hashicorp · schavis · Nov 21, 2024 · Nov 20, 2024 · Nov 21, 2024 · Nov 21, 2024
@@ -1,32 +1,42 @@
 ---
 layout: docs
-page_title: Vault Agent and Vault Proxy Auto-Auth
-description: |-
-  Vault Agent and Vault Proxy's Auto-Auth functionality allows easy and automatic
+page_title: What is Auto-authentication?
+description: >-
+  Use auto-authentication with Vault Agent or Vault Proxy to simplify client
   authentication to Vault in a variety of environments.
 ---
 
-# Vault Agent and Vault Proxy Auto-Auth
+# What is Auto-authentication?
 
-The Auto-Auth functionality of Vault Agent and Vault Proxy allow for
-easy authentication in a wide variety of environments.
+Auto-authentication simplifies client authentication in a wide variety of
+environments. The following Vault tools come with auto-authentication built in:
 
-## Functionality
+- Vault Agent
+- Vault Proxy
 
-Auto-Auth consists of two parts: a Method, which is the authentication method
-that should be used in the current environment; and any number of Sinks, which
-are locations where the agent should write a token any time the current token
-value has changed.
+## Methods and sinks
 
-When Vault Agent or Vault Proxy are started with Auto-Auth enabled, it will attempt to acquire a
-Vault token using the configured Method. On failure, it will exponentially back
-off and then retry. On success, unless the auth method is configured to wrap
-the tokens, it will keep the resulting token renewed until renewal is no longer
-allowed. If renewal fails, the token has been revoked, the token has exceeded the maximum number of uses,
-or the token is an otherwise invalid value, it will attempt to reauthenticate.
+Auto-auth consists of two parts:
 
-Every time an authentication is successful, the token is written to the
-configured Sinks, subject to their configuration.
+- a **method** - the desired authentication method for the current environment
+- a **sink** - the location where tools save tokens when the token value changes
+
+When a supported tool starts with auto-auth enabled, the tool requests a Vault
+token using the configured method. If the request fails, the tool retries the
+request with an exponential back off.
+
+Once the request succeeds, the auth-auth renews unwrapped authentication tokens
+automatically until Vault denies the renewal. If the authentication method wraps
+tokens, auto-authentication cannot renew the token automatically.
+
+Vault typically denies renewal if the token:
+
+- the token was revoked.
+- the token has exceeded the maximum number of uses.
+- the token is otherwise invalid.
+
+Every time authentication succeeds, auto-auth writes the token to any
+appropriately configured sink.
 
 ## Advanced functionality
 
@@ -209,7 +219,7 @@ These configuration values are common to all Sinks:
 
 ### Auto auth examples
 
-Auto-Auth configuration objects take two separate forms when specified in HCL
+Auto-auth configuration objects take two separate forms when specified in HCL
 and JSON. The following examples are meant to clarify the differences between
 the two formats.
 

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth AliCloud Method
-description: AliCloud Method for Vault Auto-Auth
+page_title: Auto-auth with AliCloud
+description: >-
+  Use AliCloud for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault agent Auto-Auth AliCloud method
+# Auto-auth method: AliCloud
 
 The `alicloud` method performs authentication against the [AliCloud Auth
 method](/vault/docs/auth/alicloud).

@@ -1,10 +1,12 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth AppRole Method
-description: AppRole Method for Vault Auto-Auth
+page_title: Auto-auth with AppRole
+description: >-
+  Use application roles for auto-authentication with Vault Agent or
+  Vault Proxy
 ---
 
-# Vault Auto-Auth AppRole method
+# Auto-auth method: application roles (AppRole)
 
 The `approle` method reads in a role ID and a secret ID from files and sends
 the values to the [AppRole Auth

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth AWS Method
-description: AWS Method for Vault Auto-Auth
+page_title: Auto-auth with AWS
+description: >-
+  Use AWS for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault Auto-Auth AWS method
+# Auto-auth method: AWS
 
 The `aws` method performs authentication against the [AWS Auth
 method](/vault/docs/auth/aws). Both `ec2` and `iam`

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth Azure Method
-description: Azure Method for Vault Auto-Auth
+page_title: Auto-auth with Azure
+description: >-
+  Use Azure for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault Auto-Auth Azure method
+# Auto-auth method: Azure
 
 The `azure` method reads in Azure instance credentials and uses them to
 authenticate with the [Azure Auth

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth Cert Method
-description: Cert Method for Vault Auto-Auth
+page_title: Auto-auth with TLS certificates
+description: >-
+  Use TLS certificates for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault Auto-Auth cert method
+# Auto-auth method: TLS certificates
 
 The `cert` method uses the configured TLS certificates from the `vault` stanza of
 the agent configuration and takes an optional `name` parameter. There is no option

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth CF Method
-description: CF Method for Vault Auto-Auth
+page_title: Auto-auth with Cloud Foundry
+description: >-
+  Use Cloud Foundry (CF) for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault agent Auto-Auth CF method
+# Auto-auth method: Cloud Foundry (CF)
 
 The `cf` method performs authentication against the [CF Auth
 method](/vault/docs/auth/cf).

