but even when I use the loopback (e.g. exactly as written in the install instructions) I’m getting the same API error.
I think the install instructions show an IP address, not a local IP address or loopback address. If you found documentation that shows otherwise please let me know.
My assumption is that
--publish should be doing all the heavy lifting for exposing the vault endpoint to the host.
Publish will expose the port on the host machine, but 0.0.0.0 and localhost refers to the network inside of the container, not the host machine. You therefore cannot access a host-machine address and port from inside a container using 0.0.0.0 or localhost. Specifically, you cannot reach vault at 0.0.0.0 from inside the plugin container.
If you find yourself struggling with networking, you could just set the agent and plugin container to
--network=host and avoid using an isolated network all together.
Is there a way to provide token-based authentication through the host?
Sorry I’m not sure I understand the question.