2018-01-09 23:12:08 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: guides
|
|
|
|
page_title: AppRole Pull Authentication - Guides
|
|
|
|
sidebar_title: AppRole Pull Authentication
|
2018-01-09 23:12:08 +00:00
|
|
|
description: |-
|
|
|
|
Authentication is a process in Vault by which user or machine-supplied
|
|
|
|
information is verified to create a token with pre-configured policy.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Authentication
|
|
|
|
|
|
|
|
Before a client can interact with Vault, it must authenticate against an [**auth
|
2020-01-22 20:05:41 +00:00
|
|
|
method**](/docs/auth) to acquire a token. This token has policies attached so
|
2018-01-09 23:12:08 +00:00
|
|
|
that the behavior of the client can be governed.
|
|
|
|
|
|
|
|
Since tokens are the core method for authentication within Vault, there is a
|
2018-03-16 00:16:59 +00:00
|
|
|
**token** auth method (often referred to as **_token store_**). This is a special
|
|
|
|
auth method responsible for creating and storing tokens.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
### Auth Methods
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Auth methods perform authentication to verify the user or machine-supplied
|
|
|
|
information. Some of the supported auth methods are targeted towards users
|
2018-01-09 23:12:08 +00:00
|
|
|
while others are targeted toward machines or apps. For example,
|
2020-01-22 20:05:41 +00:00
|
|
|
[**LDAP**](/docs/auth/ldap) auth method enables user authentication using
|
|
|
|
an existing LDAP server while [**AppRole**](/docs/auth/approle) auth
|
2018-03-16 00:16:59 +00:00
|
|
|
method is recommended for machines or apps.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-01-22 20:05:41 +00:00
|
|
|
The [Getting Started](/intro/getting-started/authentication) guide walks you
|
2018-03-16 00:16:59 +00:00
|
|
|
through how to enable the GitHub auth method for user authentication.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
This introductory guide focuses on generating tokens for machines or apps by
|
2020-01-22 20:05:41 +00:00
|
|
|
enabling the [**AppRole**](/docs/auth/approle) auth method.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
## Reference Material
|
|
|
|
|
2020-01-22 20:05:41 +00:00
|
|
|
- [AppRole Auth Method](/docs/auth/approle)
|
|
|
|
- [AppRole Auth Method (API)](/api/auth/approle)
|
2018-03-16 00:16:59 +00:00
|
|
|
- [Authenticating Applications with HashiCorp Vault AppRole](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle)
|
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
## Estimated Time to Complete
|
|
|
|
|
|
|
|
10 minutes
|
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
## Personas
|
|
|
|
|
|
|
|
The end-to-end scenario described in this guide involves two personas:
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
- **`admin`** with privileged permissions to configure an auth method
|
2018-01-19 01:40:35 +00:00
|
|
|
- **`app`** is the consumer of secrets stored in Vault
|
|
|
|
|
2018-01-10 19:14:59 +00:00
|
|
|
## Challenge
|
|
|
|
|
|
|
|
Think of a scenario where a DevOps team wants to configure Jenkins to read
|
2018-02-01 17:50:59 +00:00
|
|
|
secrets from Vault so that it can inject the secrets to an app's environment
|
2018-01-19 01:40:35 +00:00
|
|
|
variables (e.g. `MYSQL_DB_HOST`) at deployment time.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Instead of hardcoding secrets in each build script as plain text, Jenkins
|
2018-01-19 01:40:35 +00:00
|
|
|
retrieves secrets from Vault.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
As a user, you can authenticate with Vault using your LDAP credentials, and
|
2018-03-16 00:16:59 +00:00
|
|
|
Vault generates a token. This token has policies granting you permission to perform
|
|
|
|
the appropriate operations.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
|
|
|
How can a Jenkins server programmatically request a token so that it can read
|
2018-09-28 21:43:15 +00:00
|
|
|
secrets from Vault?
