The Vault Agent Secret is required when using the agent authentication method for key vault connections. This topic explains how to enable the feature and configure the agent secret using the available authentication methods.
Prerequisites
Before you begin:
- You have network access to your Vault instance.
- Your environment is able to run DISCLI commands.
- You have the appropriate Vault credentials (AppRole values, TLS certificate files, or a secret file).
Enable vault agent secret support
If you are installing the agent for the first time, no additional steps are required. To install the agent, see Install an agent. If the agent is already installed in your environment, run the following command to enable the key vault agent secret feature:
./discli updateCli
After the update completes, you can configure the vault agent secret using one of the methods below.
Configure the vault agent secret
Placeholder values (shown in angle brackets < >) in the UI must be replaced with your own values. Do not include the brackets when running the commands.
- Option 1: Add agent secret key with AppRole
  ./discli keyvault deploySecret \
    --agent-secret-key <agent secret key> \
    --url <hostUrl:port> \
    --authentication-method approle \
    --role-id <role-id> \
    --secret-id <secret-id>
- Option 2: Add agent secret key with TLS certificates
  ./discli keyvault deploySecret \
    --agent-secret-key <agent secret key> \
    --url <hostUrl:port> \
    --authentication-method tls \
    --tls-cert-file <cert pem file> \
    --private-key-file <key pem file>
- Option 3: Add agent secret using a secret file
  ./discli keyvault deploySecret \
    --agent-secret-key <agent secret key> \
    --agent-secret-file <agentSecretFile.json>
Required JSON format for a secret file
When using the --agent-secret-file option, the JSON file must follow one of the formats shown below, depending on your vault authentication method. The file holds the same values as the command-line options (hostname, authentication method, and either the AppRole IDs or the TLS certificate and private key).
- For AppRole authentication
  {
    "hostname": "<host url:port>",
    "authenticationMethod": "approle",
    "roleId": "<role id>",
    "secretId": "<secret id>",
    "vaultType": "hashicorp"
  }
- For TLS certificate authentication
  {
    "hostname": "<host url:port>",
    "authenticationMethod": "tls",
    "tlsCertificate": "<tls certificate>",
    "privateKey": "<private key>",
    "vaultType": "hashicorp"
  }
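A pre-flight check for the secret file, written as an added example that is not part of DISCLI or this documentation: it verifies that a parsed file carries the fields the two formats above require, that no "<placeholder>" values were left in from copying the template, and, for a file on disk, that the file (which holds a secretId or private key) is not readable by other users. The field names and the vaultType value "hashicorp" are taken from the formats above; the POSIX permission check and the sample values are assumptions.

```python
import json
import os
import stat

# Required keys for each documented authenticationMethod value.
REQUIRED_BY_METHOD = {
    "approle": ("roleId", "secretId"),
    "tls": ("tlsCertificate", "privateKey"),
}
COMMON_FIELDS = ("hostname", "authenticationMethod", "vaultType")


def validate_agent_secret(data: dict) -> list:
    """Return the problems found in a parsed agent secret file (empty list = OK)."""
    problems = []
    for field in COMMON_FIELDS:
        if field not in data:
            problems.append(f"missing required field '{field}'")
    method = data.get("authenticationMethod")
    if method not in REQUIRED_BY_METHOD:
        problems.append(f"unsupported authenticationMethod {method!r}")
    else:
        for field in REQUIRED_BY_METHOD[method]:
            if field not in data:
                problems.append(f"{method} requires field '{field}'")
    # "hashicorp" is the only vaultType value shown in the documented formats.
    if "vaultType" in data and data["vaultType"] != "hashicorp":
        problems.append(f"vaultType {data['vaultType']!r} is not the documented value 'hashicorp'")
    # Placeholders copied verbatim from the template (e.g. "<role id>") are an easy mistake.
    for key, value in data.items():
        if isinstance(value, str) and value.startswith("<") and value.endswith(">"):
            problems.append(f"field '{key}' still contains placeholder {value!r}")
    return problems


def validate_agent_secret_file(path: str) -> list:
    """Validate a file on disk; also flag group/other read access (POSIX mode bits assumed)."""
    with open(path, "r", encoding="utf-8") as fh:
        problems = validate_agent_secret(json.load(fh))
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("secret file is readable by group/others; restrict it to the owner")
    return problems


# Constructed sample matching the AppRole format above (not real credentials).
SAMPLE_APPROLE = {
    "hostname": "vault.example.internal:8200",
    "authenticationMethod": "approle",
    "roleId": "example-role-id",
    "secretId": "example-secret-id",
    "vaultType": "hashicorp",
}
```

Run validate_agent_secret_file on the file you intend to pass to --agent-secret-file before deploying, so a malformed file is caught locally rather than at connection-test time.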
Verify the installation
After the agent secret is configured:
- Return to the Add Key Vault page.
- Select the agent secret key you created.
- Click Test Connection.
If the connection test succeeds, the key vault is ready for use.