Generate a Vault Agent development configuration file

Use the Vault CLI to create a basic development configuration file to run Vault Agent in process supervisor mode.

Development configuration files include an auto_auth section that reference a token file based on the Vault token used to authenticate the CLI command. Token files are convenient for local testing but are not appropriate for in production. Always use a robust auto-authentication method in production.

Assumptions

You have set up a kv v2 plugin.
Your authentication token has read permissions for the kv v2 plugin.

Use vault agent generate-config to create a development configuration file with environment variable templates:

$ vault agent generate-config
    -type "env-template"                                \
    -exec "<path_to_child_process> <list_of_arguments>" \
    -namespace "<plugin_namespace>"                     \
    -path "<mount_path_to_kv_plugin_1>"                 \
    -path "<mount_path_to_kv_plugin_2>"                 \
    ...
    -path "<mount_path_to_kv_plugin_N>"                 \
    <config_file_name>

For example:

$ vault agent generate-config             \
         -type="env-template"             \
         -exec="./payment-app 'wf-test'"  \
         -namespace="testing"             \
         -path="shared/dev/*"             \
         -path="private/ci/integration"   \
         agent-config.hcl

Successfully generated "agent-config.hcl" configuration file!
Warning: the generated file uses 'token_file' authentication method, which is not suitable for production environments.

The configuration file includes env_template entries for each key stored at the explicit paths and any key encountered while recursing through paths ending with /*. Template keys have the form <final_path_segment>_<key_name>.

For example:

auto_auth {

  method {
    type = "token_file"

    config {
      token_file_path = "/home/<username>/.vault-token"
    }
  }
}

template_config {
  static_secret_render_interval = "5m"
  exit_on_retry_failure         = true
  max_connections_per_host      = 10
}

vault {
  address = "http://192.168.0.1:8200"
}

env_template "SQUARE_API_PROD" {
  contents             = "{{ with secret \"shared/data/dev/square-api\" }}{{ .Data.data.prod }}{{ end }}"
  error_on_missing_key = true
}
env_template "SQUARE_API_SANDBOX" {
  contents             = "{{ with secret \"shared/data/dev/square-api\" }}{{ .Data.data.sandbox }}{{ end }}"
  error_on_missing_key = true
}
env_template "SQUARE_API_SMOKE" {
  contents             = "{{ with secret \"shared/data/dev/square-api\" }}{{ .Data.data.smoke }}{{ end }}"
  error_on_missing_key = true
}
env_template "SEEDS_SEED1" {
  contents             = "{{ with secret \"shared/data/dev/seeds\" }}{{ .Data.data.seed1 }}{{ end }}"
  error_on_missing_key = true
}
env_template "SEEDS_SEED2" {
  contents             = "{{ with secret \"shared/data/dev/seeds\" }}{{ .Data.data.seed2 }}{{ end }}"
  error_on_missing_key = true
}
env_template "DEV_POSTMAN" {
  contents             = "{{ with secret \"private/data/ci/integration\" }}{{ .Data.data.postman }}{{ end }}"
  error_on_missing_key = true
}

exec {
  command                   = ["./payment-app", "'wf-test'"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}