Before a client can interact with Vault, it must authenticate against an auth method to acquire a token. This token has policies attached so that the behavior of the client can be governed.
Since tokens are the core method for authentication within Vault, there is a token auth method (often referred to as token store). This is a special auth method responsible for creating and storing tokens.
»Auth Methods
Auth methods perform authentication to verify the user or machine-supplied information. Some of the supported auth methods are targeted towards users while others are targeted toward machines or apps. For example, LDAP auth method enables user authentication using an existing LDAP server while AppRole auth method is recommended for machines or apps.
The Getting Started tutorial walks you through how to enable the GitHub auth method for user authentication.
This introductory tutorial focuses on generating tokens for machines or apps by enabling the AppRole auth method.
»Personas
The end-to-end scenario described in this tutorial involves two personas:
admin
with privileged permissions to configure an auth methodapp
is the consumer of secrets stored in Vault
»Challenge
Think of a scenario where a DevOps team wants to configure Jenkins to read
secrets from Vault so that it can inject the secrets to an app's environment
variables (e.g. MYSQL_DB_HOST
) at deployment time.
Instead of hardcoding secrets in each build script as plain text, Jenkins retrieves secrets from Vault.
As a user, you can authenticate with Vault using your LDAP credentials, and Vault generates a token. This token has policies granting you permission to perform the appropriate operations.
How can a Jenkins server programmatically request a token so that it can read secrets from Vault?
»Solution
Enable AppRole auth method so that the Jenkins server can obtain a Vault token with appropriate policies attached. Since each AppRole has attached policies, you can write fine-grained policies limiting which app can access which path.
»Prerequisites
To perform the tasks described in this tutorial, you need to have a Vault environment. Refer to the Getting Started tutorial to install Vault. Make sure that your Vault server has been initialized and unsealed.
NOTE: An interactive tutorial is also available if you do not have a Vault environment to perform the steps described in this tutorial. Click the Show Terminal button to start.
»Policy requirements
NOTE: For the purpose of this tutorial, you can use the root
token to work
with Vault. However, it is recommended that root tokens are only used for just
enough initial setup or in emergencies. As a best practice, use tokens with
an appropriate set of policies based on your role in the organization.
To perform all tasks demonstrated in this tutorial, your policy must include the following permissions:
# Mount the AppRole auth method
path "sys/auth/approle" {
capabilities = [ "create", "read", "update", "delete", "sudo" ]
}
# Configure the AppRole auth method
path "sys/auth/approle/*" {
capabilities = [ "create", "read", "update", "delete" ]
}
# Create and manage roles
path "auth/approle/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Write ACL policies
path "sys/policies/acl/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
path "secret/mysql/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
If you are not familiar with policies, complete the policies tutorial.
»Scenario Introduction
AppRole is an authentication mechanism within Vault to allow machines or apps to acquire a token to interact with Vault. It uses RoleID and SecretID for login.
The basic workflow is:
For the purpose of introducing the basics of AppRole, this tutorial walks you through a very simple scenario involving only two personas (admin and app). Please refer to the Advanced Features section for further discussions after completing the following steps.
In this tutorial, you are going to perform the following steps:
- Enable AppRole auth method
- Create a role with policy attached
- Get RoleID and SecretID
- Login with RoleID & SecretID
- Read secrets using the AppRole token
Step 1 through 3 need to be performed by an admin
user. Step 4 and 5 describe
the commands that an app
runs to get a token and read secrets from Vault.
»Step 1: Enable AppRole auth method
(Persona: admin)
Like many other auth methods, AppRole must be enabled before it can be used.
Enable approle
auth method by executing the following command.
$ vault auth enable approle
»Step 2: Create a role with policy attached
(Persona: admin)
When you enabled the AppRole auth method, it gets mounted at the /auth/approle
path. In this example, you are going to create a role for the app
persona
(jenkins
in our scenario).
First, create a policy file named jenkins-pol.hcl
with following policies to
set appropriate permissions.
