2015-07-15 13:26:31 +00:00
|
|
|
---
|
|
|
|
layout: "intro"
|
2015-07-19 19:29:06 +00:00
|
|
|
page_title: "Using the HTTP APIs with Authentication"
|
2015-07-15 13:26:31 +00:00
|
|
|
sidebar_current: "gettingstarted-apis"
|
|
|
|
description: |-
|
2015-07-19 19:29:06 +00:00
|
|
|
Using the HTTP APIs for authentication and secret access.
|
2015-07-15 13:26:31 +00:00
|
|
|
---
|
|
|
|
|
2015-07-19 19:29:06 +00:00
|
|
|
# Using the HTTP APIs with Authentication
|
2016-10-11 20:07:48 +00:00
|
|
|
All of Vault's capabilities are accessible via the HTTP API in addition to the
|
|
|
|
CLI. In fact, most calls from the CLI actually invoke the HTTP API. In some
|
|
|
|
cases, Vault features are not available via the CLI and can only be accessed
|
|
|
|
via the HTTP API.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
Once you have started the Vault server, you can use `curl` or any other http
|
|
|
|
client to make API calls. For example, if you started the Vault server in
|
|
|
|
[development mode](/docs/concepts/dev-server.html), you could validate the
|
|
|
|
initialization status like this:
|
2015-07-15 13:26:31 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
2015-07-16 13:29:52 +00:00
|
|
|
$ curl http://127.0.0.1:8200/v1/sys/init
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
This will return a JSON response:
|
2015-07-15 13:26:31 +00:00
|
|
|
|
2015-07-19 20:52:11 +00:00
|
|
|
```javascript
|
2015-10-12 16:10:22 +00:00
|
|
|
{ "initialized": true }
|
2015-07-15 13:26:31 +00:00
|
|
|
```
|
|
|
|
|
2015-07-19 20:52:11 +00:00
|
|
|
## Accessing Secrets via the REST APIs
|
2016-10-11 20:07:48 +00:00
|
|
|
Machines that need access to information stored in Vault will most likely
|
|
|
|
access Vault via its REST API. For example, if a machine were using
|
2016-10-28 05:24:25 +00:00
|
|
|
[AppRole](/docs/auth/approle.html) for authentication, the application would
|
2016-10-11 20:07:48 +00:00
|
|
|
first authenticate to Vault which would return a Vault API token. The
|
|
|
|
application would use that token for future communication with Vault.
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
For the purpose of this guide, we will use the following configuration which
|
2016-10-28 05:24:25 +00:00
|
|
|
disables TLS and uses a file-based backend. TLS is disabled here only for
|
|
|
|
exemplary purposes and it should never be disabled in production.
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2015-07-19 20:52:11 +00:00
|
|
|
```javascript
|
|
|
|
backend "file" {
|
|
|
|
path = "vault"
|
|
|
|
}
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2015-07-19 20:52:11 +00:00
|
|
|
listener "tcp" {
|
|
|
|
tls_disable = 1
|
|
|
|
}
|
2015-07-16 13:29:52 +00:00
|
|
|
```
|
2015-07-19 20:52:11 +00:00
|
|
|
|
|
|
|
Save this file on disk and then start the Vault server with this command:
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
2015-07-16 13:29:52 +00:00
|
|
|
$ vault server -config=/etc/vault.conf
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
At this point, we can use Vault's API for all our interactions. For example, we
|
|
|
|
can initialize Vault like this:
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
2015-07-19 20:52:11 +00:00
|
|
|
$ curl \
|
|
|
|
-X PUT \
|
|
|
|
-d "{\"secret_shares\":1, \"secret_threshold\":1}" \
|
2016-10-28 13:23:05 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/init
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
The response should be JSON and looks something like this:
|
2015-07-19 20:52:11 +00:00
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
2016-10-28 05:24:25 +00:00
|
|
|
"root_token": "4f66bdfa-f5e4-209f-096c-6e01d863c145",
|
|
|
|
"keys_base64": [
|
|
|
|
"FwwsSzMysLgYAvJFrs+q5UfLMKIxC+dDFbP6YzyjzvQ="
|
|
|
|
],
|
|
|
|
"keys": [
|
|
|
|
"170c2c4b3332b0b81802f245aecfaae547cb30a2310be74315b3fa633ca3cef4"
|
|
|
|
]
|
2015-07-19 20:52:11 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
This response contains our initial root token. It also includes the unseal key.
