Configuring Auth Methods using the API
Introduction
Learn how to configure the AppRole authentication method in HashiCorp Vault using direct API calls. This guide covers:
- Enabling the AppRole auth method
- Creating an AppRole with specific policies
- Retrieving the Role ID and Secret ID
- Authenticating with the generated credentials
Prerequisites
- A running Vault server at http://127.0.0.1:8200
- A valid Vault token exported as an environment variable:
export VAULT_TOKEN="s.TEKrNn3Cv53pZdbPh8xg4TPu"
Warning: Never commit your VAULT_TOKEN or any sensitive credentials to version control.
1. Enable the AppRole Auth Method
First, enable the AppRole authentication backend:
Create an auth.json file:
{ "type": "approle" }
Use curl to enable AppRole:
curl --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @auth.json \
http://127.0.0.1:8200/v1/sys/auth/approle
Verify the mount:
vault auth list
You should see an entry for approle/.
2. Create an AppRole with Policies
Define which policies this AppRole will use:
Create policies.json:
{ "policies": ["bryan"] }
Create the AppRole named vaultcourse:
curl --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @policies.json \
http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse
A successful response confirms the role is created.
3. Fetch the Role ID
Each AppRole has a unique Role ID. Retrieve it:
curl --header "X-Vault-Token: $VAULT_TOKEN" \
http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse/role-id | jq
Inspect data.role_id in the JSON response.
4. Generate a Secret ID
Generate the Secret ID needed alongside the Role ID:
curl --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
http://127.0.0.1:8200/v1/auth/approle/role/vaultcourse/secret-id | jq
The response returns:
- data.secret_id
- data.secret_id_accessor
With these credentials, you can log in:
curl --request POST \
--data '{"role_id":"<ROLE_ID>","secret_id":"<SECRET_ID>"}' \
http://127.0.0.1:8200/v1/auth/approle/login
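The login call above, as an added Python example (not part of the original guide): it keeps the Secret ID off the command line by reading both IDs from the environment, and checks that the returned token carries only the policies attached to the role. The variable names ROLE_ID and SECRET_ID, the tolerance for the "default" policy, and the sample response values are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # server address used in this guide


def build_login_request(role_id, secret_id, addr=VAULT_ADDR):
    """POST to auth/approle/login; this call carries no X-Vault-Token header."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(
        f"{addr}/v1/auth/approle/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})


def parse_login_response(raw, expected_policies):
    """Return (client_token, lease_duration); reject errors and extra policies."""
    doc = json.loads(raw)
    if doc.get("errors"):
        raise PermissionError("; ".join(doc["errors"]))
    auth = doc.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response has no auth.client_token")
    # Assumption: Vault's built-in "default" policy is acceptable on the token.
    extra = set(auth.get("policies", [])) - set(expected_policies) - {"default"}
    if extra:
        raise ValueError(f"unexpected policies on token: {sorted(extra)}")
    return token, auth.get("lease_duration", 0)


def login_from_env(expected_policies=("bryan",), opener=urllib.request.urlopen):
    """Read ROLE_ID and SECRET_ID (hypothetical variable names) from the environment."""
    req = build_login_request(os.environ["ROLE_ID"], os.environ["SECRET_ID"])
    try:
        with opener(req, timeout=5) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raw = err.read()  # failed logins come back as 4xx with {"errors": [...]}
    return parse_login_response(raw, expected_policies)


# Constructed sample of a successful login response body (all values made up).
SAMPLE_LOGIN = json.dumps({"auth": {"client_token": "s.EXAMPLEconstructedtoken",
    "policies": ["bryan", "default"], "lease_duration": 2764800}})

if __name__ == "__main__":
    print("token TTL (s):", login_from_env()[1])  # the token itself is not printed
```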
Quick Reference Table
Step | Endpoint | Method | Description |
---|---|---|---|
1 | /v1/sys/auth/approle | POST | Enable AppRole auth method |
2 | /v1/auth/approle/role/vaultcourse | POST | Create an AppRole with specified policies |
3 | /v1/auth/approle/role/vaultcourse/role-id | GET | Retrieve the AppRole Role ID |
4 | /v1/auth/approle/role/vaultcourse/secret-id | POST | Generate the Secret ID |
5 | /v1/auth/approle/login | POST | Authenticate using Role ID and Secret ID |