Closed in0rdr closed 5 months ago
This sounds like a good idea. We should consider not using port 8200 for the listener
stanza, since this will mostly be installed on the same machine as vault itself.
We should not use the `listener` stanza with the `vault agent` command anymore, rather, we can implement it with `vault proxy`, see https://developer.hashicorp.com/vault/docs/agent-and-proxy#introduce-vault-agent-and-vault-proxy-to-the-workflow.
Also, I've opted for a unix socket implementation in #12 instead of the tcp socket. This is a bit more cumbersome when it comes to file permissions (the agent is started as `vault` user), but we can always do another Ansible variable to implement both later on.
Consider using the auto-auth token for authentication: https://www.vaultproject.io/docs/agent/caching
This requires amending the Vault Agent with a `listener` stanza. Afterwards, the backup job would no longer connect to the Vault server, but rather connect to the Vault Agent with `use_auto_auth_token = true` to reuse the same token.
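As an added example (not from this issue or the project's Ansible role), this is what a Vault Proxy configuration combining the two comments looks like: a `listener` on a unix socket instead of TCP port 8200, and `use_auto_auth_token = true` so the backup job never handles the token itself. The approle mount, credential file paths, socket path and `backup` group are assumptions.

```hcl
# Vault Proxy configuration (example, not the project's own).
# The proxy runs as the `vault` user on the same host as the backup job.

vault {
  # Assumed address of the real Vault server.
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # Assumed approle mount and credential files, readable only by `vault`.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-proxy/role_id"
      secret_id_file_path = "/etc/vault-proxy/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }
  # No sink: the token stays in proxy memory and is never written to disk.
}

api_proxy {
  # Attach the auto-auth token to proxied requests that carry none.
  # "force" would also override tokens supplied by the client.
  use_auto_auth_token = true
}

listener "unix" {
  # Unix socket instead of tcp/8200: no network exposure, access is
  # controlled by file permissions. Anyone who can write to this socket
  # acts with the auto-auth token's policies, so keep the group tight.
  address      = "/run/vault-proxy/proxy.sock"
  socket_mode  = "0660"
  socket_user  = "vault"
  socket_group = "backup"   # assumed group of the backup job's user
}

# The backup job (member of `backup`) talks to the socket, not to Vault:
#   curl --unix-socket /run/vault-proxy/proxy.sock \
#        http://localhost/v1/secret/data/backup
# No X-Vault-Token header is needed; the proxy injects the auto-auth token.
```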