
This assumes the following has already been done.
- Hashicorp Vault has been installed
- Hashicorp Vault has been initialized
- Hashicorp Vault has been unsealed
- You have logged into the vault
The vault auth list command should return something like this.
~]$ vault auth list
Path      Type     Accessor               Description                Version
----      ----     --------               -----------                -------
token/    token    auth_token_5013c38c    token based credentials    n/a
The vault auth enable approle command or a POST request to the /v1/sys/auth/approle endpoint (this article) can be used to enable approle authentication.
When you initialized the vault a root token should have been returned, something like hvs.vND8VRSjt7pM7YvkIqECbAZY. The root token can be used in the POST requests for this initial setup, but it is unrestricted, so once the auth method and roles are in place it is normal practice to revoke it and do day-to-day administration with a token that carries a narrower policy.
~]$ curl --header "X-Vault-Token: hvs.vND8VRSjt7pM7YvkIqECbAZY" --request POST --data '{"type": "approle"}' --url http://vault.example.com:8200/v1/sys/auth/approle
A successful request returns HTTP 204 with no body, so curl prints nothing. The Vault server log should contain a line like this.
2024-03-15T08:42:52.727Z [INFO] core: enabled credential backend: path=approle/ type=approle version=""
And now the vault auth list command should include approle.
~]$ vault auth list
Path        Type       Accessor                 Description                Version
----        ----       --------                 -----------                -------
approle/    approle    auth_approle_5174b018    n/a                        n/a
token/      token      auth_token_5013c38c      token based credentials    n/a
Let's create a role named my-role. The policies attached to tokens issued through the role are set with token_policies (the older policies parameter still works but is deprecated). Nothing else is set here, so the role gets Vault's defaults, which include secret-ids that never expire and have no use limit.
~]$ curl \
--header "X-Vault-Token: hvs.vND8VRSjt7pM7YvkIqECbAZY" \
--request POST \
--data '{"token_policies": "dev-policy,test-policy"}' \
--url http://vault.example.com:8200/v1/auth/approle/role/my-role
Now fetch the role-id (694c2831-7b72-7c53-3c86-0d5987c86863 in this example). The role-id is not secret on its own; it identifies the role and is paired with a secret-id at login.
~]$ curl --header "X-Vault-Token: hvs.vND8VRSjt7pM7YvkIqECbAZY" --request GET --url http://vault.example.com:8200/v1/auth/approle/role/my-role/role-id
{
"request_id":"6c3f1781-5fa9-37a5-c13c-cbc3bb479b18",
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"role_id":"694c2831-7b72-7c53-3c86-0d5987c86863"
},
"wrap_info":null,
"warnings":null,
"auth":null
}
And let's create the secret-id. Each POST to this endpoint mints a new secret-id, and the response is the only time the secret_id value is shown, so capture it and treat it like a password. In the response below secret_id_ttl and secret_id_num_uses are both 0 because the role was created without those settings, meaning this secret-id never expires and can be used for an unlimited number of logins. The secret_id_accessor can be used later to look up or destroy this secret-id without exposing the secret_id itself.
~]$ curl --header "X-Vault-Token: hvs.vND8VRSjt7pM7YvkIqECbAZY" --request POST --url http://vault.example.com:8200/v1/auth/approle/role/my-role/secret-id
{
"request_id":"ac9ae985-8966-2806-5aed-8a1efd2f6b86",
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"secret_id":"bddc29f5-c4f1-1be9-9843-ecb0b2d090c0",
"secret_id_accessor":"f7d876ff-d373-c593-3ce6-f72114cde79f",
"secret_id_num_uses":0,
"secret_id_ttl":0
},
"wrap_info":null,
"warnings":null,
"auth":null
}
And here is an example of how you could authenticate to the vault using approle in a Python script with the hvac library (pip install hvac). The role-id and secret-id are read from environment variables so the credentials are not hardcoded in the script.
#!/usr/bin/python3
import os
import hvac

# Credentials come from the environment rather than being hardcoded in source
client = hvac.Client(url='http://vault.example.com:8200')
client.auth.approle.login(
    role_id=os.environ['VAULT_ROLE_ID'],      # e.g. 694c2831-7b72-7c53-3c86-0d5987c86863
    secret_id=os.environ['VAULT_SECRET_ID']   # e.g. bddc29f5-c4f1-1be9-9843-ecb0b2d090c0
)
# login() stores the returned client token on the client object; confirm it worked
assert client.is_authenticated()