A developer team requests integration of their legacy application with Vault to encrypt and decrypt data for a backend database. They cannot modify the application for Vault authentication. What is the best way to achieve this integration?
A.
Enable the Transit secrets engine and configure the secrets engine to send data directly to the legacy app
B.
Have the app team call the Vault API to encrypt and decrypt the required data
C.
Enable and configure the Kubernetes auth method to allow the application to authenticate to Vault using a JWT
D.
Run the Vault Agent on the application server(s) and use the Auto Auth feature to manage the tokens
Vault Agent with Auto-Auth is the recommended option for a legacy application that cannot be modified to authenticate to Vault itself. The Vault documentation states:
"Legacy applications often suffer from the ability to integrate with modern platforms such as Vault. To assist with this, you can use the Vault Agent to authenticate and manage a Vault token automatically. The token is written to a sink (local file) that the application can pick up and use. The Vault Agent Auto Auth feature will manage the lifecycle of the token to ensure there is always a valid token that the application can use."
—Vault Agent Auto Auth
D: Correct. The Agent logs in to Vault on the application's behalf (for example with AppRole) and keeps a valid, renewed token in the sink file, so the application can call the Transit secrets engine to encrypt and decrypt database data without implementing any Vault authentication. If the application cannot even be changed to read the token and attach it to requests, the Agent's API proxy listener with use_auto_auth_token enabled injects the token for it, so the application only needs to send plain Vault API requests to the local Agent.
"Running the Vault Agent on the application server(s) and utilizing the Auto Auth feature is the best way to integrate Vault with the legacy application."
—Vault Agent Auto Auth
A: Incorrect. Transit is encryption as a service: clients send plaintext or ciphertext to it over the API and receive the result. It does not push data to an application, and this option does not address authentication at all.
B: Incorrect. Calling the Vault API directly requires the application to authenticate and manage its own token, which is exactly the modification the team said it cannot make.
C: Incorrect. The Kubernetes auth method still requires the application (or something acting for it) to present a service account JWT to Vault, and nothing in the question says the application runs on Kubernetes.
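The following Vault Agent configuration is an added example illustrating the answer above; it is not taken from the question, from this page, or from the Vault documentation. The Vault address, the AppRole credential file paths, the sink path, the local listener port 8100, the policy name and the Transit key name legacy-db are all assumed values chosen for illustration. The Agent authenticates with AppRole, writes the token to a file sink, and also runs an API proxy on localhost that attaches the auto-auth token to any request that arrives without one, so the legacy application only has to call http://127.0.0.1:8100/v1/transit/encrypt/legacy-db and the matching decrypt endpoint.

```hcl
# Example only (not the page's or HashiCorp's configuration).
# File 1: /etc/vault-agent/agent.hcl
# Assumed: Vault address, credential file paths, sink path and listener port.

pid_file = "/run/vault-agent/agent.pid"

vault {
  # Assumed address of the Vault cluster.
  address = "https://vault.example.com:8200"
}

auto_auth {
  # AppRole login performed by the Agent, not by the legacy application.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # Delete the SecretID after use so it cannot be replayed from disk.
      remove_secret_id_file_after_reading = true
    }
  }

  # The token is written here and kept valid; an application that can
  # read a file may use it as X-Vault-Token directly.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0640
    }
  }
}

# For applications that cannot attach a token themselves: the Agent's API
# proxy adds the auto-auth token to requests that arrive without one.
api_proxy {
  use_auto_auth_token = true
}

# Listen only on loopback; TLS is disabled because the Agent sits on the
# same host as the application. Traffic from the Agent to Vault stays TLS.
listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}

# File 2: legacy-app.hcl (assumed policy name), attached to the AppRole.
# Grants only the Transit operations the application needs, for one key.
# Key name "legacy-db" is assumed for illustration.
#
#   path "transit/encrypt/legacy-db" {
#     capabilities = ["update"]
#   }
#   path "transit/decrypt/legacy-db" {
#     capabilities = ["update"]
#   }
```

The policy should be written to its own file (shown above as a comment so the example stays a single Agent config) and attached to the AppRole that issues the role_id and secret_id; the application's token then cannot read other secrets or manage the Transit key. With this in place the application sends its plaintext as base64 in the standard Transit request body to the local listener and receives vault:v1:... ciphertext back, with the Agent handling login, renewal and re-authentication.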
References:
Vault Agent Auto Auth
Vault Secrets: Transit