API-Based Setup for Vault Agent Authentication (Without Vault CLI)

Applies to Alation Cloud Service instances of Alation

Available on the Deluxe, Enterprise, and Enterprise+ plans only for Alation Cloud Service

Applies from version 2026.4.1.0

If you do not have access to the Vault CLI on your HashiCorp Vault server, you can perform all of the Vault-side setup for Vault Agent authentication by calling the HashiCorp Vault HTTP API directly. This topic lists the equivalent curl commands for each Vault-side subsection in Step 1: Configure the AWS Auth Method in HashiCorp Vault of Configure Vault Agent Authentication for HashiCorp Vault.

Note

You must have a Vault token that belongs to a user with sufficient admin privileges (typically a token whose policies allow managing auth methods, ACL policies, and roles under sys/auth, sys/policies/acl, and auth/aws). All requests below pass this token in the X-Vault-Token header. Replace <VAULT_ADDR> with the base URL of your Vault server (for example, https://vault.example.com:8200) and <VAULT_TOKEN> with your admin token. Because the token appears on the command line, run these commands from a shell whose history is not shared, or export it as a variable so the literal value does not land in your history.

Write requests return 204 No Content on success; read requests return 200 with a JSON body. Any other status indicates failure, and the response body contains an errors array that explains why.

Enable the AWS Auth Method

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  --request POST \
  --data '{"type":"aws"}' \
  <VAULT_ADDR>/v1/sys/auth/aws

A 400 response with the error "path is already in use at aws/" indicates that the AWS auth method is already enabled on the aws/ path; you can continue with the next subsection.

To verify that the AWS auth method is enabled:

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  <VAULT_ADDR>/v1/sys/auth

Look for aws/ in the response body.

Configure the AWS Client for Vault

If your Vault server runs on an AWS compute service with an IAM role attached, Vault uses that role's credentials automatically and you only need to configure the replay-attack protection header. The value you set here must match the value the Vault Agent sends in the X-Vault-AWS-IAM-Server-ID header (its header_value setting); logins that send a different value are rejected.

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  --request POST \
  --data '{
    "iam_server_id_header_value": "vault.example.com"
  }' \
  <VAULT_ADDR>/v1/auth/aws/config/client

If your Vault server runs outside AWS or needs explicit AWS credentials, supply an access key pair. Vault stores these credentials in its storage backend, so use a dedicated, least-privilege IAM user rather than a personal or shared key:

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  --request POST \
  --data '{
    "access_key": "<AWS_ACCESS_KEY>",
    "secret_key": "<AWS_SECRET_KEY>",
    "iam_server_id_header_value": "vault.example.com"
  }' \
  <VAULT_ADDR>/v1/auth/aws/config/client

Configure Cross-Account Access (Optional)

Skip this subsection if the Alation Agent and your Vault server run in the same AWS account. Otherwise, register the role that Vault assumes in the Alation Agent's account when it verifies logins; that role's trust policy must allow Vault's AWS identity to assume it.

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  --request POST \
  --data '{
    "sts_role": "arn:aws:iam::<OTHER_AWS_ACCOUNT_ID>:role/vault-verify-role"
  }' \
  <VAULT_ADDR>/v1/auth/aws/config/sts/<OTHER_AWS_ACCOUNT_ID>

Create a Vault Policy (Optional)

Skip this subsection if you already have a Vault policy that grants read access to the secrets Alation needs. You can reuse an existing policy when you create the Vault role in the next subsection.

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  --request POST \
  --data '{
    "policy": "path \"secret/data/alation/*\" {\n  capabilities = [\"read\", \"list\"]\n}\n\npath \"database/creds/alation\" {\n  capabilities = [\"read\"]\n}\n"
  }' \
  <VAULT_ADDR>/v1/sys/policies/acl/alation-agent-policy

Adjust the paths inside the policy field to match the secrets engines and secret locations you want Alation to read from. The policy field is an HCL document embedded as a JSON string, so every double quote inside it is escaped as \" and every line break as \n. For a KV version 2 secrets engine, read operations go through secret/data/... but list operations go through secret/metadata/...; grant list on the metadata path if Alation needs to enumerate secrets, and omit it if it only reads known paths.

Create a Vault Role

For AWS IAM auth:

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  --request POST \
  --data '{
    "auth_type": "iam",
    "bound_iam_principal_arn": ["arn:aws:iam::<CUSTOMER_AWS_ACCOUNT_ID>:role/<ALATION_AGENT_IAM_ROLE>"],
    "policies": ["alation-agent-policy"],
    "token_ttl": "1h",
    "token_max_ttl": "4h"
  }' \
  <VAULT_ADDR>/v1/auth/aws/role/alation-agent-role

For AWS EC2 auth:

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  --request POST \
  --data '{
    "auth_type": "ec2",
    "bound_account_id": ["<CUSTOMER_AWS_ACCOUNT_ID>"],
    "bound_vpc_id": ["<VPC_ID>"],
    "bound_iam_instance_profile_arn": ["arn:aws:iam::<CUSTOMER_AWS_ACCOUNT_ID>:instance-profile/<ALATION_AGENT_INSTANCE_PROFILE>"],
    "policies": ["alation-agent-policy"],
    "token_ttl": "1h",
    "token_max_ttl": "4h"
  }' \
  <VAULT_ADDR>/v1/auth/aws/role/alation-agent-ec2-role

Replace "alation-agent-policy" in the policies array with the name of the policy (or multiple policies) that grants access to the secrets Alation needs to read. Use the policy you created in the previous subsection, or any existing policy of your choice.

Verify the Role

Replace <ROLE_NAME> with the role name you used when you created the role — for example, alation-agent-role (AWS IAM auth) or alation-agent-ec2-role (AWS EC2 auth):

curl --header "X-Vault-Token: <VAULT_TOKEN>" \
  <VAULT_ADDR>/v1/auth/aws/role/<ROLE_NAME>

The response body contains the role's configuration. Check that the bindings (bound_iam_principal_arn for IAM auth, or the account, VPC, and instance profile bindings for EC2 auth), the policy names, and the TTLs match what you sent.
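The subsections above are one procedure, and on a re-run the first call returns 400 while every other failure should stop the script. The following shell script, added here as an example and not Alation's or HashiCorp's code, performs the IAM-auth variant of the whole sequence through the HTTP API with status-code checks, escapes the policy from plain HCL instead of hand-escaping it, and verifies the role at the end. VAULT_ADDR, VAULT_TOKEN, IAM_SERVER_ID, and AGENT_ROLE_ARN are assumed environment variables; the policy and role names are the ones used on this page.

```shell
#!/bin/sh
# Added example: Vault-side setup for the Alation Agent over the HTTP API.
# Assumed inputs (placeholders, set them for your environment):
#   VAULT_ADDR      e.g. https://vault.example.com:8200
#   VAULT_TOKEN     admin token allowed to manage auth methods, policies and roles
#   IAM_SERVER_ID   value for iam_server_id_header_value (defaults to vault.example.com)
#   AGENT_ROLE_ARN  arn:aws:iam::<CUSTOMER_AWS_ACCOUNT_ID>:role/<ALATION_AGENT_IAM_ROLE>
set -u
IAM_SERVER_ID=${IAM_SERVER_ID:-vault.example.com}

RESP=$(mktemp)
trap 'rm -f "$RESP"' EXIT

# Interpret the HTTP status of one request. 200/204 is success; a 400 when enabling
# the auth method means it is already mounted at aws/, which is fine on a re-run.
vault_status_ok() {  # <api-path> <http-code>
  case "$2" in
    200|204) return 0 ;;
    400) [ "$1" = "sys/auth/aws" ] && { echo "aws/ already enabled, continuing" >&2; return 0; }
         return 1 ;;
    403) echo "permission denied on $1: token lacks the needed policies" >&2; return 1 ;;
    *)   return 1 ;;
  esac
}

# Turn an HCL policy read from stdin into a JSON string value: escape \ and ",
# join lines with \n, keep the trailing \n. Output has no surrounding quotes.
json_escape() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
  | awk 'BEGIN { ORS = "" } NR > 1 { printf "%s", "\\n" } { printf "%s", $0 } END { printf "%s", "\\n" }'
}

# POST <json> to /v1/<path>; on failure print Vault's error body and return non-zero.
vault_write() {  # <api-path> <json-body>
  code=$(curl -sS -o "$RESP" -w '%{http_code}' \
    --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data "$2" "$VAULT_ADDR/v1/$1")
  vault_status_ok "$1" "$code" || { echo "FAILED $1 (HTTP $code): $(cat "$RESP")" >&2; return 1; }
}

# GET /v1/<path> into $RESP; return non-zero unless the status is 200.
vault_read() {  # <api-path>
  code=$(curl -sS -o "$RESP" -w '%{http_code}' \
    --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/$1")
  [ "$code" = "200" ] || { echo "FAILED GET $1 (HTTP $code): $(cat "$RESP")" >&2; return 1; }
}

setup_vault_aws_auth() {
  vault_write sys/auth/aws '{"type":"aws"}'
  vault_read sys/auth && grep -q '"aws/"' "$RESP" || { echo "aws/ not listed in sys/auth" >&2; return 1; }

  # Replay protection: the agent must send this same value in X-Vault-AWS-IAM-Server-ID.
  vault_write auth/aws/config/client "{\"iam_server_id_header_value\":\"$IAM_SERVER_ID\"}"

  # Policy written as plain HCL and escaped by the helper. Read-only: for KV v2,
  # list would need a separate grant on secret/metadata/alation/*.
  policy=$(json_escape <<'EOF'
path "secret/data/alation/*" {
  capabilities = ["read"]
}
path "database/creds/alation" {
  capabilities = ["read"]
}
EOF
)
  vault_write sys/policies/acl/alation-agent-policy "{\"policy\":\"$policy\"}"

  # token_policies is the current name of the policies parameter used on this page.
  vault_write auth/aws/role/alation-agent-role "{
    \"auth_type\": \"iam\",
    \"bound_iam_principal_arn\": [\"$AGENT_ROLE_ARN\"],
    \"token_policies\": [\"alation-agent-policy\"],
    \"token_ttl\": \"1h\",
    \"token_max_ttl\": \"4h\"
  }"

  # Verify the role came back with the binding we asked for.
  vault_read auth/aws/role/alation-agent-role
  grep -q "$AGENT_ROLE_ARN" "$RESP" || { echo "role does not bind $AGENT_ROLE_ARN" >&2; return 1; }
  echo "Vault-side setup complete"
}

# Only talk to Vault when the connection details are actually present.
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ] && [ -n "${AGENT_ROLE_ARN:-}" ]; then
  setup_vault_aws_auth
fi
```

Run it as `VAULT_ADDR=... VAULT_TOKEN=... AGENT_ROLE_ARN=... sh setup-vault-aws-auth.sh`. The status check treats only the "already enabled" 400 as benign; a 400 on the policy or role write still fails, which is what you want because it usually means a malformed body or a principal ARN Vault could not resolve. The EC2-auth role from the page can be added with another vault_write call using the bound_account_id, bound_vpc_id, and bound_iam_instance_profile_arn fields shown above.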

For full details on the HashiCorp Vault AWS auth API, see the AWS auth method API reference.