»Vault Agent Auto-Auth Kerberos Method
kerberos agent provides an automated mechanism to retrieve
a Vault token for Kerberos entities. It reads in configuration and
identification information from the surrounding environment, and uses
it to authenticate to Vault.
For more on this auth method, see the Kerberos auth method.
krb5conf_pathis the path to a valid
krb5.conffile describing how to communicate with the Kerberos environment.
keytab_pathis the path to the
keytabin which the entry lives for the entity authenticating to Vault. Keytab files should be protected from other users on a shared server using appropriate file permissions.
usernameis the username for the entry within the
keytabto use for logging into Kerberos. This username must match a service account in LDAP.
serviceis the service principal name to use in obtaining a service ticket for gaining a SPNEGO token. This service must exist in LDAP.
realmis the name of the Kerberos realm. This realm must match the UPNDomain configured on the LDAP connection. This check is case-sensitive.
disable_fast_negotiationis for disabling the Kerberos auth method's default of using FAST negotiation. FAST is a pre-authentication framework for Kerberos. It includes a mechanism for tunneling pre-authentication exchanges using armoured KDC messages. FAST provides increased resistance to passive password guessing attacks. Some common Kerberos implementations do not support FAST negotiation.