# Read-only permission on 'secret/data/mysql/*' path
path "secret/data/mysql/*" {
capabilities = [ "read", "update" ]
}
Before creating a role, create a
jenkins
policy.$ vault policy write jenkins jenkins-pol.hcl
The command to create a new AppRole:
$ vault write auth/approle/role/<ROLE_NAME> [parameters]
There are a number of parameters that you can set on a role. If you want to limit the use of the generated secret ID, set
secret_id_num_uses
orsecret_id_ttl
parameter values. Similarly, you can specifytoken_num_uses
andtoken_ttl
. You may never want the app token to expire. In such a case, specify theperiod
so that the token generated by this AppRole is a periodic token. To learn more about periodic tokens, refer to the Tokens tutorial.The following command creates a role named
jenkins
withjenkins
policy attached. The token's time-to-live (TTL) is set to 1 hour and can be renewed for up to 4 hours of its first creation. (NOTE: This example creates a role which operates in pull mode.)$ vault write auth/approle/role/jenkins token_policies="jenkins" \ token_ttl=1h token_max_ttl=4h
Read the
jenkins
role you created to verify.$ vault read auth/approle/role/jenkins Key Value --- ----- bind_secret_id true local_secret_ids false secret_id_bound_cidrs <nil> secret_id_num_uses 0 secret_id_ttl 0s token_bound_cidrs [] token_explicit_max_ttl 0s token_max_ttl 4h token_no_default_policy false token_num_uses 0 token_period 0s token_policies [jenkins] token_ttl 1h token_type default
NOTE: To attach multiple policies, pass the policy names as a comma separated string:
policies="jenkins,anotherpolicy"
»Step 3: Get RoleID and SecretID
The RoleID and SecretID are like a username and password that a machine or app uses to authenticate.
Since the example created a jenkins
role which operates in pull mode, Vault
will generate the SecretID. You can set properties such as usage-limit, TTLs,
and expirations on the SecretIDs to control its lifecycle.
To retrieve the RoleID, invoke the auth/approle/role/<ROLE_NAME>/role-id
endpoint. To generate a new SecretID, invoke the
auth/approle/role/<ROLE_NAME>/secret-id
endpoint.
Now, you need to fetch the RoleID and SecretID of a role.
Execute the following command to retrieve the RoleID for the
jenkins
role.$ vault read auth/approle/role/jenkins/role-id Key Value --- ----- role_id 675a50e7-cfe0-be76-e35f-49ec009731ea
Execute the following command to generate a SecretID for the
jenkins
role.$ vault write -f auth/approle/role/jenkins/secret-id Key Value --- ----- secret_id ed0a642f-2acf-c2da-232f-1b21300d5f29 secret_id_accessor a240a31f-270a-4765-64bd-94ba1f65703c
NOTE: The
-f
flag forces thewrite
operation to continue without any data values specified. Or you can set parameters such ascidr_list
.If you specified
secret_id_ttl
,secret_id_num_uses
, orbound_cidr_list
on the role in Step 2, the generated SecretID carries out the conditions.
»Step 4: Login with RoleID & SecretID
(Persona: app)
The client (in this case, Jenkins) uses the RoleID and SecretID passed by the admin to authenticate with Vault. If Jenkins did not receive the RoleID and/or SecretID, the admin needs to investigate.
Refer to the Advanced Features section for further discussion on distributing the RoleID and SecretID to the client app securely.
To login, use the auth/approle/login
endpoint by passing the RoleID and
SecretID.
Example:
$ vault write auth/approle/login role_id="675a50e7-cfe0-be76-e35f-49ec009731ea" \
secret_id="ed0a642f-2acf-c2da-232f-1b21300d5f29"
Key Value
--- -----
token s.ncEw5bAZJqvGJgl8pBDM0C5h
token_accessor gIQFfVhUd8fDsZjC7gLBMnQu
token_duration 1h
token_renewable true
token_policies ["default" "jenkins"]
identity_policies []
policies ["default" "jenkins"]
token_meta_role_name jenkins
Now you have a client token with default
and jenkins
policies attached.
