HashiCorp Certified: Vault Associate Certification

Compare Authentication Methods

Configuring Auth Methods using the API

Introduction

Learn how to configure the AppRole authentication method in HashiCorp Vault using direct API calls. This guide covers:

  • Enabling the AppRole auth method
  • Creating an AppRole with specific policies
  • Retrieving the Role ID and Secret ID
  • Authenticating with the generated credentials

Prerequisites

  • A running Vault server at http://127.0.0.1:8200
  • A valid Vault token exported as an environment variable:
export VAULT_TOKEN="s.TEKrNn3Cv53pZdbPh8xg4TPu"

Warning

Never commit your VAULT_TOKEN or any sensitive credentials to version control.

1. Enable the AppRole Auth Method

First, enable the AppRole authentication backend:

  1. Create an auth.json file:

    {
      "type": "approle"
    }
    
  2. Use curl to enable AppRole:

    curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --request POST \
         --data @auth.json \
         http://127.0.0.1:8200/v1/sys/auth/approle
    
  3. Verify the mount:

    vault auth list
    

You should see an entry for approle/.

2. Create an AppRole with Policies

Define which policies this AppRole will use:

  1. Create policies.json:

    {
      "policies": ["bryan"]
    }
    
  2. Create the AppRole named vaultcourse:

    curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --request POST \
         --data @policies.json \
         http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse
    

A successful response confirms the role is created.

3. Fetch the Role ID

Each AppRole has a unique Role ID. Retrieve it:

curl --header "X-Vault-Token: $VAULT_TOKEN" \
     http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse/role-id | jq

Inspect data.role_id in the JSON response.

4. Generate a Secret ID

Generate the Secret ID needed alongside the Role ID:

curl --header "X-Vault-Token: $VAULT_TOKEN" \
     --request POST \
     http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse/secret-id | jq

The response returns:

  • data.secret_id
  • data.secret_id_accessor

With these credentials, you can log in:

curl --request POST \
     --data '{"role_id":"<ROLE_ID>","secret_id":"<SECRET_ID>"}' \
     http://127.0.0.1:8200/v1/auth/approle/login
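The five steps above as one script, added here as an example rather than code from the course: it uses only Python's standard library, reads VAULT_ADDR (defaulting to the tutorial's http://127.0.0.1:8200) and VAULT_TOKEN from the environment, and additionally sets Vault's secret_id_num_uses and secret_id_ttl on the role, which the tutorial leaves unset; the role name, policy list and limits are illustrative values, and only the token accessor, never the token itself, ends up in the printed summary.

```python
import json
import os
import urllib.error
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumed: env or the tutorial's server

def vault_request(path, method="GET", body=None, token=None):
    """One API call under /v1; returns the parsed JSON body ({} for 204 No Content)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def role_definition(policies, secret_id_num_uses=1, secret_id_ttl="10m"):
    """Body for POST auth/approle/role/<name>. token_policies is the current name for the
    tutorial's "policies" key; the limits make each Secret ID single-use and short-lived."""
    return {"token_policies": list(policies),
            "secret_id_num_uses": secret_id_num_uses,
            "secret_id_ttl": secret_id_ttl}

def login_summary(login_response):
    """Fields from auth/approle/login that are safe to log: the accessor, not the token."""
    auth = login_response["auth"]
    return {"accessor": auth["accessor"],
            "policies": sorted(auth["token_policies"]),
            "ttl_seconds": auth["lease_duration"],
            "renewable": auth["renewable"]}

def bootstrap(role_name, policies, admin_token):
    """Steps 1-5 of the tutorial; returns (loggable summary, client token)."""
    try:
        vault_request("sys/auth/approle", "POST", {"type": "approle"}, admin_token)
    except urllib.error.HTTPError as err:
        if err.code != 400:  # 400 "path is already in use": AppRole was enabled earlier
            raise
    base = f"auth/approle/role/{role_name}"
    vault_request(base, "POST", role_definition(policies), admin_token)
    role_id = vault_request(f"{base}/role-id", token=admin_token)["data"]["role_id"]
    secret_id = vault_request(f"{base}/secret-id", "POST", token=admin_token)["data"]["secret_id"]
    # The login itself carries no token: the Role ID + Secret ID pair is the credential.
    login = vault_request("auth/approle/login", "POST", {"role_id": role_id, "secret_id": secret_id})
    return login_summary(login), login["auth"]["client_token"]

if __name__ == "__main__":
    print(json.dumps(bootstrap("vaultcourse", ["bryan"], os.environ["VAULT_TOKEN"])[0], indent=2))
```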

Quick Reference Table

Step  Endpoint                                     Method  Description
----  -------------------------------------------  ------  ------------------------------------------
1     /v1/sys/auth/approle                         POST    Enable AppRole auth method
2     /v1/auth/approle/role/vaultcourse            POST    Create an AppRole with specified policies
3     /v1/auth/approle/role/vaultcourse/role-id    GET     Retrieve the AppRole Role ID
4     /v1/auth/approle/role/vaultcourse/secret-id  POST    Generate the Secret ID
5     /v1/auth/approle/login                       POST    Authenticate using Role ID and Secret ID