|
2018-01-10 19:14:59 +00:00
|
|
|
|
|
|
|
## Solution
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Enable **AppRole** auth method so that the Jenkins server can obtain a Vault
|
2018-01-19 01:40:35 +00:00
|
|
|
token with appropriate policies attached. Since each AppRole has attached
|
|
|
|
policies, you can write fine-grained policies limiting which app can access
|
2018-09-28 21:43:15 +00:00
|
|
|
which path.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
## Prerequisites
|
|
|
|
|
|
|
|
To perform the tasks described in this guide, you need to have a Vault
|
2020-01-18 00:18:09 +00:00
|
|
|
environment. Refer to the [Getting
|
2020-01-22 20:05:41 +00:00
|
|
|
Started](/intro/getting-started/install) guide to install Vault. Make sure
|
2018-01-19 01:40:35 +00:00
|
|
|
that your Vault server has been [initialized and
|
2020-01-22 20:05:41 +00:00
|
|
|
unsealed](/intro/getting-started/deploy).
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-25 00:01:44 +00:00
|
|
|
### Policy requirements
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
|
2018-01-23 02:14:23 +00:00
|
|
|
with Vault. However, it is recommended that root tokens are only used for just
|
|
|
|
enough initial setup or in emergencies. As a best practice, use tokens with
|
2018-03-16 00:16:59 +00:00
|
|
|
an appropriate set of policies based on your role in the organization.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2018-01-25 00:01:44 +00:00
|
|
|
To perform all tasks demonstrated in this guide, your policy must include the
|
|
|
|
following permissions:
|
2018-01-19 01:40:35 +00:00
|
|
|
|
|
|
|
```shell
|
2018-03-16 00:16:59 +00:00
|
|
|
# Mount the AppRole auth method
|
2018-01-25 02:10:56 +00:00
|
|
|
path "sys/auth/approle" {
|
|
|
|
capabilities = [ "create", "read", "update", "delete", "sudo" ]
|
|
|
|
}
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
# Configure the AppRole auth method
|
2018-01-19 01:40:35 +00:00
|
|
|
path "sys/auth/approle/*" {
|
|
|
|
capabilities = [ "create", "read", "update", "delete" ]
|
|
|
|
}
|
|
|
|
|
|
|
|
# Create and manage roles
|
|
|
|
path "auth/approle/*" {
|
|
|
|
capabilities = [ "create", "read", "update", "delete", "list" ]
|
|
|
|
}
|
|
|
|
|
|
|
|
# Write ACL policies
|
|
|
|
path "sys/policy/*" {
|
|
|
|
capabilities = [ "create", "read", "update", "delete", "list" ]
|
|
|
|
}
|
|
|
|
|
|
|
|
# Write test data
|
2018-08-02 15:38:51 +00:00
|
|
|
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
|
2018-01-19 01:40:35 +00:00
|
|
|
path "secret/mysql/*" {
|
|
|
|
capabilities = [ "create", "read", "update", "delete", "list" ]
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
If you are not familiar with policies, complete the
|
2020-01-22 20:05:41 +00:00
|
|
|
[policies](/guides/identity/policies) guide.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
## Steps
|
|
|
|
|
2020-01-22 20:05:41 +00:00
|
|
|
[AppRole](/docs/auth/approle) is an authentication mechanism within Vault
|
2018-01-23 02:14:23 +00:00
|
|
|
to allow machines or apps to acquire a token to interact with Vault. It uses
|
|
|
|
**Role ID** and **Secret ID** for login.
|
2018-01-10 19:14:59 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
The basic workflow is:
|
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
|
|
|
![AppRole auth method workflow](/img/vault-approle-workflow.png)
|
2018-01-10 19:14:59 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
> For the purpose of introducing the basics of AppRole, this guide walks you
|
2018-01-23 23:43:07 +00:00
|
|
|
> through a very simple scenario involving only two personas (admin and app).
