FreeKB - HashiCorp Vault - Enable approle authentication using the vault auth enable command


This assumes the following has already been done.

The vault auth list command should return something like this.

~]$ vault auth list
Path      Type     Accessor               Description                Version
----      ----     --------               -----------                -------
token/    token    auth_token_5013c38c    token based credentials    n/a

 

The vault auth enable approle command can be used to enable approle authentication.

~]$ vault auth enable approle
Success! Enabled approle auth method at: approle/

 

And now the vault auth list command should include approle.

~]$ vault auth list
Path        Type       Accessor                 Description                Version
----        ----       --------                 -----------                -------
approle/    approle    auth_approle_5174b018    n/a                        n/a
token/      token      auth_token_5013c38c      token based credentials    n/a

 

Since we just enabled approle and have not yet created any roles in approle, the vault list auth/<auth method>/role command should return something like this.

~]$ vault list auth/approle/role
No value found at auth/approle/role

 

Let's create a role named my-role.

vault write auth/approle/role/my-role \
secret_id_ttl=10m \
token_num_uses=10 \
token_ttl=20m \
token_max_ttl=30m \
secret_id_num_uses=40

 

The vault list auth/<auth method>/role command should now return the role.

~]$ vault list auth/approle/role
Keys
----
my-role

 

And let's return the role-id.

~]$ vault read auth/approle/role/my-role/role-id
Key        Value
---        -----
role_id    b4a68549-1464-7aac-b0cd-d22954985aa8

 

And let's create the secret-id.

~]$ vault write -f auth/approle/role/my-role/secret-id
Key                   Value
---                   -----
secret_id             6039e2e2-6017-8db9-2e1b-dd6bd449f901
secret_id_accessor    c8ef166e-4b09-0e1f-b70e-cb3a871a6460
secret_id_num_uses    40
secret_id_ttl         10m

 

And here is an example of how you could authenticate to the vault using approle in a Python script.

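#!/usr/bin/python3
import hvac

# Vault address used in this article. Plain http sends the secret_id
# unencrypted, so point this at an https:// listener outside of a lab.
client = hvac.Client(url='http://vault.example.com:8200')

# Log in with the role_id and secret_id returned by the commands above.
# The secret_id expires after secret_id_ttl (10m) and is a credential, so a
# real script should receive it at run time instead of storing it in the file.
# On success hvac keeps the returned client token on the client object.
client.auth.approle.login(
  role_id="b4a68549-1464-7aac-b0cd-d22954985aa8",
  secret_id="6039e2e2-6017-8db9-2e1b-dd6bd449f901"
)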
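The limits set on my-role above (secret_id_ttl, secret_id_num_uses, token_ttl, token_max_ttl) can be checked after the role is created. This is an added example, not part of the original article: it audits the JSON printed by vault read -format=json auth/approle/role/my-role. The embedded sample JSON is constructed (TTLs in seconds), and the function name audit_approle_role and the max_secret_id_ttl threshold are assumptions.

```python
import json

# Constructed sample: trimmed shape of
#   vault read -format=json auth/approle/role/my-role
# for the role created above. TTLs are reported in seconds. Not captured output.
SAMPLE_ROLE_JSON = """
{"data": {"bind_secret_id": true, "secret_id_bound_cidrs": null,
          "secret_id_num_uses": 40, "secret_id_ttl": 600,
          "token_bound_cidrs": [], "token_max_ttl": 1800,
          "token_num_uses": 10, "token_policies": [], "token_ttl": 1200}}
"""


def audit_approle_role(role_json, max_secret_id_ttl=3600):
    """Return a list of findings for one AppRole role definition.

    max_secret_id_ttl is a hypothetical site policy threshold, in seconds.
    """
    data = json.loads(role_json)["data"]
    findings = []
    if not data.get("bind_secret_id", True):
        findings.append("bind_secret_id=false: login does not require a secret_id")
    ttl = data.get("secret_id_ttl", 0)
    if ttl == 0:
        findings.append("secret_id_ttl=0: secret IDs never expire")
    elif ttl > max_secret_id_ttl:
        findings.append(f"secret_id_ttl={ttl}s exceeds policy of {max_secret_id_ttl}s")
    if data.get("secret_id_num_uses", 0) == 0:
        findings.append("secret_id_num_uses=0: a secret ID can be used without limit")
    max_ttl = data.get("token_max_ttl", 0)
    if max_ttl and data.get("token_ttl", 0) > max_ttl:
        findings.append("token_ttl is greater than token_max_ttl")
    if not data.get("secret_id_bound_cidrs") and not data.get("token_bound_cidrs"):
        findings.append("no CIDR binding: credentials work from any source address")
    if not data.get("token_policies"):
        findings.append("token_policies empty: tokens carry only the default policy")
    return findings


if __name__ == "__main__":
    for finding in audit_approle_role(SAMPLE_ROLE_JSON):
        print("-", finding)
```

For the role as created in this article the check reports the missing CIDR binding and the empty policy list; the TTL and use-count limits pass.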

 



