DEV Community

Frederick Ollinger

Vault Enable AppRole Auth Method

NOTE: This post assumes that you have already set up a Vault server: https://dev.to/frederickollinger/production-hashicorp-vault-minimal-configuration-485a

What is an Auth Method?

An auth method is how Vault validates requests from clients. It provides authentication, that is, it checks that you are who you say you are. It does not handle authorization, which decides what you may do and which paths you may access; that is the job of policies.

Where Would You Use AppRole Auth Method?

AppRole is most often used for machine-to-machine authentication: an application, service or CI job that needs a Vault token and has no human available to type a password.

What is a Policy?

A policy controls what a token can do in Vault: which paths it may read, write, list or delete. A role names the policies that the tokens it issues will carry.

Enabling AppRole

AppRole is not enabled by default, so as a one-time operation you must enable it:

vault auth enable approle

Create a Vault Policy

Vault policies are written in HCL.

Save this in a file named policy.hcl:

# A path without a trailing "*" is an exact match: this grants read on "secret/data"
# only. In KV v2 the secrets live at secret/data/<name>, so to read them widen the
# rule to the names the app needs (for example "secret/data/dataapp/*").
path "secret/data" {
  capabilities = [ "read" ]
}

Tell Vault to read the Policy:

vault policy write data-policy policy.hcl

List the policies:

vault policy list

Define a Role

A role binds one or more policies to the credentials an application will log in with; the token returned at login carries those policies. A role can also constrain its credentials with parameters such as secret_id_ttl, secret_id_num_uses, token_ttl and secret_id_bound_cidrs, which is where you apply least privilege to the lifetime and origin of a login.

In this example, we are going to call our role: 'dataapp'.

vault write auth/approle/role/dataapp policies=data-policy

List the roles:

vault list auth/approle/role

Generate the Authentication Credentials

To log in, an application needs both the RoleID and the SecretID.

The RoleID is analogous to a username and the SecretID to a password. The RoleID can be baked into the application's configuration, but the SecretID must be handled as a secret and delivered by a separate channel, ideally response-wrapped (vault write -wrap-ttl=... -f auth/approle/role/dataapp/secret-id) so that it is single-use in transit and a consumed wrapping token reveals that it was intercepted.

RoleID:

vault read auth/approle/role/dataapp/role-id

SecretID:

vault write -f auth/approle/role/dataapp/secret-id

Use Credentials To Login Using AppRole

Replace $ROLE_ID and $SECRET_ID with the values generated above. The response contains a client token that carries data-policy; that token, not the RoleID/SecretID pair, is what the application uses for later requests (add -field=token to print only the token).

vault write auth/approle/login \
role_id=$ROLE_ID \
secret_id=$SECRET_ID
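The steps above, carried out directly against Vault's HTTP API, which is what the vault CLI calls under the hood. This is an added example, not code from the original post: it assumes the names used above (role dataapp, policy data-policy), a KV v2 engine mounted at secret/, and a policy that grants read on secret/data/dataapp. The demo_transport function and its canned replies are constructed so the flow can run with no server; the urllib_transport function talks to a real Vault.

```python
"""AppRole login over Vault's HTTP API with only the Python standard library.

Added example, not code from the original post. Assumes the names used above
(role 'dataapp', policy 'data-policy'), a KV v2 engine mounted at 'secret/', and
a policy that grants read on secret/data/dataapp. demo_transport and its canned
replies are constructed so the flow can run with no server.
"""
import json
import urllib.error
import urllib.request


class VaultError(Exception):
    """Any non-2xx reply; keeps the HTTP status and Vault's 'errors' list."""

    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: {'; '.join(errors) or 'no detail'}")
        self.status = status
        self.errors = errors


def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, decoded JSON); 4xx/5xx are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as exc:
        raw = exc.read()
        try:
            return exc.code, (json.loads(raw) if raw else {})
        except ValueError:
            return exc.code, {"errors": [raw.decode("utf-8", "replace")]}


class AppRoleClient:
    def __init__(self, addr, transport=urllib_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token = None  # client token set by login()

    def _request(self, method, path, body=None, token=None):
        headers = {"Content-Type": "application/json"}
        tok = token if token is not None else self.token
        if tok:
            headers["X-Vault-Token"] = tok  # same header the CLI sends VAULT_TOKEN in
        status, payload = self.transport(method, f"{self.addr}/v1/{path}", headers, body)
        if status >= 400:
            raise VaultError(status, payload.get("errors", []))
        return payload

    def unwrap_secret_id(self, wrapping_token):
        """Exchange a response-wrapped SecretID (from 'vault write -wrap-ttl=... -f .../secret-id')
        for the SecretID. The wrapping token is single-use, so a failure here means the
        SecretID was already consumed by someone else or the wrapper expired."""
        payload = self._request("POST", "sys/wrapping/unwrap", token=wrapping_token)
        return payload["data"]["secret_id"]

    def login(self, role_id, secret_id):
        """POST auth/approle/login, the call behind 'vault write auth/approle/login'."""
        body = {"role_id": role_id, "secret_id": secret_id}
        auth = self._request("POST", "auth/approle/login", body)["auth"]
        self.token = auth["client_token"]
        return auth

    def read_kv2(self, name, mount="secret"):
        """GET <mount>/data/<name>: KV v2 nests the secret under data.data."""
        return self._request("GET", f"{mount}/data/{name}")["data"]["data"]


def demo_transport(method, url, headers, body):
    """Constructed stand-in for a Vault server (canned data, not real Vault output)."""
    tok = headers.get("X-Vault-Token")
    if url.endswith("/v1/sys/wrapping/unwrap") and tok == "hvs.wrap-demo":
        return 200, {"data": {"secret_id": "sid-demo"}}
    if url.endswith("/v1/auth/approle/login") and body == {"role_id": "rid-demo", "secret_id": "sid-demo"}:
        return 200, {"auth": {"client_token": "hvs.app-demo", "policies": ["data-policy", "default"],
                              "lease_duration": 3600, "renewable": True}}
    if url.endswith("/v1/secret/data/dataapp") and tok == "hvs.app-demo":
        return 200, {"data": {"data": {"db_password": "s3cr3t"}, "metadata": {"version": 1}}}
    return 403, {"errors": ["permission denied"]}


def demo(transport=demo_transport):
    """Unwrap, log in, read the permitted secret, then probe a path the policy excludes."""
    client = AppRoleClient("http://127.0.0.1:8200", transport)
    auth = client.login("rid-demo", client.unwrap_secret_id("hvs.wrap-demo"))
    secret = client.read_kv2("dataapp")
    try:
        client.read_kv2("other")  # outside data-policy: Vault answers 403
        denied = None
    except VaultError as exc:
        denied = exc.status
    return {"policies": auth["policies"], "secret": secret, "denied": denied}


if __name__ == "__main__":
    print(demo())  # pass urllib_transport and real IDs to talk to a live server
```

Against a live server, construct AppRoleClient with your VAULT_ADDR and the default transport, feed login() the RoleID and the (unwrapped) SecretID, and note that read_kv2("dataapp") only succeeds if the policy actually covers secret/data/dataapp; with the exact-match rule shown earlier it returns 403, which is the quickest way to discover a policy that is narrower than intended.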