|
|
|
|
> Please refer to the [Advanced Features](#advanced-features) section for
|
|
|
|
> further discussions after completing the following steps.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2018-01-10 19:14:59 +00:00
|
|
|
In this guide, you are going to perform the following steps:
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
1. [Enable AppRole auth method](#step1)
|
|
|
|
1. [Create a role with policy attached](#step2)
|
|
|
|
1. [Get Role ID and Secret ID](#step3)
|
|
|
|
1. [Login with Role ID & Secret ID](#step4)
|
|
|
|
1. [Read secrets using the AppRole token](#step5)
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
Step 1 through 3 need to be performed by an `admin` user. Step 4 and 5 describe
|
2018-01-19 01:40:35 +00:00
|
|
|
the commands that an `app` runs to get a token and read secrets from Vault.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
### Step 1: Enable AppRole auth method ((#step1))
|
2020-01-18 00:18:09 +00:00
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
(**Persona:** admin)
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Like many other auth methods, AppRole must be enabled before it can be used.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
#### CLI command
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Enable `approle` auth method by executing the following command:
|
2018-01-23 23:43:07 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault auth enable approle
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
#### API call using cURL
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Enable `approle` auth method by mounting its endpoint at `/sys/auth/approle`:
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token: <TOKEN>" \
|
|
|
|
--request POST \
|
|
|
|
--data <PARAMETERS> \
|
|
|
|
<VAULT_ADDRESS>/v1/sys/auth/approle
|
|
|
|
```
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
|
2020-01-22 20:05:41 +00:00
|
|
|
parameters](/api/system/auth#enable-auth-method) of the method.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
**Example:**
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token: ..." \
|
|
|
|
--request POST \
|
|
|
|
--data '{"type": "approle"}' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/auth/approle
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
The above example passes the **type** (`approle`) in the request payload
|
2018-01-23 02:14:23 +00:00
|
|
|
at the `sys/auth/approle` endpoint.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
### Step 2: Create a role with policy attached ((#step2))
|
2020-01-18 00:18:09 +00:00
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
(**Persona:** admin)
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
When you enabled the AppRole auth method, it gets mounted at the
|
2018-01-09 23:12:08 +00:00
|
|
|
**`/auth/approle`** path. In this example, you are going to create a role for
|
2018-03-16 00:16:59 +00:00
|
|
|
the **`app`** persona (`jenkins` in our scenario).
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
The scenario in this guide requires the `app` to have the
|
2018-01-19 01:40:35 +00:00
|
|
|
following policy (`jenkins-pol.hcl`):
|
|
|
|
|
|
|
|
```shell
|
|
|
|
# Login with AppRole
|
|
|
|
path "auth/approle/login" {
|
|
|
|
capabilities = [ "create", "read" ]
|
|
|
|
}
|
|
|
|
|
|
|
|
# Read test data
|
2018-08-02 15:38:51 +00:00
|
|
|
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
|
2018-01-19 01:40:35 +00:00
|
|
|
path "secret/mysql/*" {
|
|
|
|
capabilities = [ "read" ]
|
|
|
|
}
|
2018-08-02 15:38:51 +00:00
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
```
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
#### CLI command
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Before creating a role, create a `jenkins` policy:
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault policy write jenkins jenkins-pol.hcl
|
2018-01-19 01:40:35 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
The command to create a new AppRole:
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 23:43:07 +00:00
|
|
|
$ vault write auth/approle/role/<ROLE_NAME> [parameters]
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
> There are a number of
|
2020-03-31 19:21:16 +00:00
|
|
|
> [parameters](/api/auth/approle#create-update-approle) that you can set
|
2018-01-23 23:43:07 +00:00
|
|
|
> on a role. If you want to limit the use of the generated secret ID, set
|
|
|
|
> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
|
|
|
|
> specify `token_num_uses` and `token_ttl`. You may never want the app token to
|
2020-01-18 00:18:09 +00:00
|
|
|
> expire. In such a case, specify the `period` so that the token generated by
|
|
|
|
> this AppRole is a periodic token. To learn more about periodic token, refer to
|
2020-01-22 20:05:41 +00:00
|
|
|
> the [Tokens and Leases](/guides/identity/lease#step4) guide.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
The following example creates a role named `jenkins` with `jenkins` policy
|
|
|
|
attached. (NOTE: This example creates a role operates in [**pull**
|
2020-01-22 20:05:41 +00:00
|
|
|
mode](/docs/auth/approle).)
