open-vault/website/pages/guides/identity/authentication.mdx

665 lines
20 KiB
Plaintext
Raw Normal View History

2018-01-09 23:12:08 +00:00
---
layout: guides
page_title: AppRole Pull Authentication - Guides
sidebar_title: AppRole Pull Authentication
2018-01-09 23:12:08 +00:00
description: |-
Authentication is a process in Vault by which user or machine-supplied
information is verified to create a token with pre-configured policy.
---
# Authentication
Before a client can interact with Vault, it must authenticate against an [**auth
method**](/docs/auth) to acquire a token. This token has policies attached so
2018-01-09 23:12:08 +00:00
that the behavior of the client can be governed.
Since tokens are the core method for authentication within Vault, there is a
**token** auth method (often referred to as **_token store_**). This is a special
auth method responsible for creating and storing tokens.
2018-01-09 23:12:08 +00:00
### Auth Methods
2018-01-09 23:12:08 +00:00
Auth methods perform authentication to verify the user or machine-supplied
information. Some of the supported auth methods are targeted towards users
2018-01-09 23:12:08 +00:00
while others are targeted toward machines or apps. For example,
[**LDAP**](/docs/auth/ldap) auth method enables user authentication using
an existing LDAP server while [**AppRole**](/docs/auth/approle) auth
method is recommended for machines or apps.
2018-01-09 23:12:08 +00:00
The [Getting Started](/intro/getting-started/authentication) guide walks you
through how to enable the GitHub auth method for user authentication.
2018-01-09 23:12:08 +00:00
2018-01-23 02:14:23 +00:00
This introductory guide focuses on generating tokens for machines or apps by
enabling the [**AppRole**](/docs/auth/approle) auth method.
2018-01-09 23:12:08 +00:00
## Reference Material
- [AppRole Auth Method](/docs/auth/approle)
- [AppRole Auth Method (API)](/api/auth/approle)
- [Authenticating Applications with HashiCorp Vault AppRole](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle)
2018-01-09 23:12:08 +00:00
## Estimated Time to Complete
10 minutes
2018-01-19 01:40:35 +00:00
## Personas
The end-to-end scenario described in this guide involves two personas:
- **`admin`** with privileged permissions to configure an auth method
2018-01-19 01:40:35 +00:00
- **`app`** is the consumer of secrets stored in Vault
2018-01-10 19:14:59 +00:00
## Challenge
Think of a scenario where a DevOps team wants to configure Jenkins to read
2018-02-01 17:50:59 +00:00
secrets from Vault so that it can inject the secrets to an app's environment
2018-01-19 01:40:35 +00:00
variables (e.g. `MYSQL_DB_HOST`) at deployment time.
2018-01-18 01:39:21 +00:00
Instead of hardcoding secrets in each build script as plain text, Jenkins
2018-01-19 01:40:35 +00:00
retrieves secrets from Vault.
2018-01-18 01:39:21 +00:00
As a user, you can authenticate with Vault using your LDAP credentials, and
Vault generates a token. This token has policies granting you permission to perform
the appropriate operations.
2018-01-19 01:40:35 +00:00
How can a Jenkins server programmatically request a token so that it can read
secrets from Vault?
2018-01-10 19:14:59 +00:00
## Solution
Enable **AppRole** auth method so that the Jenkins server can obtain a Vault
2018-01-19 01:40:35 +00:00
token with appropriate policies attached. Since each AppRole has attached
policies, you can write fine-grained policies limiting which app can access
which path.
2018-01-19 01:40:35 +00:00
2018-01-09 23:12:08 +00:00
## Prerequisites
To perform the tasks described in this guide, you need to have a Vault
environment. Refer to the [Getting
Started](/intro/getting-started/install) guide to install Vault. Make sure
2018-01-19 01:40:35 +00:00
that your Vault server has been [initialized and
unsealed](/intro/getting-started/deploy).
2018-01-09 23:12:08 +00:00
### Policy requirements
2018-01-23 02:14:23 +00:00
-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
2018-01-23 02:14:23 +00:00
with Vault. However, it is recommended that root tokens are only used for just
enough initial setup or in emergencies. As a best practice, use tokens with
an appropriate set of policies based on your role in the organization.
