amperity / vault-clj

Clojure client for Hashicorp's Vault secret management system.

Enable `vault.client.api-util/api-request` to support Agent-based authentication #63

Closed emilywoods closed 1 year ago

emilywoods commented 2 years ago

Vault Agent can be used to handle all of the Vault authentication for an application. This means that the application doesn’t manage its own Vault tokens, i.e. it can make API calls to Vault through the agent without having to retrieve a token beforehand, and the app doesn’t need to include the X-Vault-Token header in the request.

As far as I understand, since api-request checks that there is a token associated with the client and includes the X-Vault-Token header in the request, it does not support agent-based authentication.

It would be great if this was supported in api-request, and I believe it would be possible by making the following changes:

greglook commented 2 years ago

Neat, I hadn't looked into the Vault agent before - sounds like it handles many of the things that the client code is doing right now. In that case you'd just want this as a pass-through library, assuming that the agent presents an HTTP API that is otherwise similar to the one that you'd get on the Vault server. 🤔

emilywoods commented 2 years ago

> sounds like it handles many of the things that the client code is doing right now

The Agent can be used to handle authentication at least, so applications interacting with the Vault server via the client don't need to worry about this or managing a token. :)

> assuming that the agent presents an HTTP API that is otherwise similar to the one that you'd get on the Vault server

The Agent can be used as a proxy, which handles all authentication on behalf of the application. The client can interact with the Vault HTTP API as it is doing now, just without including the X-Vault-Token header.

Would you be open to receiving a PR which could allow vault.client.api-util/api-request to support this?
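
Added example, not part of the thread and not vault-clj's code: one way a client could choose request headers when it talks to a Vault Agent proxy instead of the Vault server. The function name `request-headers`, the `:agent?` flag, the client map keys and the loopback-only rule are all assumptions made for illustration; `X-Vault-Request` is the header Vault's official clients send and that an Agent listener can demand with `require_request_header`.

```clojure
(ns example.agent-request
  (:require [clojure.string :as str])
  (:import (java.net URI)))

;; Hypothetical helper: only literal loopback hosts count, so no DNS lookup
;; is needed and a remote host can never qualify by resolving oddly.
(defn- loopback?
  [url]
  (contains? #{"localhost" "127.0.0.1" "[::1]"}
             (some-> (URI. url) .getHost str/lower-case)))

(defn request-headers
  "Returns the headers for one Vault HTTP call.
  - With a token: send it as usual (direct-to-server mode).
  - Without a token: allowed only when the caller opted in with :agent?
    and the target is a loopback listener, because the agent will attach
    its own auto-auth token to anything that reaches it."
  [{:keys [api-url token agent?]}]
  (cond
    (not (str/blank? token))
    {"X-Vault-Request" "true"
     "X-Vault-Token"   token}

    (and agent? (loopback? api-url))
    {"X-Vault-Request" "true"}

    agent?
    (throw (ex-info "Tokenless requests are only sent to a loopback Vault Agent listener"
                    {:api-url api-url}))

    :else
    (throw (ex-info "Cannot call the Vault API without a token"
                    {:api-url api-url}))))

(comment
  ;; Constructed sample values.
  (request-headers {:api-url "http://127.0.0.1:8100" :agent? true})
  ;; agent mode: no X-Vault-Token header is produced

  (request-headers {:api-url "https://vault.example.internal:8200"
                    :token   "s.constructed-sample-token"})
  ;; direct mode: token header included

  (request-headers {:api-url "https://vault.example.internal:8200" :agent? true}))
  ;; throws: tokenless call to a non-loopback address is refused
```

The loopback restriction reflects that an agent proxying with its own token grants that token's privileges to every process able to reach the listener, so the listener address and `require_request_header` are the controls to review on the agent side.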