@@ -1,10 +1,12 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth GCP Method
-description: GCP Method for Vault Auto-Auth
+page_title: Auto-auth with GCP
+description: >-
+  Use Google Cloud Platform (GCP) for auto-authentication with Vault Agent or
+  Vault Proxy
 ---
 
-# Vault Auto-Auth GCP method
+# Auto-auth method: Google Cloud Platform (GCP)
 
 The `gcp` method performs authentication against the [GCP Auth
 method](/vault/docs/auth/gcp). Both `gce` and `iam`

@@ -1,10 +1,12 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth JWT Method
-description: JWT Method for Vault Auto-Auth
+page_title: Auto-auth with JSW
+description: >-
+  Use JSON web tokens (JSW) for auto-authentication with Vault Agent or Vault
+  Proxy
 ---
 
-# Vault Auto-Auth JWT method
+# Auto-auth method: JSON web tokens (JSW)
 
 The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
 method](/vault/docs/auth/jwt).

@@ -1,12 +1,11 @@
 ---
-layout: 'docs'
-page_title: 'Vault Auto-Auth Kerberos Method'
-sidebar_current: 'docs-agent-and-proxy-autoauth-methods-kerberos'
-description: |-
-  Kerberos Method for Vault Auto-Auth
+layout: docs
+page_title: Auto-auth with Kerberos
+description: >-
+  Use Kerberos for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault Auto-Auth Kerberos method
+# Auto-auth method: Kerberos
 
 The `kerberos` auto-auth method provides an automated mechanism to retrieve
 a Vault token for Kerberos entities. It reads in configuration and

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth Kubernetes Method
-description: Kubernetes Method for Vault Auto-Auth
+page_title: Auto-auth with Kubernetes
+description: >-
+  Use Kubernetes for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault Auto-Auth kubernetes method
+# Auto-auth method: Kubernetes
 
 The `kubernetes` method reads in a Kubernetes service account token from the
 running pod (via `/var/run/secrets/kubernetes.io/serviceaccount/token`) and

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth LDAP Method
-description: LDAP Method for Vault Auto-Auth
+page_title: Auto-auth with LDAP
+description: >-
+  Use LDAP for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault Auto-Auth LDAP Method
+# Auto-auth method: LDAP
 
 The `ldap` method reads in a password from a file and sends it to the [LDAP Auth
 method](/vault/docs/auth/ldap).

@@ -1,10 +1,12 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth OCI (Oracle Cloud Infrastructure) Method
-description: OCI (Oracle Cloud Infrastructure) Method for Vault Auto-Auth
+page_title: Auto-auth with OCI
+description: >-
+  Use Oracle Cloud Infrastructure (OCI) for auto-authentication with Vault Agent
+  or Vault Proxy
 ---
 
-# Vault Auto-Auth OCI (Oracle Cloud infrastructure) method
+# Auto-auth method: Oracle Cloud Infrastructure (OCI)
 
 The `oci` method performs authentication against the [OCI Auth
 method](/vault/docs/auth/oci).

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Auto-Auth Token File Method
-description: Token File Method for Vault Auto-Auth
+page_title: Auto-auth with token files
+description: >-
+  Use token files for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault Auto-Auth token file method
+# Auto-auth method: token file
 
 ~> Note: This authentication method is tailored for the development experience,
 and to facilitate getting started with Vault Agent and Vault Proxy. Vault Agent and

@@ -1,10 +1,11 @@
 ---
 layout: docs
-page_title: Vault Agent and Vault Proxy Auto-Auth File Sink
-description: File sink for Auto-Auth
+page_title: Auto-auth with file sinks
+description: >-
+  Use file sinks for auto-authentication with Vault Agent or Vault Proxy
 ---
 
-# Vault agent and Vault proxy Auto-Auth file sink
+# Auto-auth sink: File
 
 The `file` sink writes tokens, optionally response-wrapped and/or encrypted, to
 a file. This may be a local file or a file mapped via some other process (NFS,

@@ -1,12 +1,12 @@
 ---
 layout: docs
-page_title: Vault Agent and Vault Proxy
-description: |-
-  Vault Agent and Vault Proxy are daemons that can be used to perform some Vault
-  functionality automatically.
+page_title: Why use Agent or Proxy?
+description: >-
+  Use Vault tools like Agent and Proxy to simplify secret fetching and add Vault
+  to your development environment with minimal client code updates.
 ---
 
-# Vault Agent and Vault Proxy
+# Why use Agent or Proxy?
 
 A valid client token must accompany most requests to Vault. This
 includes all API requests, as well as via the Vault CLI and other libraries.