2018-01-23 02:14:23 +00:00
To perform all tasks demonstrated in this guide, your policy must include the
following permissions:
2018-01-19 01:40:35 +00:00
```shell
# Mount the AppRole auth method
2018-01-25 02:10:56 +00:00
path "sys/auth/approle" {
capabilities = [ "create", "read", "update", "delete", "sudo" ]
}
# Configure the AppRole auth method
2018-01-19 01:40:35 +00:00
path "sys/auth/approle/*" {
capabilities = [ "create", "read", "update", "delete" ]
}
# Create and manage roles
path "auth/approle/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Write ACL policies
path "sys/policy/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
2018-01-19 01:40:35 +00:00
path "secret/mysql/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
```
If you are not familiar with policies, complete the
[policies](/guides/identity/policies) guide.
2018-01-09 23:12:08 +00:00
## Steps
[AppRole](/docs/auth/approle) is an authentication mechanism within Vault
2018-01-23 02:14:23 +00:00
to allow machines or apps to acquire a token to interact with Vault. It uses
**Role ID** and **Secret ID** for login.
2018-01-10 19:14:59 +00:00
2018-01-23 02:14:23 +00:00
The basic workflow is:
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
![AppRole auth method workflow](/img/vault-approle-workflow.png)
2018-01-10 19:14:59 +00:00
2018-01-23 02:14:23 +00:00
> For the purpose of introducing the basics of AppRole, this guide walks you
2018-01-23 23:43:07 +00:00
> through a very simple scenario involving only two personas (admin and app).
> Please refer to the [Advanced Features](#advanced-features) section for
> further discussions after completing the following steps.
2018-01-23 02:14:23 +00:00
2018-01-10 19:14:59 +00:00
In this guide, you are going to perform the following steps:
2018-01-09 23:12:08 +00:00
1. [Enable AppRole auth method](#step1)
1. [Create a role with policy attached](#step2)
1. [Get Role ID and Secret ID](#step3)
1. [Login with Role ID & Secret ID](#step4)
1. [Read secrets using the AppRole token](#step5)
2018-01-19 01:40:35 +00:00
Step 1 through 3 need to be performed by an `admin` user. Step 4 and 5 describe
2018-01-19 01:40:35 +00:00
the commands that an `app` runs to get a token and read secrets from Vault.
2018-01-09 23:12:08 +00:00
### Step 1: Enable AppRole auth method ((#step1))
2018-01-19 01:40:35 +00:00
(**Persona:** admin)
2018-01-09 23:12:08 +00:00
Like many other auth methods, AppRole must be enabled before it can be used.
2018-01-09 23:12:08 +00:00
#### CLI command
Enable `approle` auth method by executing the following command:
2018-01-23 23:43:07 +00:00
```shell-session
$ vault auth enable approle
2018-01-09 23:12:08 +00:00
```
#### API call using cURL
Enable `approle` auth method by mounting its endpoint at `/sys/auth/approle`:
2018-01-18 01:39:21 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token: <TOKEN>" \
--request POST \
--data <PARAMETERS> \
<VAULT_ADDRESS>/v1/sys/auth/approle
```
2018-01-18 01:39:21 +00:00
2018-01-23 02:14:23 +00:00
Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
parameters](/api/system/auth#enable-auth-method) of the method.
2018-01-18 01:39:21 +00:00
2018-01-23 02:14:23 +00:00
**Example:**
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token: ..." \
--request POST \
--data '{"type": "approle"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/auth/approle
2018-01-09 23:12:08 +00:00
```
The above example passes the **type** (`approle`) in the request payload
2018-01-23 02:14:23 +00:00
at the `sys/auth/approle` endpoint.
2018-01-09 23:12:08 +00:00
### Step 2: Create a role with policy attached ((#step2))
2018-01-19 01:40:35 +00:00
(**Persona:** admin)
2018-01-09 23:12:08 +00:00
When you enabled the AppRole auth method, it gets mounted at the
2018-01-09 23:12:08 +00:00
**`/auth/approle`** path. In this example, you are going to create a role for
the **`app`** persona (`jenkins` in our scenario).