»Step 5: Read secrets using the AppRole token
(Persona: app)
Once receiving a token from Vault, the client can make future requests using this token.
Example:
You can pass the client_token
returned in Step 4 as a part of the
CLI command.
$ VAULT_TOKEN=s.ncEw5bAZJqvGJgl8pBDM0C5h vault kv get secret/mysql/webapp
No value found at secret/mysql/webapp
Or you can first authenticate with Vault using the client_token
.
$ vault login s.ncEw5bAZJqvGJgl8pBDM0C5h
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.ncEw5bAZJqvGJgl8pBDM0C5h
token_accessor gIQFfVhUd8fDsZjC7gLBMnQu
token_duration 55m17s
token_renewable true
token_policies ["default" "jenkins"]
identity_policies []
policies ["default" "jenkins"]
token_meta_role_name jenkins
Verify that you can access the secrets at secret/mysql/webapp
.
$ vault kv get secret/mysql/webapp
No value found at secret/mysql/webapp
Since there is no value at secret/mysql/webapp
, it returns a "no value
found" message.
Optional: Using the admin
user's token, you can store some secrets in the
secret/mysql/webapp
path.
First, create a JSON file containing the data you wish to store.
$ tee mysqldb.json <<"EOF"
{
"url": "foo.example.com:35533",
"db_name": "users",
"username": "admin",
"password": "pa$$w0rd"
}
EOF
Create the secrets. The input data will be read from the mysql.json
file.
$ vault kv put secret/mysql/webapp @mysqldb.json
Now, try to read secrets from secret/mysql/webapp
using the client_token
again. This time, it should return the values you just created.
»Response Wrap the SecretID
The RoleID is equivalent to a username, and SecretID is the corresponding password. The app needs both to log in with Vault. Naturally, the next question becomes how to deliver those values to the client securely.
A common solution involves three personas instead of two: admin
, app
, and
trusted entity
. The trusted entity
delivers the RoleID and SecretID to the
client by separate means.
For example, Terraform as a trusted entity can deliver the RoleID onto the virtual machine. When the app runs on the virtual machine, the RoleID already exists on the virtual machine.
SecretID is like a password. To keep the SecretID confidential, use response wrapping so that only the expecting client can unwrap the SecretID.
In Step 3, you executed the following command to retrieve the Secret ID.
$ vault write -f auth/approle/role/jenkins/secret-id
Instead, use response wrapping by passing the -wrap-ttl
parameter.
$ vault write -wrap-ttl=60s -f auth/approle/role/jenkins/secret-id
Key Value
--- -----
wrapping_token: s.2kAzCgg1kN7vdpE1xxZxzpug
wrapping_accessor: 1N3YCs02iuZ75OCTi4eN0tuA
wrapping_token_ttl: 1m
wrapping_token_creation_time: 2019-12-16 17:17:13.956126 -0800 PST
wrapping_token_creation_path: auth/approle/role/jenkins/secret-id
Send this wrapping_token
to the client so that the response can be unwrapped
and obtain the SecretID.
$ VAULT_TOKEN=s.2kAzCgg1kN7vdpE1xxZxzpug vault unwrap
Key Value
--- -----
secret_id 7673bcf6-bbba-0fa6-a54c-51a6a3219c92
secret_id_accessor e0104ca1-0afd-5d90-3b99-646bbcb5c179
To learn more about the wrapping token, read the Cubbyhole Response Wrapping tutorial.
»Limit the SecretID Usages
Treat the SecretID like a password and force it to be regenerated after a number of use.
To do so, update the role definition with secret_id_num_uses
set.
$ vault write auth/approle/role/jenkins token_policies="jenkins" \
token_ttl=1h token_max_ttl=4h \
secret_id_num_uses=10
In this example, a SecretID of the jenkins
role can be used for up to 10
times to authenticate and fetch a client token. After the number of uses is
reached, the SecretID expires and you would need to generate a new one. This is
similar to forcing a password rotation.