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-19 01:40:35 +00:00
|
|
|
$ vault write auth/approle/role/jenkins policies="jenkins"
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
# Read the jenkins role
|
2018-01-09 23:12:08 +00:00
|
|
|
$ vault read auth/approle/role/jenkins
|
|
|
|
|
|
|
|
Key Value
|
|
|
|
--- -----
|
|
|
|
bind_secret_id true
|
|
|
|
bound_cidr_list
|
|
|
|
period 0
|
2018-01-19 01:40:35 +00:00
|
|
|
policies [jenkins]
|
2018-01-09 23:12:08 +00:00
|
|
|
secret_id_num_uses 0
|
|
|
|
secret_id_ttl 0
|
|
|
|
token_max_ttl 0
|
|
|
|
token_num_uses 0
|
|
|
|
token_ttl 0
|
|
|
|
```
|
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
**NOTE:** To attach multiple policies, pass the policy names as a comma
|
|
|
|
separated string.
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ vault write auth/approle/role/jenkins policies="jenkins,anotherpolicy"
|
2020-01-18 00:18:09 +00:00
|
|
|
```
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
#### API call using cURL
|
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
Before creating a role, create `jenkins` policy:
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token: ..." --request PUT --data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/policy/jenkins
|
2018-01-19 01:40:35 +00:00
|
|
|
|
|
|
|
$ cat payload.json
|
|
|
|
{
|
|
|
|
"policy": "path \"auth/approle/login\" { capabilities = [ \"create\", \"read\" ] } ... }"
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Now, you are ready to create a role.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
**Example:**
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
The following example creates a role named `jenkins` with a `jenkins` policy
|
|
|
|
attached. (NOTE: This example creates a role which operates in [**pull**
|
2020-01-22 20:05:41 +00:00
|
|
|
mode](/docs/auth/approle).)
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token: ..." --request POST \
|
|
|
|
--data '{"policies":"jenkins"}' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/approle/role/jenkins
|
2018-01-23 23:43:07 +00:00
|
|
|
```
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
> There are a number of
|
2020-03-31 19:21:16 +00:00
|
|
|
> [parameters](/api/auth/approle#create-update-approle) that you can set
|
2018-01-23 23:43:07 +00:00
|
|
|
> on a role. If you want to limit the use of the generated secret ID, set
|
|
|
|
> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
|
|
|
|
> specify `token_num_uses` and `token_ttl`. You may never want the app token to
|
2020-01-18 00:18:09 +00:00
|
|
|
> expire. In such a case, specify the `period` so that the token generated by
|
|
|
|
> this AppRole is a periodic token. To learn more about periodic tokens, refer to
|
2020-01-22 20:05:41 +00:00
|
|
|
> the [Tokens and Leases](/guides/identity/lease#step4) guide.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
**NOTE:** To attach multiple policies, pass the policy names as a comma
|
|
|
|
separated string.
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 23:43:07 +00:00
|
|
|
$ curl --header "X-Vault-Token:..."