2018-01-09 23:12:08 +00:00
2018-01-23 02:14:23 +00:00
The scenario in this guide requires the `app` to have the
2018-01-19 01:40:35 +00:00
following policy (`jenkins-pol.hcl`):
```shell
# Login with AppRole
path "auth/approle/login" {
capabilities = [ "create", "read" ]
}
# Read test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
2018-01-19 01:40:35 +00:00
path "secret/mysql/*" {
capabilities = [ "read" ]
}
2018-01-19 01:40:35 +00:00
```
2018-01-18 01:39:21 +00:00
2018-01-09 23:12:08 +00:00
#### CLI command
Before creating a role, create a `jenkins` policy:
2018-01-19 01:40:35 +00:00
```shell-session
$ vault policy write jenkins jenkins-pol.hcl
2018-01-19 01:40:35 +00:00
```
The command to create a new AppRole:
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-23 23:43:07 +00:00
$ vault write auth/approle/role/<ROLE_NAME> [parameters]
2018-01-09 23:12:08 +00:00
```
2018-01-23 23:43:07 +00:00
> There are a number of
> [parameters](/api/auth/approle#create-update-approle) that you can set
2018-01-23 23:43:07 +00:00
> on a role. If you want to limit the use of the generated secret ID, set
> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
> specify `token_num_uses` and `token_ttl`. You may never want the app token to
> expire. In such a case, specify the `period` so that the token generated by
> this AppRole is a periodic token. To learn more about periodic token, refer to
> the [Tokens and Leases](/guides/identity/lease#step4) guide.
2018-01-09 23:12:08 +00:00
**Example:**
2018-01-19 01:40:35 +00:00
The following example creates a role named `jenkins` with `jenkins` policy
attached. (NOTE: This example creates a role operates in [**pull**
mode](/docs/auth/approle).)
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-19 01:40:35 +00:00
$ vault write auth/approle/role/jenkins policies="jenkins"
2018-01-09 23:12:08 +00:00
2018-01-23 02:14:23 +00:00
# Read the jenkins role
2018-01-09 23:12:08 +00:00
$ vault read auth/approle/role/jenkins
Key Value
--- -----
bind_secret_id true
bound_cidr_list
period 0
2018-01-19 01:40:35 +00:00
policies [jenkins]
2018-01-09 23:12:08 +00:00
secret_id_num_uses 0
secret_id_ttl 0
token_max_ttl 0
token_num_uses 0
token_ttl 0
```
2018-01-19 01:40:35 +00:00
**NOTE:** To attach multiple policies, pass the policy names as a comma
separated string.
```shell-session
2018-01-23 02:14:23 +00:00
$ vault write auth/approle/role/jenkins policies="jenkins,anotherpolicy"
```
2018-01-09 23:12:08 +00:00
#### API call using cURL
2018-01-19 01:40:35 +00:00
Before creating a role, create `jenkins` policy:
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token: ..." --request PUT --data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/policy/jenkins
2018-01-19 01:40:35 +00:00
$ cat payload.json
{
"policy": "path \"auth/approle/login\" { capabilities = [ \"create\", \"read\" ] } ... }"
}
```
2018-01-23 23:43:07 +00:00
Now, you are ready to create a role.
2018-01-19 01:40:35 +00:00
2018-01-09 23:12:08 +00:00
**Example:**
The following example creates a role named `jenkins` with a `jenkins` policy
attached. (NOTE: This example creates a role which operates in [**pull**
mode](/docs/auth/approle).)
2018-01-19 01:40:35 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token: ..." --request POST \
--data '{"policies":"jenkins"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/approle/role/jenkins
2018-01-23 23:43:07 +00:00
```
2018-01-19 01:40:35 +00:00
2018-01-23 23:43:07 +00:00
> There are a number of
> [parameters](/api/auth/approle#create-update-approle) that you can set
2018-01-23 23:43:07 +00:00
> on a role. If you want to limit the use of the generated secret ID, set
> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
> specify `token_num_uses` and `token_ttl`. You may never want the app token to
> expire. In such a case, specify the `period` so that the token generated by
> this AppRole is a periodic token. To learn more about periodic tokens, refer to
> the [Tokens and Leases](/guides/identity/lease#step4) guide.
2018-01-19 01:40:35 +00:00
2018-01-23 23:43:07 +00:00
**NOTE:** To attach multiple policies, pass the policy names as a comma
separated string.
```shell-session
2018-01-23 23:43:07 +00:00
$ curl --header "X-Vault-Token:..."