|
|
|
|
You can use the unseal key to unseal the Vault and use the root token perform
|
|
|
|
other requests in Vault that require authentication.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
To make this guide easy to copy-and-paste, we will be using the environment
|
|
|
|
variable `$VAULT_TOKEN` to store the root token. You can export this Vault
|
|
|
|
token in your current shell like this:
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
|
|
|
$ export VAULT_TOKEN=4f66bdfa-f5e4-209f-096c-6e01d863c145
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
Using the unseal key (not the root token) from above, you can unseal the Vault
|
|
|
|
via the HTTP API:
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
2015-07-19 20:52:11 +00:00
|
|
|
$ curl \
|
2015-10-12 16:10:22 +00:00
|
|
|
-X PUT \
|
2016-10-28 05:24:25 +00:00
|
|
|
-d '{"key": "FwwsSzMysLgYAvJFrs+q5UfLMKIxC+dDFbP6YzyjzvQ="}' \
|
2015-10-12 16:10:22 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/unseal
|
2015-07-15 13:26:31 +00:00
|
|
|
```
|
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
Note that you should replace `FwwsSzM...` with the generated key from your
|
2016-10-11 20:07:48 +00:00
|
|
|
output. This will return a JSON response:
|
2015-07-19 20:52:11 +00:00
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
2016-10-28 05:24:25 +00:00
|
|
|
"cluster_id": "1c2523c9-adc2-7f3a-399f-7032da2b9faf",
|
|
|
|
"cluster_name": "vault-cluster-9ac82317",
|
|
|
|
"version": "0.6.2",
|
|
|
|
"progress": 0,
|
2015-07-19 20:52:11 +00:00
|
|
|
"n": 1,
|
2016-10-28 05:24:25 +00:00
|
|
|
"t": 1,
|
|
|
|
"sealed": false
|
2015-07-19 20:52:11 +00:00
|
|
|
}
|
2015-07-15 13:26:31 +00:00
|
|
|
```
|
2015-07-19 19:29:06 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
Now any of the available authentication backends can be enabled and configured.
|
|
|
|
For the purposes of this guide lets enable [AppRole](/docs/auth/approle.html)
|
|
|
|
authentication.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
Start by enabling the AppRole authentication.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
|
|
|
$ curl -X POST -H "X-Vault-Token:$VAULT_TOKEN" -d '{"type":"approle"}' http://127.0.0.1:8200/v1/sys/auth/approle
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
Notice that the request to enable the AppRole endpoint needed an authentication
|
|
|
|
token. In this case we are passing the root token generated when we started
|
|
|
|
the Vault server. We could also generate tokens using any other authentication
|
2016-10-11 20:07:48 +00:00
|
|
|
mechanisms, but we will use the root token for simplicity.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
Now create an AppRole with desired set of [ACL
|
|
|
|
policies](/docs/concepts/policies.html). In the following command, it is being
|
|
|
|
specified that the tokens issued under the AppRole `testrole`, should be
|
|
|
|
associated with `dev-policy` and the `test-policy`.
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
2016-10-28 13:23:05 +00:00
|
|
|
$ curl -X POST -H "X-Vault-Token:$VAULT_TOKEN" -d '{"policies":"dev-policy,test-policy"}' http://127.0.0.1:8200/v1/auth/approle/role/testrole
|
2015-07-16 13:29:52 +00:00
|
|
|
```
|
2015-07-19 19:29:06 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
The AppRole backend, in its default configuration expects two hard to guess
|
|
|
|
credentials, a role ID and a secret ID. This command fetches the role ID of
|
|
|
|
the `testrole`.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
2016-10-28 13:23:05 +00:00
|
|
|
$ curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/auth/approle/role/testrole/role-id | jq .
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
2016-10-28 05:24:25 +00:00
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
|
|
|
"auth": null,
|
|
|
|
"warnings": null,
|
|
|
|
"wrap_info": null,
|
|
|
|
"data": {
|
|
|
|
"role_id": "988a9dfd-ea69-4a53-6cb6-9d6b86474bba"
|
|
|
|
},
|
|
|
|
"lease_duration": 0,
|
|
|
|
"renewable": false,
|
|
|
|
"lease_id": "",
|
|
|
|
"request_id": "ef5c9b3f-e15e-0527-5457-79b4ecfe7b60"
|
|
|
|
}
|
2015-07-16 13:29:52 +00:00
|
|
|
```
|
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
This command creates a new secret ID under the `testrole`.
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
2016-10-28 13:23:05 +00:00
|
|
|
$ curl -X POST -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/auth/approle/role/testrole/secret-id | jq .
