Vault Agent and Proxy#
A valid client token must accompany most requests to Vault. This applies to direct API requests as well as requests made through the Vault CLI and client libraries. Vault clients must therefore authenticate with Vault first to acquire a token, and Vault provides several authentication methods for obtaining this initial token.
Once a client holds a token, every subsequent request is authorized on the basis of the trust established by that successful authentication. In practice this means a client application must call the Vault API to authenticate, store the token it receives, and keep that token valid by renewing it before its TTL expires (or re-authenticating when it cannot be renewed).
Building this into an application requires code changes, additional maintenance, and testing to make sure the client token is retrieved, protected and managed correctly. That may be acceptable for a small number of applications that need strict, customized control, but it does not scale well across a large fleet of applications.
Introducing Vault Agent and Vault Proxy#
Vault Agent and Vault Proxy aim to remove this initial hurdle to adopting Vault by giving applications a simpler and more scalable way to integrate with it. Vault Agent can authenticate on the application's behalf, fetch secrets and deliver them to the application (for example by rendering them into files). Vault Proxy sits between the application and Vault as an API proxy, optionally attaching its own auto-auth token to the application's requests and caching responses.
The capabilities of Vault Agent and Vault Proxy are compared in the table below:
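The following Vault Agent configuration, added here as an illustration and not taken from the Vault documentation, shows the auto-auth and templating features described above. The Vault address, AppRole mount, file paths, the `secret/data/myapp/db` KV path, the `myapp` service name and the secret field names are all assumed placeholders.

```hcl
# Example Vault Agent configuration (added illustration; paths and names are placeholders).
# The agent logs in with AppRole, keeps the token renewed, and renders a KV secret
# into a file the application reads. The application never talks to Vault directly.

pid_file = "/run/vault/agent.pid"

vault {
  # Assumed Vault server address.
  address = "https://vault.example.com:8200"
}

auto_auth {
  # Auto-Auth: Agent performs the login and renews the resulting token for the app.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      # role_id and secret_id are delivered out of band (e.g. by the orchestrator);
      # keep them readable only by the agent's user.
      role_id_file_path   = "/etc/vault/role_id"
      secret_id_file_path = "/etc/vault/secret_id"
      # Remove the secret_id once consumed so a compromised host cannot reuse it.
      remove_secret_id_file_after_reading = true
    }
  }

  # Sink: optionally write the token to disk for other local tooling.
  # Omit this stanza if nothing on the host needs the raw token.
  sink "file" {
    config = {
      path = "/run/vault/agent-token"
      mode = 0600
    }
  }
}

template {
  # Templating: render the KV v2 secret at secret/data/myapp/db into an env file.
  # Agent re-renders the file when the secret changes and runs `command` afterwards.
  contents    = <<-EOT
    {{- with secret "secret/data/myapp/db" -}}
    DB_USERNAME={{ .Data.data.username }}
    DB_PASSWORD={{ .Data.data.password }}
    {{- end }}
  EOT
  destination = "/run/secrets/myapp/db.env"
  perms       = "0600"
  command     = "systemctl reload myapp"
}
```

Start it with `vault agent -config=agent.hcl`. Two checks worth making on a real deployment: confirm the rendered file and the token sink are owned by the agent's user with mode 0600, and verify that the AppRole's policy grants only `read` on the exact KV paths the templates reference, since every secret the agent can read is available to whatever can read its output files.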
Note
Although Vault Agent can be used as an API proxy, it is HIGHLY RECOMMENDED not to use Vault Agent for this purpose, as that capability will soon be deprecated. Use Vault Proxy instead.
| Capability | Vault Agent | Vault Proxy |
|---|---|---|
| Auto-Auth to authenticate with Vault | | |
| Run as a Windows Service | | |
| Caching the newly created tokens and leases | | |
| Templating to render user-supplied templates | | |
| Process Supervisor for injecting secrets as environment variables into a process | | |
| API Proxy to act as a proxy for Vault API | | |
| Static secret caching for KV secrets | | |
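For the API-proxy and caching side, the following Vault Proxy configuration is an added illustration and is not the Vault documentation's own example. The Vault address, AppRole mount, file paths and the local listener port are assumed placeholders.

```hcl
# Example Vault Proxy configuration (added illustration; paths and names are placeholders).
# The application sets VAULT_ADDR to the local listener and makes ordinary Vault API
# calls; the proxy authenticates, attaches its token, caches responses and forwards.

pid_file = "/run/vault/proxy.pid"

vault {
  # Assumed Vault server address.
  address = "https://vault.example.com:8200"
}

auto_auth {
  # Auto-Auth: the proxy logs in with AppRole and renews the resulting token.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault/role_id"
      secret_id_file_path = "/etc/vault/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
}

api_proxy {
  # "force" replaces any token the client sends with the auto-auth token, so the
  # application needs no Vault credentials at all. Consequence: anything that can
  # reach the listener acts with the proxy's identity, so the listener must not be
  # exposed beyond the local host (see below).
  use_auto_auth_token = "force"
  # Send requests with the consistency header so reads after a write on a
  # performance standby are not served stale data.
  enforce_consistency = "always"
}

cache {
  # Caches tokens and leases created through the proxy, and (Proxy only) static
  # KV secrets, with Vault-side capability checks refreshed on the given interval.
  cache_static_secrets = true
  static_secret_token_capability_refresh_interval = "5m"
}

listener "tcp" {
  # Loopback only: TLS is disabled because the traffic never leaves the host.
  # Never bind this to a non-loopback address with use_auto_auth_token enabled.
  address     = "127.0.0.1:8100"
  tls_disable = true
}
```

Start it with `vault proxy -config=proxy.hcl` and point the application at it with `VAULT_ADDR=http://127.0.0.1:8100`; the application then reads secrets with the normal API (for example `GET /v1/secret/data/myapp/db`) without holding a token of its own. Because `use_auto_auth_token = "force"` turns the listener into an ambient credential, treat the proxy like a local metadata service: restrict it to loopback, consider a Unix socket listener with a restrictive `socket_mode` on multi-user hosts, and scope the AppRole policy to the minimum paths the application needs.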