HashiCorp Certified: Vault Associate Certification
Compare Authentication Methods
Demo AppRole Auth Method
Welcome to this hands-on lab where we’ll configure the AppRole authentication method in HashiCorp Vault. By the end of this guide, you’ll be able to enable AppRole, create a role, and authenticate using a role_id and secret_id.
Prerequisites
- A running Vault server in development or production mode
- Vault CLI installed and configured (vault login with a root or privileged token)
- Basic familiarity with Vault policies and tokens
1. Check Enabled Auth Methods
List the authentication methods currently enabled in Vault:
vault auth list
Example output:
Path Type Accessor Description
---- ---- -------- -----------
token/ token auth_token_12345 token based credentials
Note
By default, Vault enables only the token auth method. You’ll add AppRole in the next step.
2. Enable AppRole
Enable AppRole at its default path (approle/):
vault auth enable approle
Expected response:
Success! Enabled approle auth method at: approle/
3. Create an AppRole
An AppRole ties Vault policies to applications or machines. Create a role named bryan that references the bryan policy and issues tokens valid for 20 minutes:
vault write auth/approle/role/bryan \
policies=bryan \
token_ttl=20m
Successful output:
Success! Data written to: auth/approle/role/bryan
Note
Adjust the token_ttl to match your security requirements. You can also set token_max_ttl to enforce a hard limit.
4. List AppRole Roles
Verify the roles available under the AppRole auth method:
vault list auth/approle/role
Example output:
Keys
----
bryan
5. Retrieve the Role ID
Each AppRole has a stable role_id. Fetch it with:
vault read auth/approle/role/bryan/role-id
Sample response:
Key Value
--- -----
role_id 2d7d168a-806b-520d-40b6-597841cf8d42
6. Generate a Secret ID
Every login requires a one-time secret_id. Create it now:
vault write -force auth/approle/role/bryan/secret-id
You’ll see output similar to:
Key Value
--- -----
secret_id fe323f09-72db-1a83-1846-a150b669686c
secret_id_accessor 2e69247f-568a-70dc-c2a5-45a262eefc87
secret_id_ttl 0s
Warning
The generated secret_id is sensitive and should be transmitted securely. Consider customizing secret_id_ttl or using CIDR restrictions.
7. Log In with AppRole
Use the role_id and secret_id to authenticate and receive a Vault token:
vault write auth/approle/login \
role_id=2d7d168a-806b-520d-40b6-597841cf8d42 \
secret_id=fe323f09-72db-1a83-1846-a150b669686c
Sample response:
Key Value
--- -----
token s.20UtHiDfKIehjDfgMuEDkzB8
token_accessor itew3hMdKQ6SAVNL38XZzB8
token_duration 20m
token_renewable true
token_policies ["bryan" "default"]
identity_policies []
policies ["bryan" "default"]
token_meta_role_name bryan
Note
When specifying parameters in the CLI, use underscores (role_id, secret_id). In API paths, hyphens appear in the endpoint (e.g., role-id, secret-id).
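To show what the CLI login in step 7 does on the wire, here is an added Python example (not part of the lab or of Vault itself) that builds the AppRole login request against Vault's HTTP API and reduces the JSON response to the fields an application needs. It assumes the standard auth/<mount>/login endpoint; the base URL, the pluggable post callable and the sample response are constructed so the flow runs offline.

```python
import json
import urllib.request

def build_login_request(base_url, role_id, secret_id, mount="approle"):
    """Return (url, json_body) for an AppRole login.
    The path names the auth mount; the body keys use underscores,
    exactly like the CLI parameters role_id / secret_id."""
    url = f"{base_url.rstrip('/')}/v1/auth/{mount}/login"
    return url, {"role_id": role_id, "secret_id": secret_id}

def parse_login_response(resp):
    """Reduce Vault's login JSON to what an app needs.
    lease_duration is in seconds: 1200 matches the role's token_ttl=20m."""
    auth = resp.get("auth") or {}   # Vault returns "auth": null on failure
    if not auth.get("client_token"):
        raise ValueError("login response carries no client token")
    return {
        "token": auth["client_token"],
        "accessor": auth["accessor"],
        "ttl_seconds": auth["lease_duration"],
        "renewable": auth["renewable"],
        "policies": sorted(auth["policies"]),
        "role_name": auth.get("metadata", {}).get("role_name"),
    }

def http_post(url, body):
    # Real transport: the login call itself needs no X-Vault-Token header.
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as r:
        return json.load(r)

def approle_login(base_url, role_id, secret_id, post=http_post, mount="approle"):
    url, body = build_login_request(base_url, role_id, secret_id, mount)
    return parse_login_response(post(url, body))

# Constructed sample response mirroring the CLI output in step 7 (the token
# values are the lab's placeholders, not live credentials).
SAMPLE_RESPONSE = {"auth": {
    "client_token": "s.20UtHiDfKIehjDfgMuEDkzB8",
    "accessor": "itew3hMdKQ6SAVNL38XZzB8",
    "policies": ["bryan", "default"], "token_policies": ["bryan", "default"],
    "metadata": {"role_name": "bryan"}, "lease_duration": 1200, "renewable": True}}

def fake_post(url, body):
    """Offline stand-in for Vault: verify the request shape, return the sample."""
    if not url.endswith("/v1/auth/approle/login") or set(body) != {"role_id", "secret_id"}:
        raise ValueError(f"unexpected request: {url} {sorted(body)}")
    return SAMPLE_RESPONSE

if __name__ == "__main__":
    print(approle_login("http://127.0.0.1:8200", "2d7d168a-806b-520d-40b6-597841cf8d42",
                        "fe323f09-72db-1a83-1846-a150b669686c", post=fake_post))
```

Swap fake_post for the default http_post (and point base_url at a real server) to perform the same exchange the CLI does in step 7.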
Summary
In this lab you have:
- Enabled the AppRole auth method
- Created a new role (bryan) linked to a Vault policy
- Retrieved the stable role_id for that role
- Generated a one-time secret_id
- Authenticated with AppRole to get a Vault token
You can now use this token for subsequent Vault operations, such as reading secrets or managing dynamic credentials.