HashiCorp Certified: Vault Associate Certification

Compare Authentication Methods

Demo Configuring Auth Methods using the CLI

In this guide, we’ll walk through how to manage HashiCorp Vault authentication methods (auth backends) using the Vault CLI. You’ll learn to enable, list, disable, tune, and interact with backends such as userpass and approle in a consistent, repeatable way.

Viewing Available Auth Subcommands

Start by inspecting the top-level vault auth command:

vault auth -h

To see commonly used subcommands:

Command                     Description
-------                     -----------
vault auth list             List all enabled auth methods
vault auth enable [TYPE]    Enable a new auth backend
vault auth disable [PATH]   Disable an existing auth backend
vault auth tune [OPTIONS]   Update mount settings (e.g., TTLs, descriptions)
vault auth help [BACKEND]   Show detailed help for a specific auth backend

You can also run:

vault auth help userpass
vault auth help approle

to get backend-specific guidance.

Enabling and Listing Auth Methods

1. Enable userpass at the Default Path

vault auth enable userpass
# Success! Enabled userpass auth method at: userpass/

Verify it’s enabled:

vault auth list
# Path      Type      Accessor
# ----      ----      ---------
# token/    token     auth_token_...
# userpass/ userpass  auth_userpass_...

2. Enable userpass on a Custom Path

vault auth enable -path=vault-course userpass
# Success! Enabled userpass auth method at: vault-course/

List both mounts:

vault auth list
# Path           Type      Accessor
# ----           ----      ---------
# token/         token     auth_token_...
# userpass/      userpass  auth_userpass_...
# vault-course/  userpass  auth_userpass_...

Disabling Auth Methods

Warning

Disabling an auth method immediately revokes any credentials issued under that mount.

1. Remove the Default userpass Mount

vault auth disable userpass
# Success! Disabled the auth method at: userpass/

Confirm removal:

vault auth list
# Path           Type      Accessor
# ----           ----      ---------
# token/         token     auth_token_...
# vault-course/  userpass  auth_userpass_...

2. Clean Up the Custom Mount

vault auth disable vault-course
# Success! Disabled the auth method at: vault-course/

Only the token backend remains:

vault auth list
# Path      Type   Accessor
# ----      ----   ---------
# token/    token  auth_token_...

Adding a Description When Mounting

Descriptions must be provided at mount time. Any existing mount must be disabled first.

vault auth disable userpass

Note

You cannot add or update a description on an existing mount. Always set it when you enable the backend.

vault auth enable \
  -path=bryan \
  -description="Local credentials for Vault access" \
  userpass
# Success! Enabled userpass auth method at: bryan/

Verify the description:

vault auth list
# Path    Type      Accessor           Description
# ----    ----      --------           -----------
# bryan/  userpass  auth_userpass_...  Local credentials for Vault access
# token/  token     auth_token_...     token based credentials

Tuning an Auth Method

Adjust the default lease TTL for tokens issued via the bryan mount:

vault auth tune \
  -default-lease-ttl=24h \
  bryan/
# Success! Tuned the auth method at: bryan/
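
The enable, describe and tune steps above can be combined into one re-runnable function. This is an added example, not part of the course material: the function names `mount_type` and `ensure_auth_mount` and the script name are hypothetical, and it assumes `VAULT_ADDR` and `VAULT_TOKEN` are already exported and that `vault auth list` prints the table layout shown in this guide.

```shell
#!/bin/sh
# Added example: idempotent "enable + tune" for a single auth mount.
# Assumption: `vault auth list` prints two header lines, then one row per
# mount with Path in column 1 and Type in column 2 (as shown in this guide).

# mount_type PATH -> prints the auth type mounted at PATH/, or nothing if unused.
mount_type() {
  local listing
  listing="$(vault auth list)" || return 1
  printf '%s\n' "$listing" | awk -v p="${1%/}/" 'NR > 2 && $1 == p { print $2 }'
}

# ensure_auth_mount PATH TYPE DESCRIPTION TTL
# Returns 0 when the mount exists (or was just created) and has been tuned,
# 1 when a vault command fails, 2 when PATH already holds a different auth type.
ensure_auth_mount() {
  local mnt="${1%/}" kind="$2" desc="$3" ttl="$4" current
  current="$(mount_type "$mnt")" || return 1

  if [ -z "$current" ]; then
    # The description is supplied here, at mount time, as the guide requires.
    vault auth enable -path="$mnt" -description="$desc" "$kind" || return 1
  elif [ "$current" != "$kind" ]; then
    # Never disable-and-replace automatically: disabling a mount revokes
    # what it issued, so a type conflict is left for an operator to resolve.
    echo "refusing: $mnt/ is already a '$current' mount" >&2
    return 2
  fi

  # Tuning is safe to repeat, so it runs for both new and existing mounts.
  vault auth tune -default-lease-ttl="$ttl" "$mnt/"
}

# Direct use:
#   ./ensure-mount.sh bryan userpass "Local credentials for Vault access" 24h
if [ "$#" -eq 4 ]; then
  ensure_auth_mount "$@"
fi
```

Re-running the script against an existing mount of the same type only re-applies the TTL; it never touches `vault auth disable`.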

Configuring the userpass Backend

Create a User in bryan

vault write auth/bryan/users/krausen \
  password=vault \
  policies=bryan
# Success! Data written to: auth/bryan/users/krausen

List and Read User Details

vault list auth/bryan/users
# Keys
# ----
# krausen

vault read auth/bryan/users/krausen
# Key                     Value
# ---                     -----
# policies                [bryan]
# token_bound_cidrs       []
# token_policies          [bryan]
# token_ttl               0s
# token_type              default

Different backends expose different paths and parameters. For example, approle is configured under role/ instead of users/.

Example: Enabling and Configuring AppRole

  1. Enable the AppRole Method

    vault auth enable approle
    # Success! Enabled approle auth method at: approle/
    
  2. Create a Role with a 20-Minute Token TTL

    vault write auth/approle/role/bryan \
      token_ttl=20m \
      policies=bryan
    # Success! Data written to: auth/approle/role/bryan
    

Note

AppRole is recommended for machine-to-machine authentication and automated workflows.

Conclusion

You’ve learned how to:

  • Enable and list Vault auth methods
  • Disable mounts safely
  • Add metadata (descriptions)
  • Tune mount configurations
  • Create and manage users in userpass
  • Configure an AppRole backend

These CLI patterns apply to all Vault authentication backends—just adjust paths, parameters, and payloads to fit your use case.
