Configuring Auth Methods using the API

Introduction

Learn how to configure the AppRole authentication method in HashiCorp Vault using direct API calls. This guide covers:

Enabling the AppRole auth method
Creating an AppRole with specific policies
Retrieving the Role ID and Secret ID
Authenticating with the generated credentials

Prerequisites

A running Vault server at http://127.0.0.1:8200
A valid Vault token exported as an environment variable:

export VAULT_TOKEN="s.TEKrNn3Cv53pZdbPh8xg4TPu"

Warning

Never commit your VAULT_TOKEN or any sensitive credentials to version control.

1. Enable the AppRole Auth Method

First, enable the AppRole authentication backend:

Create an auth.json file:
```
{
  "type": "approle"
}
```

Use curl to enable AppRole:

curl --header "X-Vault-Token: $VAULT_TOKEN" \
     --request POST \
     --data @auth.json \
     http://127.0.0.1:8200/v1/sys/auth/approle

Verify the mount:
```
vault auth list
```

You should see an entry for approle/.

2. Create an AppRole with Policies

Define which policies this AppRole will use:

Create policies.json:
```
{
  "policies": ["bryan"]
}
```

Create the AppRole named vaultcourse:

curl --header "X-Vault-Token: $VAULT_TOKEN" \
     --request POST \
     --data @policies.json \
     http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse

A successful response confirms the role is created.

3. Fetch the Role ID

Each AppRole has a unique Role ID. Retrieve it:

curl --header "X-Vault-Token: $VAULT_TOKEN" \
     http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse/role-id | jq

Inspect data.role_id in the JSON response.

4. Generate a Secret ID

Generate the Secret ID needed alongside the Role ID:

curl --header "X-Vault-Token: $VAULT_TOKEN" \
     --request POST \
     http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse/secret-id | jq

The response returns:

data.secret_id
data.secret_id_accessor

With these credentials, you can log in:

curl --request POST \
     --data '{"role_id":"<ROLE_ID>","secret_id":"<SECRET_ID>"}' \
     http://127.0.0.1:8200/v1/auth/approle/login

Quick Reference Table

Step	Endpoint	Method	Description
1	`/v1/sys/auth/approle`	POST	Enable AppRole auth method
2	`/v1/auth/approle/role/vaultcourse`	POST	Create an AppRole with specified policies
3	`/v1/auth/approle/role/vaultcourse/role-id`	GET	Retrieve the AppRole `Role ID`
4	`/v1/auth/approle/role/vaultcourse/secret-id`	POST	Generate the `Secret ID`
5	`/v1/auth/approle/login`	POST	Authenticate using `Role ID` and `Secret ID`

Links and References

Watch Video

Watch video content