What is a Connector?
A Connector is the lightweight agent installed inside your network (in a data centre, in a VPC, or on a workstation) that lets VaultPAM broker sessions to targets that are not directly reachable from the internet.
Why you need one
Your targets (Windows servers, Linux hosts, databases) typically live behind a firewall. You do not want to punch inbound holes for VaultPAM. A connector solves this by making an outbound reverse tunnel to the VaultPAM control plane: sessions flow through that tunnel, so no inbound firewall changes are needed.
Deployment shapes
- Docker (recommended for servers) — one container per connector.
- Native installer — MSI (Windows), DMG (macOS), DEB/RPM (Linux).
- VM appliance — pre-built OVA for environments that want an immutable, signed VM image.
- Kubernetes — Helm chart (v2 roadmap) or the Kustomize manifests we ship today.
How pairing works
- You click Add Connector in the dashboard. VaultPAM generates a single-use enrolment token.
- You launch the connector with the token (pasted into a docker run, into a native installer prompt, or — once AIC-1958 lands — via a browser auto-pair flow).
- The connector presents the token, solves a certificate challenge, and is issued an mTLS client cert bound to its identity.
- The issued identity is stored under PAM_AGENT_DATA_DIR and must survive restarts. Use a Docker named volume or bind mount, a durable VM/native host path, or a Kubernetes PVC.
- From then on the connector keeps an outbound TLS tunnel open to the control plane. Sessions are multiplexed over that tunnel.
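A preflight check for the identity directory described in the steps above, as an added example that is not part of VaultPAM's own tooling: it rejects a PAM_AGENT_DATA_DIR that is missing, sits on ephemeral storage, or is accessible to other users. It assumes Linux with GNU stat and that the stored identity includes private key material worth restricting to its owner; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the connector identity directory.
# Function names and return codes are hypothetical, not VaultPAM's.

# Filesystem types whose contents are lost on reboot or container re-create.
is_ephemeral_fs() {
    case "$1" in
        tmpfs|ramfs|overlay|overlayfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the filesystem type backing a path (GNU stat, Linux only).
fs_type_of() {
    stat -f -c %T "$1" 2>/dev/null
}

# check_data_dir DIR [FSTYPE]
# FSTYPE overrides detection (useful for testing).
# Returns: 0 ok, 1 unset, 2 missing, 3 not writable,
#          4 ephemeral storage, 5 group/other can access.
check_data_dir() {
    cdd_dir=$1
    cdd_fs=${2:-}
    if [ -z "$cdd_dir" ]; then
        echo "PAM_AGENT_DATA_DIR is not set" >&2; return 1
    fi
    if [ ! -d "$cdd_dir" ]; then
        echo "$cdd_dir: not a directory" >&2; return 2
    fi
    if [ ! -w "$cdd_dir" ]; then
        echo "$cdd_dir: not writable" >&2; return 3
    fi
    [ -n "$cdd_fs" ] || cdd_fs=$(fs_type_of "$cdd_dir") || cdd_fs=unknown
    if is_ephemeral_fs "$cdd_fs"; then
        echo "$cdd_dir: on $cdd_fs, identity will not survive restarts" >&2
        return 4
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    cdd_perm=$(ls -ld "$cdd_dir" | cut -c5-10)
    if [ "$cdd_perm" != "------" ]; then
        echo "$cdd_dir: accessible by group/other, chmod 700 it" >&2
        return 5
    fi
    return 0
}
```

Call check_data_dir "$PAM_AGENT_DATA_DIR" before starting the connector and stop on a non-zero result. A pass only means the path is not obviously ephemeral: a Kubernetes emptyDir reports the node's filesystem type and looks the same as a PVC to this check.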
Reachability and routing
A Resource says which Connector can reach it. If you have multiple Connectors in different networks, each Resource points at the right one. VaultPAM never tries to reach the target directly — only through a Connector.
Health
A Connector reports a heartbeat every 10 s. If the heartbeat stops, the dashboard shows Offline and the Connector is removed from routing decisions until it recovers. Sessions in flight through an offline Connector drop gracefully.