Enable `vault.client.api-util/api-request` to support Agent-based authentication
Closed this issue · 2 comments
Vault Agent can be used to handle all of the Vault authentication for an application. This means that the application doesn’t manage its own Vault tokens i.e. it can make API calls to Vault through the agent without having to retrieve a token beforehand, and the app doesn’t need to include the X-Vault-Token
header in the request.
As far as I understand, since api-request
checks that there is a token associated with the client and includes the X-Vault-Token
header in the request, it does not support agent-based authentication.
It would be great if this was supported in api-request
, and I believe it would be possible by making the following changes:
- The client authentication check could be made optional
- The
X-Vault-Token
header would be set only if there is a token associated with the client
Neat, I hadn't looked into the Vault agent before - sounds like it handles many of the things that the client code is doing right now. In that case you'd just want this as a pass-through library, assuming that the agent presents an HTTP API that is otherwise similar to the one that you'd get on the Vault server. 🤔
sounds like it handles many of the things that the client code is doing right now
The Agent can be used to handle authentication at least, so applications interacting with the Vault server via the client don't need to worry about this or managing a token. :)
assuming that the agent presents an HTTP API that is otherwise similar to the one that you'd get on the Vault server
The Agent can be used as a proxy, which handles all authentication on behalf of the application. The client can interact with the Vault HTTP API as it is doing now, just without including the X-Vault-Token
header.
Would you be open to receiving a PR which could allow vault.client.api-util/api-request
to support this?