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2015-07-19 20:52:11 +00:00
|
|
|
```javascript
|
|
|
|
{
|
2016-10-28 05:24:25 +00:00
|
|
|
"auth": null,
|
|
|
|
"warnings": null,
|
|
|
|
"wrap_info": null,
|
|
|
|
"data": {
|
|
|
|
"secret_id_accessor": "45946873-1d96-a9d4-678c-9229f74386a5",
|
|
|
|
"secret_id": "37b74931-c4cd-d49a-9246-ccc62d682a25"
|
|
|
|
},
|
2015-07-19 20:52:11 +00:00
|
|
|
"lease_duration": 0,
|
2016-10-28 05:24:25 +00:00
|
|
|
"renewable": false,
|
|
|
|
"lease_id": "",
|
|
|
|
"request_id": "c98fa1c2-7565-fd45-d9de-0b43c307f2aa"
|
2015-07-19 20:52:11 +00:00
|
|
|
}
|
2015-07-16 13:29:52 +00:00
|
|
|
```
|
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
These two credentials can be supplied to the login endpoint to fetch a new
|
|
|
|
Vault token.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
|
|
|
$ curl -X POST \
|
|
|
|
-d '{"role_id":"988a9dfd-ea69-4a53-6cb6-9d6b86474bba","secret_id":"37b74931-c4cd-d49a-9246-ccc62d682a25"}' \
|
2016-10-28 13:23:05 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/approle/login | jq .
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
2016-10-28 05:24:25 +00:00
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
|
|
|
"auth": {
|
|
|
|
"renewable": true,
|
|
|
|
"lease_duration": 2764800,
|
|
|
|
"metadata": {},
|
|
|
|
"policies": [
|
|
|
|
"default",
|
|
|
|
"dev-policy",
|
|
|
|
"test-policy"
|
|
|
|
],
|
|
|
|
"accessor": "5d7fb475-07cb-4060-c2de-1ca3fcbf0c56",
|
|
|
|
"client_token": "98a4c7ab-b1fe-361b-ba0b-e307aacfd587"
|
|
|
|
},
|
|
|
|
"warnings": null,
|
|
|
|
"wrap_info": null,
|
|
|
|
"data": null,
|
|
|
|
"lease_duration": 0,
|
|
|
|
"renewable": false,
|
|
|
|
"lease_id": "",
|
|
|
|
"request_id": "988fb8db-ce3b-0167-0ac7-1a568b902d75"
|
|
|
|
}
|
2015-07-16 13:29:52 +00:00
|
|
|
```
|
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
The returned client token (`98a4c7ab-b1fe-361b-ba0b-e307aacfd587`) can now be
|
|
|
|
used to authenticate with Vault. This token will be authorized with specific
|
|
|
|
capabilities on all the resources encompassed by the policies `default`,
|
|
|
|
`dev-policy` and `test-policy`.
|
2015-07-19 20:52:11 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
The newly acquired token can be exported as a new `VAULT_TOKEN` and use it to
|
|
|
|
authenticate Vault requests.
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
$ export VAULT_TOKEN="98a4c7ab-b1fe-361b-ba0b-e307aacfd587"
|
|
|
|
$ curl -X POST -H "X-Vault-Token:$VAULT_TOKEN" -d '{"bar":"baz"}' http://127.0.0.1:8200/v1/secret/foo
|
2015-07-16 13:29:52 +00:00
|
|
|
```
|
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
This will create a new secret named "foo" with the given JSON contents. We can
|
|
|
|
read this value back with the same token:
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
```javascript
|
|
|
|
$ curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/secret/foo | jq .
|
2015-07-19 20:52:11 +00:00
|
|
|
```
|
2015-07-19 19:29:06 +00:00
|
|
|
|
2015-07-19 20:52:11 +00:00
|
|
|
This should return a response like this:
|
2015-07-16 13:29:52 +00:00
|
|
|
|
2015-07-19 20:52:11 +00:00
|
|
|
```javascript
|
|
|
|
{
|
2016-10-28 05:24:25 +00:00
|
|
|
"auth": null,
|
|
|
|
"warnings": null,
|
|
|
|
"wrap_info": null,
|
2015-07-19 20:52:11 +00:00
|
|
|
"data": {
|
|
|
|
"bar": "baz"
|
|
|
|
},
|
2016-10-28 05:24:25 +00:00
|
|
|
"lease_duration": 2764800,
|
|
|
|
"renewable": false,
|
|
|
|
"lease_id": "",
|
|
|
|
"request_id": "5e246671-ec05-6fc8-9f93-4fe4512f34ab"
|
2015-07-19 20:52:11 +00:00
|
|
|
}
|
2015-07-16 13:29:52 +00:00
|
|
|
```
|
|
|
|
|
2016-10-11 20:07:48 +00:00
|
|
|
You can see the documentation on the [HTTP APIs](/docs/http/index.html) for
|
|
|
|
more details on other available endpoints.
|
2015-07-19 19:29:06 +00:00
|
|
|
|
|
|
|
Congratulations! You now know all the basics to get started with Vault.
|
|
|
|
|
|
|
|
## Next
|
|
|
|
|
2016-10-28 05:24:25 +00:00
|
|
|
Next, we have a page dedicated to [next
|
|
|
|
steps](/intro/getting-started/next-steps.html) depending on what you would like
|
|
|
|
to achieve.
|