From 5e42f9a8d3b6a8bab2cc20c4b50f53793b03e663 Mon Sep 17 00:00:00 2001 From: Violet Hynes Date: Wed, 28 Feb 2024 10:28:51 -0500 Subject: [PATCH] VAULT-24385 docs updates for proxy static secret caching -> ent (#25677) * VAULT-24385 docs updates for proxy static secret caching -> ent * VAULT-24385 we -> you --- changelog/23621.txt | 2 +- .../proxy/caching/static-secret-caching.mdx | 16 +++++++++++----- website/data/docs-nav-data.json | 7 ++++++- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/changelog/23621.txt b/changelog/23621.txt index 0db83bd2df..2af5f337e6 100644 --- a/changelog/23621.txt +++ b/changelog/23621.txt @@ -1,3 +1,3 @@ ```release-note:feature -**Vault Proxy Static Secret Caching**: Adds support for static secret (KVv1 and KVv2) caching to Vault Proxy. +**Vault Proxy Static Secret Caching (enterprise)**: Adds support for static secret (KVv1 and KVv2) caching to Vault Proxy. ``` diff --git a/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx b/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx index 3a16a1a9b9..3a2595ddb3 100644 --- a/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx +++ b/website/content/docs/agent-and-proxy/proxy/caching/static-secret-caching.mdx 
@@ -8,19 +8,25 @@ description: |- # Vault Proxy static secret caching +@include 'alerts/enterprise-only.mdx' + Use static secret caching with Vault Proxy to cache KVv1 and KVv2 secrets to minimize requests made to Vault and provide resilient connections for clients. +Vault Proxy utilizes the Enterprise only [Vault event notification system](/vault/docs/concepts/events) +feature for cache freshness. As a result, static secret caching can only be used +with Vault Enterprise installations. + ## Step 1: Subscribe Vault Proxy to KV events Vault Proxy uses Vault events and auto-auth to monitor secret status and make appropriate cache updates. 1. Enable [auto-auth](/vault/docs/agent-and-proxy/autoauth). 1. Create an auto-auth token with permission to subscribe to KV event updates -with the [Vault event system](/vault/docs/concepts/events). For example, to -create a policy that grants access to static secret (KVv1 and KVv2) events, -we need permission to subscribe to the `events` endpoint, as well as the -`list` and `subscribe` permissions on KV secrets we want to get secrets +with the [Vault event notification system](/vault/docs/concepts/events). For +example, to create a policy that grants access to static secret (KVv1 and KVv2) +events, you need permission to subscribe to the `events` endpoint, as well as +the `list` and `subscribe` permissions on KV secrets you want to get secrets from: ```hcl path "sys/events/subscribe/kv*" { 
@@ -80,7 +86,7 @@ success `GET` request. If the request is successful, Proxy caches the fact that the token was successful in addition to the result. Subsequent requests by the same token can then access this secret from the cache instead of Vault. -Vault Proxy uses the [event system](/vault/docs/concepts/events) to keep the +Vault Proxy uses the [event notification system](/vault/docs/concepts/events) to keep the cache up to date. It monitors the KV event feed for events related to any secret currently stored in the cache, including modification events like updates and deletes. When Proxy detects a change in a cached secret, it will update or diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index e325c8abc6..62548139ac 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1198,7 +1198,12 @@ }, { "title": "Static Secret Caching", - "path": "agent-and-proxy/proxy/caching/static-secret-caching" + "path": "agent-and-proxy/proxy/caching/static-secret-caching", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + } }, { "title": "Persistent Caching",
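Review bot: In changelog/23621.txt the new qualifier is written lowercase as "(enterprise)", while the rest of this patch writes "Enterprise only", "Vault Enterprise installations" and a nav badge of "ENTERPRISE". Consider capitalizing it as "(Enterprise)" so that the release note matches the product name used in the docs change that ships with it.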
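Review bot: In the first static-secret-caching.mdx hunk, the added paragraph reads "utilizes the Enterprise only [Vault event notification system] feature". The compound modifier should be hyphenated ("Enterprise-only"), and "uses" would match the verb used later on the same page ("Vault Proxy uses the [event notification system]"). The paragraph also states the restriction without saying what an operator sees when static secret caching is configured against a non-Enterprise cluster; one sentence on that would help. In the reworded step, "on KV secrets you want to get secrets from" is still awkward; something like "on the KV paths you want Proxy to cache" reads more clearly and makes it plainer that the `list` and `subscribe` grants should be scoped to those paths only.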
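Review bot: In the second static-secret-caching.mdx hunk (@@ -80,7 +86,7), the replaced line now runs well past the wrap width of the surrounding paragraph, because "notification" was added without reflowing. Rewrap it so that "to keep the" moves to the next line. The link text here is "[event notification system]", while the earlier hunk uses "[Vault event notification system]" for the same target; pick one form for both.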