|
|
|
|
--request POST \
|
|
|
|
--data '{"policies":"jenkins,anotherpolicy"}' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/approle/role/jenkins
|
2020-01-18 00:18:09 +00:00
|
|
|
```
|
2018-01-23 23:43:07 +00:00
|
|
|
|
|
|
|
To read the jenkins role you just created:
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token: ..." --request GET \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/approle/role/jenkins | jq
|
2018-01-19 01:40:35 +00:00
|
|
|
{
|
|
|
|
"request_id": "b18054ad-1ab5-8d83-eeed-193d97026ee7",
|
|
|
|
"lease_id": "",
|
|
|
|
"renewable": false,
|
|
|
|
"lease_duration": 0,
|
|
|
|
"data": {
|
|
|
|
"bind_secret_id": true,
|
|
|
|
"bound_cidr_list": "",
|
|
|
|
"period": 0,
|
|
|
|
"policies": [
|
|
|
|
"jenkins"
|
|
|
|
],
|
|
|
|
"secret_id_num_uses": 0,
|
|
|
|
"secret_id_ttl": 0,
|
|
|
|
"token_max_ttl": 0,
|
|
|
|
"token_num_uses": 0,
|
|
|
|
"token_ttl": 0
|
|
|
|
},
|
|
|
|
"wrap_info": null,
|
|
|
|
"warnings": null,
|
|
|
|
"auth": null
|
|
|
|
}
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
### Step 3: Get Role ID and Secret ID ((#step3))
|
2020-01-18 00:18:09 +00:00
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
(**Persona:** admin)
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-02-01 17:50:59 +00:00
|
|
|
**Role ID** and **Secret ID** are like a username and password that a machine or
|
2018-01-23 23:43:07 +00:00
|
|
|
app uses to authenticate.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2018-01-10 19:14:59 +00:00
|
|
|
Since the example created a `jenkins` role which operates in pull mode, Vault
|
2018-01-23 23:43:07 +00:00
|
|
|
will generate the Secret ID. You can set properties such as usage-limit, TTLs,
|
|
|
|
and expirations on the secret IDs to control its lifecycle.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
#### CLI command
|
|
|
|
|
|
|
|
Now, you need to fetch the Role ID and Secret ID of a role.
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
To read the Role ID:
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ vault read auth/approle/role/<ROLE_NAME>/role-id
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
To generate a new Secret ID:
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ vault write -f auth/approle/role/<ROLE_NAME>/secret-id
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
NOTE: The `-f` flag forces the `write` operation to continue without any data
|
|
|
|
values specified. Alternatively, you can set
|
2020-01-22 20:05:41 +00:00
|
|
|
[parameters](/api/auth/approle#generate-new-secret-id) such as
|
2018-01-23 23:43:07 +00:00
|
|
|
`cidr_list`.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
**Example:**
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-09 23:12:08 +00:00
|
|
|
$ vault read auth/approle/role/jenkins/role-id
|
|
|
|
Key Value
|
|
|
|
--- -----
|
|
|
|
role_id 675a50e7-cfe0-be76-e35f-49ec009731ea
|
|
|
|
|
|
|
|
$ vault write -f auth/approle/role/jenkins/secret-id
|
|
|
|
Key Value
|
|
|
|
--- -----
|
|
|
|
secret_id ed0a642f-2acf-c2da-232f-1b21300d5f29
|
|
|
|
secret_id_accessor a240a31f-270a-4765-64bd-94ba1f65703c
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
|
|
|
|
the role in [Step 2](#step2), the generated secret ID carries out the conditions.
|
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
#### API call using cURL
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
To read the Role ID:
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token:..." \
|
|
|
|
--request GET \
|
|
|
|
<VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/role-id
|
|
|
|
```
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
To generate a new Secret ID:
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token:..." \
|
|
|
|
--request POST \
|
2018-01-23 23:43:07 +00:00
|
|
|
--data <PARAMETERS>
|
2018-01-23 02:14:23 +00:00
|
|
|
<VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/secret-id
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
You can pass
|
2020-01-22 20:05:41 +00:00
|
|
|
[parameters](/api/auth/approle#generate-new-secret-id) in the request
|
2018-03-16 00:16:59 +00:00
|
|
|
payload, or invoke the API with an empty payload.
|
2018-01-23 23:43:07 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
**Example:**
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token:..." --request GET \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/approle/role/jenkins/role-id | jq
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token:..." --request POST \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/approle/role/jenkins/secret-id | jq
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
|
|
|
|
the role in [Step 2](#step2), the generated secret ID carries out the conditions.