--request POST \
--data '{"policies":"jenkins,anotherpolicy"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/approle/role/jenkins
```
2018-01-23 23:43:07 +00:00
To read the jenkins role you just created:
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token: ..." --request GET \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/approle/role/jenkins | jq
2018-01-19 01:40:35 +00:00
{
"request_id": "b18054ad-1ab5-8d83-eeed-193d97026ee7",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"bind_secret_id": true,
"bound_cidr_list": "",
"period": 0,
"policies": [
"jenkins"
],
"secret_id_num_uses": 0,
"secret_id_ttl": 0,
"token_max_ttl": 0,
"token_num_uses": 0,
"token_ttl": 0
},
"wrap_info": null,
"warnings": null,
"auth": null
}
2018-01-09 23:12:08 +00:00
```
### Step 3: Get Role ID and Secret ID ((#step3))
2018-01-19 01:40:35 +00:00
(**Persona:** admin)
2018-01-09 23:12:08 +00:00
2018-02-01 17:50:59 +00:00
**Role ID** and **Secret ID** are like a username and password that a machine or
2018-01-23 23:43:07 +00:00
app uses to authenticate.
2018-01-23 02:14:23 +00:00
2018-01-10 19:14:59 +00:00
Since the example created a `jenkins` role which operates in pull mode, Vault
2018-01-23 23:43:07 +00:00
will generate the Secret ID. You can set properties such as usage-limit, TTLs,
and expirations on the secret IDs to control its lifecycle.
2018-01-09 23:12:08 +00:00
#### CLI command
Now, you need to fetch the Role ID and Secret ID of a role.
2018-01-23 23:43:07 +00:00
To read the Role ID:
2018-01-23 02:14:23 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ vault read auth/approle/role/<ROLE_NAME>/role-id
```
2018-01-23 23:43:07 +00:00
To generate a new Secret ID:
2018-01-23 02:14:23 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ vault write -f auth/approle/role/<ROLE_NAME>/secret-id
```
2018-01-23 23:43:07 +00:00
NOTE: The `-f` flag forces the `write` operation to continue without any data
values specified. Alternatively, you can set
[parameters](/api/auth/approle#generate-new-secret-id) such as
2018-01-23 23:43:07 +00:00
`cidr_list`.
2018-01-23 02:14:23 +00:00
2018-01-09 23:12:08 +00:00
**Example:**
```shell-session
2018-01-09 23:12:08 +00:00
$ vault read auth/approle/role/jenkins/role-id
Key Value
--- -----
role_id 675a50e7-cfe0-be76-e35f-49ec009731ea
$ vault write -f auth/approle/role/jenkins/secret-id
Key Value
--- -----
secret_id ed0a642f-2acf-c2da-232f-1b21300d5f29
secret_id_accessor a240a31f-270a-4765-64bd-94ba1f65703c
```
2018-01-23 23:43:07 +00:00
If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
the role in [Step 2](#step2), the generated secret ID carries out the conditions.
2018-01-09 23:12:08 +00:00
#### API call using cURL
2018-01-23 23:43:07 +00:00
To read the Role ID:
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token:..." \
--request GET \
<VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/role-id
```
2018-01-09 23:12:08 +00:00
2018-01-23 23:43:07 +00:00
To generate a new Secret ID:
2018-01-23 02:14:23 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token:..." \
--request POST \
2018-01-23 23:43:07 +00:00
--data <PARAMETERS>
2018-01-23 02:14:23 +00:00
<VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/secret-id
2018-01-09 23:12:08 +00:00
```
2018-01-23 23:43:07 +00:00
You can pass
[parameters](/api/auth/approle#generate-new-secret-id) in the request
payload, or invoke the API with an empty payload.
2018-01-23 23:43:07 +00:00
2018-01-23 02:14:23 +00:00
**Example:**
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token:..." --request GET \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/approle/role/jenkins/role-id | jq
2018-01-09 23:12:08 +00:00
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token:..." --request POST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/approle/role/jenkins/secret-id | jq
2018-01-09 23:12:08 +00:00
```
2018-01-23 23:43:07 +00:00
If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
the role in [Step 2](#step2), the generated secret ID carries out the conditions.
### Step 4: Login with Role ID & Secret ID ((#step4))
2018-01-19 01:40:35 +00:00
(**Persona:** app)
2018-01-09 23:12:08 +00:00
2018-01-23 23:43:07 +00:00
The client (in this case, Jenkins) uses the role ID and secret ID passed by the
admin to authenticate with Vault. If Jenkins did not receive the role ID and/or
2018-01-23 02:14:23 +00:00
secret ID, the admin needs to investigate.
2018-01-09 23:12:08 +00:00
2018-01-23 02:14:23 +00:00
-> Refer to the [Advanced Features](#advanced-features) section for further
discussion on distributing the role ID and secret ID to the client app
securely.
2018-01-19 01:40:35 +00:00
2018-01-09 23:12:08 +00:00
#### CLI command
To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID.
