Perhaps your application is in Python, or perhaps it’s in Go, but it’s still difficult to write the code around the iam_request_body field. You have two main options - you can either write some code on your end that hits the endpoint, or you can use the Vault agent.
The agent can be configured to hit various auth endpoints for you, and just push a token out to a file for your application to use. The idea is that it’ll be much easier to implement using Vault to authenticate applications, if the agent takes care of most of the work for you. Instead of writing a bunch of code to generate a correct iam_request_body and call Vault, responding to various potential error codes, all your application has to do is look in a local file for a token.
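The application side of the pattern described in the answer above, as an added example that is not part of the original thread or HashiCorp's code: the application reads the token the agent wrote to its file sink, refuses a sink that is a symlink, not a regular file, or accessible to other users, and attaches the token to a Vault API request. The sink path, Vault address, secret path and token value are constructed for illustration.

```python
import os
import stat
import tempfile
import urllib.request


class TokenNotReady(Exception):
    """Vault Agent has not written a usable token to the sink yet."""


def read_sink_token(path):
    """Return the token from the agent's file sink, refusing unsafe files."""
    try:
        # O_NOFOLLOW: do not follow a symlink planted at the sink path.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except FileNotFoundError:
        raise TokenNotReady(f"{path} not written yet") from None
    with os.fdopen(fd) as fh:
        mode = os.fstat(fh.fileno()).st_mode
        if not stat.S_ISREG(mode):
            raise PermissionError(f"{path} is not a regular file")
        if mode & 0o007:
            raise PermissionError(f"{path} is accessible to other users")
        token = fh.read().strip()
    if not token:
        raise TokenNotReady(f"{path} is empty")
    return token


def vault_request(addr, api_path, sink_path):
    """Build a Vault API request; the sink is re-read on every call because
    the agent rewrites the file whenever it obtains a new token."""
    url = f"{addr.rstrip('/')}/v1/{api_path.lstrip('/')}"
    token = read_sink_token(sink_path)
    return urllib.request.Request(url, headers={"X-Vault-Token": token})


if __name__ == "__main__":
    # Constructed sample: a temp file stands in for the agent's sink.
    with tempfile.TemporaryDirectory() as d:
        sink = os.path.join(d, "vault-token")
        with open(sink, "w") as fh:
            fh.write("hvs.CONSTRUCTED-EXAMPLE-TOKEN\n")
        os.chmod(sink, 0o640)
        req = vault_request("http://127.0.0.1:8200", "secret/data/app", sink)
        print(req.full_url, req.get_header("X-vault-token"))
```

`TokenNotReady` is the case to retry with a short backoff at startup, since the agent may still be authenticating; a `PermissionError` should stop the application instead.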
That makes sense. It might be worth a note or callout earlier in the Vault Learn guides that explains the integration patterns in the Nomad and Consul agents vs external client agent.