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
### Step 4: Login with Role ID & Secret ID ((#step4))
|
2020-01-18 00:18:09 +00:00
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
(**Persona:** app)
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
The client (in this case, Jenkins) uses the role ID and secret ID passed by the
|
|
|
|
admin to authenticate with Vault. If Jenkins did not receive the role ID and/or
|
2018-01-23 02:14:23 +00:00
|
|
|
secret ID, the admin needs to investigate.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
-> Refer to the [Advanced Features](#advanced-features) section for further
|
|
|
|
discussion on distributing the role ID and secret ID to the client app
|
|
|
|
securely.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
#### CLI command
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
**Example:**
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ vault write auth/approle/login role_id="675a50e7-cfe0-be76-e35f-49ec009731ea" \
|
2018-01-09 23:12:08 +00:00
|
|
|
secret_id="ed0a642f-2acf-c2da-232f-1b21300d5f29"
|
|
|
|
|
|
|
|
Key Value
|
|
|
|
--- -----
|
|
|
|
token eeaf890e-4b0f-a687-4190-c75b1d6d70bc
|
|
|
|
token_accessor fcee5d4e-7281-8bb0-2901-e743c52e0502
|
|
|
|
token_duration 768h0m0s
|
|
|
|
token_renewable true
|
2018-01-19 01:40:35 +00:00
|
|
|
token_policies [jenkins]
|
2018-01-09 23:12:08 +00:00
|
|
|
token_meta_role_name "jenkins"
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Now you have a **client token** with `default` and `jenkins` policies attached.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2018-01-09 23:12:08 +00:00
|
|
|
#### API call using cURL
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID
|
2018-01-23 02:14:23 +00:00
|
|
|
in the request payload.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 23:43:07 +00:00
|
|
|
$ cat payload.json
|
2018-01-09 23:12:08 +00:00
|
|
|
{
|
|
|
|
"role_id": "675a50e7-cfe0-be76-e35f-49ec009731ea",
|
|
|
|
"secret_id": "ed0a642f-2acf-c2da-232f-1b21300d5f29"
|
|
|
|
}
|
|
|
|
|
2018-03-23 15:41:51 +00:00
|
|
|
$ curl --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/approle/login | jq
|
2018-01-19 01:40:35 +00:00
|
|
|
{
|
|
|
|
"request_id": "fccae32b-1e6a-9a9c-7666-f5cb07805c1e",
|
|
|
|
"lease_id": "",
|
|
|
|
"renewable": false,
|
|
|
|
"lease_duration": 0,
|
|
|
|
"data": null,
|
|
|
|
"wrap_info": null,
|
|
|
|
"warnings": null,
|
|
|
|
"auth": {
|
2018-09-28 21:43:15 +00:00
|
|
|
"client_token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc",
|
|
|
|
"accessor": "fcee5d4e-7281-8bb0-2901-e743c52e0502",
|
2018-01-19 01:40:35 +00:00
|
|
|
"policies": [
|
|
|
|
"default",
|
|
|
|
"jenkins"
|
|
|
|
],
|
|
|
|
"metadata": {
|
|
|
|
"role_name": "jenkins"
|
|
|
|
},
|
|
|
|
"lease_duration": 2764800,
|
|
|
|
"renewable": true,
|
|
|
|
"entity_id": "54e0b765-6daf-0ff5-70b9-32c0d491f473"
|
|
|
|
}
|
|
|
|
}
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Now you have a **client token** with `default` and `jenkins` policies attached.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
### Step 5: Read secrets using the AppRole token ((#step5))
|
2020-01-18 00:18:09 +00:00
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
(**Persona:** app)
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Once receiving a token from Vault, the client can make future requests using
|
|
|
|
this token.
|
2018-01-10 19:14:59 +00:00
|
|
|
|
2018-01-19 01:40:35 +00:00
|
|
|
#### CLI command
|
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
|
|
|
You can pass the `client_token` returned in [Step 4](#step4) as a part of the
|
|
|
|
CLI command.
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-04-04 06:22:41 +00:00
|
|
|
$ VAULT_TOKEN=3e7dd0ac-8b3e-8f88-bb37-a2890455ca6e vault kv get secret/mysql/webapp
|
2018-01-19 01:40:35 +00:00
|
|
|
No value found at secret/mysql/webapp
|
|
|
|
```
|
|
|
|
|
|
|
|
Alternatively, you can first authenticate with Vault using the `client_token`.