2018-01-23 02:14:23 +00:00
2018-01-09 23:12:08 +00:00
**Example:**
```shell-session
2018-01-23 02:14:23 +00:00
$ vault write auth/approle/login role_id="675a50e7-cfe0-be76-e35f-49ec009731ea" \
2018-01-09 23:12:08 +00:00
secret_id="ed0a642f-2acf-c2da-232f-1b21300d5f29"
Key Value
--- -----
token eeaf890e-4b0f-a687-4190-c75b1d6d70bc
token_accessor fcee5d4e-7281-8bb0-2901-e743c52e0502
token_duration 768h0m0s
token_renewable true
2018-01-19 01:40:35 +00:00
token_policies [jenkins]
2018-01-09 23:12:08 +00:00
token_meta_role_name "jenkins"
```
2018-01-23 23:43:07 +00:00
Now you have a **client token** with `default` and `jenkins` policies attached.
2018-01-19 01:40:35 +00:00
2018-01-09 23:12:08 +00:00
#### API call using cURL
To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID
2018-01-23 02:14:23 +00:00
in the request payload.
2018-01-09 23:12:08 +00:00
**Example:**
```shell-session
2018-01-23 23:43:07 +00:00
$ cat payload.json
2018-01-09 23:12:08 +00:00
{
"role_id": "675a50e7-cfe0-be76-e35f-49ec009731ea",
"secret_id": "ed0a642f-2acf-c2da-232f-1b21300d5f29"
}
2018-03-23 15:41:51 +00:00
$ curl --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/approle/login | jq
2018-01-19 01:40:35 +00:00
{
"request_id": "fccae32b-1e6a-9a9c-7666-f5cb07805c1e",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc",
"accessor": "fcee5d4e-7281-8bb0-2901-e743c52e0502",
2018-01-19 01:40:35 +00:00
"policies": [
"default",
"jenkins"
],
"metadata": {
"role_name": "jenkins"
},
"lease_duration": 2764800,
"renewable": true,
"entity_id": "54e0b765-6daf-0ff5-70b9-32c0d491f473"
}
}
2018-01-09 23:12:08 +00:00
```
2018-01-23 23:43:07 +00:00
Now you have a **client token** with `default` and `jenkins` policies attached.
2018-01-19 01:40:35 +00:00
### Step 5: Read secrets using the AppRole token ((#step5))
2018-01-19 01:40:35 +00:00
(**Persona:** app)
2018-01-23 23:43:07 +00:00
Once receiving a token from Vault, the client can make future requests using
this token.
2018-01-10 19:14:59 +00:00
2018-01-19 01:40:35 +00:00
#### CLI command
**Example:**
You can pass the `client_token` returned in [Step 4](#step4) as a part of the
CLI command.
```shell-session
$ VAULT_TOKEN=3e7dd0ac-8b3e-8f88-bb37-a2890455ca6e vault kv get secret/mysql/webapp
2018-01-19 01:40:35 +00:00
No value found at secret/mysql/webapp
```
Alternatively, you can first authenticate with Vault using the `client_token`.
```shell-session
$ vault login eeaf890e-4b0f-a687-4190-c75b1d6d70bc
2018-01-19 01:40:35 +00:00
Successfully authenticated! You are now logged in.
token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc
2018-01-19 01:40:35 +00:00
token_duration: 2762013
token_policies: [default jenkins]
$ vault kv get secret/mysql/webapp
2018-01-19 01:40:35 +00:00
No value found at secret/mysql/webapp
```
Since there is no value at `secret/mysql/webapp`, it returns a "no value
2018-01-19 01:40:35 +00:00
found" message.
**Optional:** Using the `admin` user's token, you can store some secrets in the
`secret/mysql/webapp` path.
2018-01-19 01:40:35 +00:00
```shell-session
$ vault kv put secret/mysql/webapp @mysqldb.txt
2018-01-19 01:40:35 +00:00
$ cat mysqldb.txt
{
"url": "foo.example.com:35533",
"db_name": "users",
"username": "admin",
"password": "pa$$w0rd"
}
```
Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
2018-01-19 01:40:35 +00:00
This time, it should return the values you just created.
