vHSM Proxy
Learn about using Proxy for authentication, caching, and secure communication to streamline vHSM adoption.
vHSM Proxy simplifies application integration with vHSM by acting as an API proxy. It offers authentication, caching, and secure communication to streamline vHSM adoption.
vHSM Proxy provides the following key features:
Auto-Auth: Automatically authenticates to vHSM and manages token renewal.
API Proxy: Acts as a proxy for vHSM's API, optionally enforcing Auto-Auth token usage.
Caching: Enables client-side caching of tokens and leased secrets, managing renewals automatically.
Features
Auto-Auth
vHSM Proxy supports automatic authentication in diverse environments. Auto-Auth functionality is configured using an auto_auth stanza. See Auto-Auth documentation for details.
API Proxy
vHSM Proxy serves as an API gateway to vHSM, allowing communication via a listener. It can be configured to enforce Auto-Auth token usage. Configure API Proxy behavior using the api_proxy stanza. See API Proxy documentation for more details.
Caching
vHSM Proxy enables client-side caching of authentication tokens and leased secrets. Configuration is managed via the cache stanza. See Caching documentation for details.
API Endpoints
Quit API
Triggers shutdown of the proxy. Disabled by default; enable it using the proxy_api stanza.
Method:
POSTPath:
/proxy/v1/quitSecurity Consideration: Should only be enabled on trusted interfaces as it lacks authentication.
Cache API
For cache API details, refer to the Caching documentation.
Start a vHSM Proxy
Install the vHSM binary on the application server (VM, Kubernetes pod, etc.).
Create a vHSM Proxy configuration file
proxy-config.hclorproxy-config.json. See Example configuration.Start vHSM Proxy with the configuration file:
vhsm proxy -config=/etc/vhsm/proxy-config.hclTo display help options:
vhsm proxy -h
Command Options
Option
Description
-log-level (string: "info")
Sets the log verbosity level. Supported values (in descending detail): trace, debug, info, warn, and error. Can also be set via the VAULT_LOG_LEVEL environment variable.
-log-format (string: "standard")
Sets the log format. Supported values: standard and json. Can also be set via the VAULT_LOG_FORMAT environment variable.
-log-file
Writes all Vault proxy log messages to a file. The value is used as a prefix for the log file name, and the current timestamp is appended. If the path ends with a separator, vault-proxy is appended. If no extension is given, .log is appended. Example: /var/log/ becomes /var/log/vault-proxy-{timestamp}.log. Can be used with -log-rotate-bytes and -log-rotate-duration.
-log-rotate-bytes
Specifies the number of bytes to write to a log file before rotation occurs. If not specified, there is no size limit.
-log-rotate-duration
Specifies the maximum time duration a log file is written to before rotation. Must be a valid duration (e.g., 30s). Defaults to 24h.
-log-rotate-max-files
Specifies the maximum number of archived log files to retain. Defaults to 0 (no files are deleted). Set to -1 to discard old logs when new ones are created.
Configuration File Usage
Provide a single configuration file.
Specify multiple configuration files (merged at runtime).
Define a directory of configuration files (merged at runtime).
Example configuration
pid_file = "./pidfile"
vault {
address = "https://vault.example.com:8200"
retry {
num_retries = 5
}
}
auto_auth {
method "aws" {
mount_path = "auth/aws-subaccount"
config = {
type = "iam"
role = "foobar"
}
}
sink "file" {
config = {
path = "/tmp/token-file"
}
}
}
cache {}
api_proxy {
use_auto_auth_token = true
}
listener "unix" {
address = "/path/to/socket"
tls_disable = true
agent_api {
enable_quit = true
}
}
listener "tcp" {
address = "127.0.0.1:8100"
tls_disable = true
}Last updated
Was this helpful?