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-09-28 21:43:15 +00:00
|
|
|
$ vault login eeaf890e-4b0f-a687-4190-c75b1d6d70bc
|
2018-01-19 01:40:35 +00:00
|
|
|
Successfully authenticated! You are now logged in.
|
2018-09-28 21:43:15 +00:00
|
|
|
token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc
|
2018-01-19 01:40:35 +00:00
|
|
|
token_duration: 2762013
|
|
|
|
token_policies: [default jenkins]
|
|
|
|
|
2018-04-04 06:22:41 +00:00
|
|
|
$ vault kv get secret/mysql/webapp
|
2018-01-19 01:40:35 +00:00
|
|
|
No value found at secret/mysql/webapp
|
|
|
|
```
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Since there is no value at `secret/mysql/webapp`, it returns a "no value
|
2018-01-19 01:40:35 +00:00
|
|
|
found" message.
|
|
|
|
|
|
|
|
**Optional:** Using the `admin` user's token, you can store some secrets in the
|
2018-03-16 00:16:59 +00:00
|
|
|
`secret/mysql/webapp` path.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-08-02 15:38:51 +00:00
|
|
|
$ vault kv put secret/mysql/webapp @mysqldb.txt
|
2018-01-19 01:40:35 +00:00
|
|
|
|
|
|
|
$ cat mysqldb.txt
|
|
|
|
{
|
|
|
|
"url": "foo.example.com:35533",
|
|
|
|
"db_name": "users",
|
|
|
|
"username": "admin",
|
|
|
|
"password": "pa$$w0rd"
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
|
2018-01-19 01:40:35 +00:00
|
|
|
This time, it should return the values you just created.
|
|
|
|
|
|
|
|
#### API call using cURL
|
|
|
|
|
|
|
|
You can now pass the `client_token` returned in [Step 4](#step4) in the
|
2018-10-17 14:38:15 +00:00
|
|
|
**`X-Vault-Token`** or **`Authorization`** header.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-09-28 21:43:15 +00:00
|
|
|
$ curl --header "X-Vault-Token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc" \
|
2018-01-23 02:14:23 +00:00
|
|
|
--request GET \
|
2018-04-04 06:22:41 +00:00
|
|
|
http://127.0.0.1:8200/v1/secret/data/mysql/webapp | jq
|
2018-01-19 01:40:35 +00:00
|
|
|
{
|
|
|
|
"errors": []
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Since there is no value at `secret/mysql/webapp`, it returns an empty array.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
**Optional:** Using the **`admin`** user's token, create some secrets in the
|
2018-03-16 00:16:59 +00:00
|
|
|
`secret/mysql/webapp` path.
|
2018-01-19 01:40:35 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ curl --header "X-Vault-Token: ..." --request POST --data @mysqldb.txt \
|
2018-01-19 01:40:35 +00:00
|
|
|
|
|
|
|
$ cat mysqldb.text
|
|
|
|
{
|
|
|
|
"url": "foo.example.com:35533",
|
|
|
|
"db_name": "users",
|
|
|
|
"username": "admin",
|
|
|
|
"password": "p@ssw0rd"
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
|
2018-01-19 01:40:35 +00:00
|
|
|
This time, it should return the values you just created.