#### API call using cURL
You can now pass the `client_token` returned in [Step 4](#step4) in the
**`X-Vault-Token`** or **`Authorization`** header.
2018-01-19 01:40:35 +00:00
**Example:**
```shell-session
$ curl --header "X-Vault-Token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc" \
2018-01-23 02:14:23 +00:00
--request GET \
http://127.0.0.1:8200/v1/secret/data/mysql/webapp | jq
2018-01-19 01:40:35 +00:00
{
"errors": []
}
```
Since there is no value at `secret/mysql/webapp`, it returns an empty array.
2018-01-19 01:40:35 +00:00
2018-01-23 02:14:23 +00:00
**Optional:** Using the **`admin`** user's token, create some secrets in the
`secret/mysql/webapp` path.
2018-01-19 01:40:35 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ curl --header "X-Vault-Token: ..." --request POST --data @mysqldb.txt \
2018-01-19 01:40:35 +00:00
$ cat mysqldb.text
{
"url": "foo.example.com:35533",
"db_name": "users",
"username": "admin",
"password": "p@ssw0rd"
}
```
Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
2018-01-19 01:40:35 +00:00
This time, it should return the values you just created.
2018-01-18 01:39:21 +00:00
## Advanced Features
2018-01-09 23:12:08 +00:00
2018-01-23 02:14:23 +00:00
The Role ID is equivalent to a username, and Secret ID is the corresponding
2018-01-23 23:43:07 +00:00
password. The app needs both to log in with Vault. Naturally, the next question
becomes how to deliver those values to the expected client.
2018-01-23 02:14:23 +00:00
2018-01-23 23:43:07 +00:00
A common solution involves **three personas** instead of two: `admin`, `app`, and
`trusted entity`. The `trusted entity` delivers the Role ID and Secret ID to the
client by separate means.
2018-01-09 23:12:08 +00:00
2018-02-01 17:50:59 +00:00
For example, Terraform as a trusted entity can deliver the Role ID onto the
virtual machine. When the app runs on the virtual machine, the Role ID already
2018-02-01 17:50:59 +00:00
exists on the virtual machine.
2018-01-23 02:14:23 +00:00
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
![AppRole auth method workflow](/img/vault-approle-workflow2.png)
2018-01-23 23:43:07 +00:00
The secret ID can be delivered using [**response
wrapping**](/docs/concepts/response-wrapping) to transmit the _reference_
to the secret ID rather than the actual value.
2018-01-23 02:14:23 +00:00
In [Step 3](#step3), you executed the following command to retrieve the Secret
2018-01-10 19:14:59 +00:00
ID:
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ vault write -f auth/approle/role/jenkins/secret-id
2018-01-09 23:12:08 +00:00
```
2018-01-23 02:14:23 +00:00
Instead, use response wrapping by passing the **`-wrap-ttl`** parameter:
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ vault write -wrap-ttl=60s -f auth/approle/role/jenkins/secret-id
2018-01-09 23:12:08 +00:00
Key Value
--- -----
wrapping_token: 9bbe23b7-5f8c-2aec-83dc-e97e94a2e632
wrapping_accessor: cb5bdc8f-0cdb-35ff-0e68-9de57a79c3bf
wrapping_token_ttl: 1m0s
wrapping_token_creation_time: 2018-01-08 21:29:38.826611 -0800 PST
wrapping_token_creation_path: auth/approle/role/jenkins/secret-id
```
Send this `wrapping_token` to the client so that the response can be unwrapped and
2018-01-23 02:14:23 +00:00
obtain the Secret ID.
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ VAULT_TOKEN=9bbe23b7-5f8c-2aec-83dc-e97e94a2e632 vault unwrap
2018-01-09 23:12:08 +00:00
Key Value
--- -----
secret_id 575f23e4-01ad-25f7-2661-9c9bdbb1cf81
secret_id_accessor 7d8a40b7-a6fd-a634-579b-b7d673ff86fb
```
NOTE: To retrieve the Secret ID alone, you can use `jq` as follows:
2018-01-09 23:12:08 +00:00
```shell-session
2018-01-23 02:14:23 +00:00
$ VAULT_TOKEN=2577044d-cf86-a065-e28f-e2a14ea6eaf7 vault unwrap -format=json | jq -r ".data.secret_id"
2018-01-09 23:12:08 +00:00
b07d7a47-1d0d-741d-20b4-ae0de7c6d964
```
## Next steps
Read the [_AppRole with Terraform and
Chef_](/guides/identity/approle-trusted-entities) guide to better
understand the role of trusted entities using Terraform and Chef as an example.
To learn more about response wrapping, go to the [Cubbyhole Response
Wrapping](/guides/secret-mgmt/cubbyhole) guide.