This helps people who run Vault in production as a containerized application and do not have exec access to the pod in PROD to run Vault CLI commands.
We can do many things using the Vault UI; a few of them are listed here.
I was wondering what we can do through the Vault CLI option that is present in the UI, and I learned how to use the API explorer.
1. Click on the Vault UI CLI.
2. Write api in the CLI and press Enter. This is an API explorer. You can see a warning like the one below after pressing Enter.
3. Now you can close the CLI and you can see lots of API endpoints. There is a filter section as well, where you can search the endpoints.
4. It has 4 sections: auth, secrets, identity and system. You can click on each section and use the endpoints based on your requirements.
5. Suppose I want to create one more root token. If the root token you are logged in with has the capability to create tokens, you can do that.
I searched for token and got many options.
6. Now I want to create a token that is not revoked if I revoke the token I am logged in with, so I preferred an orphan token here. Click on the orphan token endpoint, then click on Try it Out, and you get the option below.
7. Click on Execute - send a request with your token to Vault, and you get the response below. Here client_token is the root token and the other options are the lookup of this token.
NOTE: There are many things we can do through the API explorer, so go ahead and explore it.
Username and password (userpass) authentication allows us to create a user and password to log in to the Vault UI. This is more secure than root token auth, as we can also attach a custom policy to this authentication.
Let's have a look at how to do this.
1. Click on Access and then Enable new method.
2. Click on Username & Password and then Next.
3. Provide the path name and click on Hide Method Options. You can see lots of options, such as what kind of token will be created for this authentication (default, service or batch), and many more. Click on Enable Method.
4. This page appears so that you can update the configuration. Update it if you want, or click on userpass (the path name in the left corner) if you don't want to update anything.
5. Click on Create user.
6. Provide the user and password.
7. You can see there is an option called Tokens. Click on it and you can attach policies, provide the type of token, etc.
8. Save, and you are able to log in with the username and password.
NOTE: If you do not attach any policy here, the user is attached to the default policy, and the default policy has all kinds of capabilities, so take care over which policy you attach.
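
The same userpass setup can be sent to the Vault HTTP API, which is what the API explorer calls. This is an added example, not part of the original post; the Vault address, the app-reader policy and its secret path, the user name alice, the TTL values and the two environment variables are assumptions.

```python
import json
import os
import urllib.request

VAULT_ADDR = "https://vault.example.internal:8200"  # assumed address (placeholder)
# Constructed policy: read-only on one hypothetical KV v2 path.
APP_READER_POLICY = 'path "secret/data/app/*" {\n  capabilities = ["read"]\n}\n'

def userpass_requests(mount, username, password, policy_name, policy_hcl):
    """Return the (method, path, body) calls that mirror the UI steps above."""
    return [
        # Steps 1-3: enable the Username & Password method at the chosen path.
        ("POST", f"/v1/sys/auth/{mount}", {"type": "userpass"}),
        # Write the custom policy first so the user is never created without it.
        ("PUT", f"/v1/sys/policies/acl/{policy_name}", {"policy": policy_hcl}),
        # Steps 5-7: create the user; the Tokens options map to token_* fields.
        ("POST", f"/v1/auth/{mount}/users/{username}", {
            "password": password,
            "token_policies": [policy_name],
            "token_type": "service",
            "token_ttl": "1h",        # assumed lifetime
            "token_max_ttl": "4h",    # assumed ceiling for renewals
        }),
    ]

def missing_custom_policy(requests):
    """List user-creation calls that attach no policy of their own."""
    return [path for _, path, body in requests
            if "/users/" in path and not body.get("token_policies")]

def send(token, method, path, body):
    """Send one call to Vault with the caller's token; return the HTTP status."""
    req = urllib.request.Request(
        VAULT_ADDR + path, data=json.dumps(body).encode(), method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    calls = userpass_requests("userpass", "alice", os.environ["NEW_USER_PASSWORD"],
                              "app-reader", APP_READER_POLICY)
    if missing_custom_policy(calls):
        raise SystemExit("refusing to create a user without a custom policy")
    for method, path, body in calls:
        print(method, path, send(os.environ["VAULT_TOKEN"], method, path, body))
```

The token in VAULT_TOKEN needs permission on sys/auth, sys/policies/acl and the userpass mount; passing the new password through the environment keeps it out of shell history.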