open-vault/website/source/docs/auth/userpass.html.md

---
layout: "docs"
page_title: "Auth Backend: Username & Password"
sidebar_current: "docs-auth-userpass"
description: |-
  The "userpass" auth backend allows users to authenticate with Vault using a username and password.
---

Auth Backend: Username & Password

Name: userpass

The "userpass" auth backend allows users to authenticate with Vault using a username and password combination.

The username/password combinations are configured directly to the auth backend using the users/ path. This backend cannot read usernames and passwords from an external source.

Authentication

Via the CLI

$ vault auth -method=userpass \
    username=foo \
    password=bar

Via the API

The endpoint for the login is auth/userpass/login/<username>.

The password should be sent in the POST body encoded as JSON.

$ curl $VAULT_ADDR/v1/auth/userpass/login/mitchellh \
    -d '{ "password": "foo" }'

The response will be in JSON. For example:

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "root"
    ],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 0,
    "renewable": false
  }
}

Configuration

First, you must enable the username/password auth backend:

$ vault auth-enable userpass
Successfully enabled 'userpass' at 'userpass'!

Now when you run vault auth -methods, the username/password backend is available:

Path       Type      Description
token/     token     token based credentials
userpass/  userpass

To use the "userpass" auth backend, an operator must configure it with users that are allowed to authenticate. An example is shown below. Use vault path-help for more details.

$ vault write auth/userpass/users/mitchellh \
    password=foo \
    policies=root
...

The above creates a new user "mitchellh" with the password "foo" that will be associated with the "root" policy. This is the only configuration necessary.

API

/auth/userpass/users/[username]

POST

Description
Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.
Method
POST
URL
`/auth/userpass/users/[username]`
Parameters
  • username required Username for this user.
  • password required Password for this user.
  • policies optional Comma-separated list of policies. If set to empty string, only the `default` policy will be applicable to the user.
  • ttl optional The lease duration which decides login expiration.
  • max_ttl optional Maximum duration after which login should expire.
Returns
`204` response code.

/auth/userpass/users/[username]/password

POST

Description
Update the password for an existing user.
Method
POST
URL
`/auth/userpass/users/[username]/password`
Parameters
  • username required Username for this user.
  • password required Password for this user.
Returns
`204` response code.

/auth/userpass/users/[username]/policies

POST

Description
Update the policies associated with an existing user.
Method
POST
URL
`/auth/userpass/users/[username]/policies`
Parameters
  • username required Username for this user.
  • policies optional Comma-separated list of policies. If this field is not supplied, the policies will be unchanged. If set to empty string, only the `default` policy will be applicable to the user.
Returns
`204` response code.

/auth/userpass/login/[username]

POST

Description
Log in with the given username and password and receive a client token.
Method
POST
URL
`/auth/userpass/login/[username]`
Parameters
  • username required Username for this user.
  • password required Password for this user.
Returns
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
    "policies": ["default"],
    "metadata": {
      "username": "vishal"
    },
    "lease_duration": 7200,
    "renewable": true
  }
}
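The following is an added example, not code from the Vault project or this page, that exercises the user-management and login endpoints documented above from a small Python client. It assembles each request with pure functions (so the URL, headers and body can be inspected offline), parses the login response shown on this page, and flags two things a defender would want to notice: a token whose `lease_duration` is 0 never expires (set `ttl`/`max_ttl` on the user), and a user carrying the `root` policy, as the CLI example on this page does. Sending the password in the JSON body rather than on the command line also keeps it out of shell history and process listings. Assumptions: `VAULT_ADDR` points at a server with the backend mounted at `auth/userpass`, `VAULT_TOKEN` is an operator token allowed to write `auth/userpass/users/*`, and the user name `deploy` and policy name `deploy-ro` are placeholders; the two sample responses are copied from this page.

```python
"""Minimal userpass client for the Vault HTTP API (added example, not Vault's own code)."""
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policies that should never be attached to a password-authenticated user.
PRIVILEGED_POLICIES = {"root"}

# Constructed from the two login responses shown on this page.
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "lease_id": "", "renewable": False, "lease_duration": 0, "data": None, "warnings": None,
    "auth": {"client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
             "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
             "policies": ["default"], "metadata": {"username": "vishal"},
             "lease_duration": 7200, "renewable": True}})
SAMPLE_ROOT_RESPONSE = json.dumps({
    "lease_id": "", "renewable": False, "lease_duration": 0, "data": None,
    "auth": {"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb", "policies": ["root"],
             "metadata": {"username": "mitchellh"}, "lease_duration": 0, "renewable": False}})

Request = Tuple[str, Dict[str, str], Dict[str, str]]  # (url, headers, json body)


def build_user_request(addr: str, token: str, username: str, password: str,
                       policies: List[str], ttl: Optional[str] = None,
                       max_ttl: Optional[str] = None) -> Request:
    """POST /v1/auth/userpass/users/<username>: create or update a user.

    An empty policy list becomes "", which per the docs leaves the user with only `default`.
    """
    body = {"password": password, "policies": ",".join(policies)}
    if ttl is not None:
        body["ttl"] = ttl
    if max_ttl is not None:
        body["max_ttl"] = max_ttl
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    return f"{addr}/v1/auth/userpass/users/{username}", headers, body


def build_login_request(addr: str, username: str, password: str) -> Request:
    """POST /v1/auth/userpass/login/<username>; no token header, password in the body only."""
    return (f"{addr}/v1/auth/userpass/login/{username}",
            {"Content-Type": "application/json"}, {"password": password})


@dataclass
class LoginResult:
    client_token: str
    accessor: Optional[str]   # absent in older responses, as in the first sample on this page
    policies: List[str]
    lease_duration: int       # seconds; 0 means the token does not expire
    renewable: bool


def parse_login_response(raw: str) -> LoginResult:
    """Extract the fields a caller needs from a login response; reject error bodies."""
    doc = json.loads(raw)
    auth = doc.get("auth")
    if not auth or not auth.get("client_token"):
        raise ValueError(f"login failed: {doc.get('errors')}")
    return LoginResult(client_token=auth["client_token"], accessor=auth.get("accessor"),
                       policies=list(auth.get("policies", [])),
                       lease_duration=int(auth.get("lease_duration", 0)),
                       renewable=bool(auth.get("renewable", False)))


def token_warnings(result: LoginResult) -> List[str]:
    """Properties of an issued token that an operator should review."""
    warnings = []
    if result.lease_duration == 0:
        warnings.append("token never expires (lease_duration 0); set ttl/max_ttl on the user")
    privileged = PRIVILEGED_POLICIES & set(result.policies)
    if privileged:
        warnings.append("token carries privileged policies: " + ", ".join(sorted(privileged)))
    return warnings


def send(request: Request) -> Tuple[int, str]:
    """Perform one of the requests above; a 204 (user created/updated) has an empty body."""
    url, headers, body = request
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    import getpass
    addr, admin = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    pw = getpass.getpass("password for deploy: ")   # never passed on the command line
    status, _ = send(build_user_request(addr, admin, "deploy", pw, ["deploy-ro"], "1h", "24h"))
    print("user write ->", status)
    _, body = send(build_login_request(addr, "deploy", pw))
    res = parse_login_response(body)
    print("policies", res.policies, "lease", res.lease_duration, "warnings", token_warnings(res))
```

Run against a live server, the script creates the user with a bounded token lifetime and a non-root policy, logs in with it, and prints the resulting policies and lease; the parse and warning functions can be exercised offline against the two sample responses from this page.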