Skip to main content

OpenBao proxy API proxy

OpenBao Proxy's API Proxy functionality allows you to use OpenBao Proxy's API as a proxy for OpenBao's API.

Functionality

The listener stanza for OpenBao Proxy configures a listener for OpenBao Proxy. If its role is not set to metrics_only, it will act as a proxy for the OpenBao server that has been configured in the vault stanza of Proxy Agent. This enables access to the OpenBao API from the Proxy API, and can be configured to optionally allow or force the automatic use of the Auto-Auth token for these requests, as described below.

If a listener has been configured alongside a cache stanza, the API Proxy will first attempt to utilize the cache subsystem for qualifying requests, before forwarding the request to OpenBao. See the caching docs for more information on caching.

Using Auto-Auth token

OpenBao Proxy allows for easy authentication to OpenBao in a wide variety of environments using Auto-Auth. By setting the use_auto_auth_token (see below) configuration, clients will not be required to provide an OpenBao token to the requests made to the Agent. When this configuration is set, if the request doesn't already bear a token, then the auto-auth token will be used to forward the request to the OpenBao server. This configuration will be overridden if the request already has a token attached, in which case, the token present in the request will be used to forward the request to the OpenBao server.

Forcing Auto-Auth token

OpenBao Proxy can be configured to force the use of the auto-auth token by using the value force for the use_auto_auth_token option. This configuration overrides the default behavior described above in Using Auto-Auth Token, and instead ignores any existing OpenBao token in the request and instead uses the auto-auth token.

Configuration (api_proxy)

The top level api_proxy block has the following configuration entries:

  • use_auto_auth_token (bool/string: false) - If set, the requests made to Agent without an OpenBao token will be forwarded to the OpenBao server with the auto-auth token attached. If the requests already bear a token, this configuration will be overridden and the token in the request will be used to forward the request to the OpenBao server. If set to "force" Agent will use the auto-auth token, overwriting the attached OpenBao token if set.

Example configuration

Here is an example of a listener configuration alongside api_proxy configuration to force the use of the auto_auth token and enforce consistency.

# Other OpenBao proxy configuration blocks
# ...

api_proxy {
  use_auto_auth_token = "force"
}

listener "tcp" {
    address = "127.0.0.1:8100"
    tls_disable = true
}