|
|
|
|
|
2018-01-18 01:39:21 +00:00
|
|
|
## Advanced Features
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
The Role ID is equivalent to a username, and Secret ID is the corresponding
|
2018-01-23 23:43:07 +00:00
|
|
|
password. The app needs both to log in with Vault. Naturally, the next question
|
2018-03-16 00:16:59 +00:00
|
|
|
becomes how to deliver those values to the expected client.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
A common solution involves **three personas** instead of two: `admin`, `app`, and
|
|
|
|
`trusted entity`. The `trusted entity` delivers the Role ID and Secret ID to the
|
2018-09-28 21:43:15 +00:00
|
|
|
client by separate means.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2018-02-01 17:50:59 +00:00
|
|
|
For example, Terraform as a trusted entity can deliver the Role ID onto the
|
2020-01-18 00:18:09 +00:00
|
|
|
virtual machine. When the app runs on the virtual machine, the Role ID already
|
2018-02-01 17:50:59 +00:00
|
|
|
exists on the virtual machine.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
|
|
|
![AppRole auth method workflow](/img/vault-approle-workflow2.png)
|
2018-01-23 23:43:07 +00:00
|
|
|
|
2018-08-30 16:45:18 +00:00
|
|
|
The secret ID can be delivered using [**response
|
2020-01-22 20:05:41 +00:00
|
|
|
wrapping**](/docs/concepts/response-wrapping) to transmit the _reference_
|
2018-08-30 16:45:18 +00:00
|
|
|
to the secret ID rather than the actual value.
|
2018-01-23 02:14:23 +00:00
|
|
|
|
|
|
|
In [Step 3](#step3), you executed the following command to retrieve the Secret
|
2018-01-10 19:14:59 +00:00
|
|
|
ID:
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ vault write -f auth/approle/role/jenkins/secret-id
|
2018-01-09 23:12:08 +00:00
|
|
|
```
|
|
|
|
|
2018-01-23 02:14:23 +00:00
|
|
|
Instead, use response wrapping by passing the **`-wrap-ttl`** parameter:
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ vault write -wrap-ttl=60s -f auth/approle/role/jenkins/secret-id
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
Key Value
|
|
|
|
--- -----
|
|
|
|
wrapping_token: 9bbe23b7-5f8c-2aec-83dc-e97e94a2e632
|
|
|
|
wrapping_accessor: cb5bdc8f-0cdb-35ff-0e68-9de57a79c3bf
|
|
|
|
wrapping_token_ttl: 1m0s
|
|
|
|
wrapping_token_creation_time: 2018-01-08 21:29:38.826611 -0800 PST
|
|
|
|
wrapping_token_creation_path: auth/approle/role/jenkins/secret-id
|
|
|
|
```
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
Send this `wrapping_token` to the client so that the response can be unwrapped and
|
2018-01-23 02:14:23 +00:00
|
|
|
obtain the Secret ID.
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ VAULT_TOKEN=9bbe23b7-5f8c-2aec-83dc-e97e94a2e632 vault unwrap
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
Key Value
|
|
|
|
--- -----
|
|
|
|
secret_id 575f23e4-01ad-25f7-2661-9c9bdbb1cf81
|
|
|
|
secret_id_accessor 7d8a40b7-a6fd-a634-579b-b7d673ff86fb
|
|
|
|
```
|
|
|
|
|
2018-03-16 00:16:59 +00:00
|
|
|
NOTE: To retrieve the Secret ID alone, you can use `jq` as follows:
|
2018-01-09 23:12:08 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2018-01-23 02:14:23 +00:00
|
|
|
$ VAULT_TOKEN=2577044d-cf86-a065-e28f-e2a14ea6eaf7 vault unwrap -format=json | jq -r ".data.secret_id"
|
2018-01-09 23:12:08 +00:00
|
|
|
|
|
|
|
b07d7a47-1d0d-741d-20b4-ae0de7c6d964
|
|
|
|
```
|
|
|
|
|
|
|
|
## Next steps
|
|
|
|
|
2018-04-09 15:50:50 +00:00
|
|
|
Read the [_AppRole with Terraform and
|
2020-01-22 20:05:41 +00:00
|
|
|
Chef_](/guides/identity/approle-trusted-entities) guide to better
|
2018-08-30 16:45:18 +00:00
|
|
|
understand the role of trusted entities using Terraform and Chef as an example.
|
2018-03-16 00:16:59 +00:00
|
|
|
|
|
|
|
To learn more about response wrapping, go to the [Cubbyhole Response
|
2020-01-22 20:05:41 +00:00
|
|
|
Wrapping](/guides/secret-mgmt/cubbyhole) guide.
|