Demo Vault Authentication using the API
In this guide, we’ll walk through how to authenticate to HashiCorp Vault via Okta and retrieve secrets using curl. The same pattern applies for other auth methods (e.g., GitHub, LDAP, AWS).
Prerequisites
Requirement | Purpose |
---|---|
Vault server | Running locally at http://127.0.0.1:8200 |
curl | Issue HTTP requests |
jq (optional) | Pretty-print JSON |
Note
Installing jq is optional but recommended for readable JSON outputs.
1. Authenticate via Okta
First, create a JSON file named password.json containing your Okta password:
{
"password": "YourOktaPassword"
}
Next, send a login request. Replace [email protected] with your Okta username:
curl --request POST \
--data @password.json \
http://127.0.0.1:8200/v1/auth/okta/login/[email protected]
A successful login returns a client_token in the auth block:
{
"auth": {
"client_token": "s.yuA7WdiZFMr9ArIjtYX0VMY",
"policies": ["default","your-policy"],
"metadata": {"username":"[email protected]"},
"lease_duration":2764800,
"renewable":true
},
"lease_id":"",
"request_id":"05a0e2e2-879a-9d37-530c-aceedb831cd2"
}
For readable JSON, pipe the output to jq:
curl --request POST \
--data @password.json \
http://127.0.0.1:8200/v1/auth/okta/login/[email protected] \
| jq
Scroll to locate the client_token value.
2. Read a Secret from the KV Store
With your client_token, you can query Vault’s KV store. In this example, we read from secret/data/app01 (KV version 2):
curl --header "X-Vault-Token: s.yuA7WdiZFMr9ArIjtYX0VMY" \
http://127.0.0.1:8200/v1/secret/data/app01
A typical raw response looks like this:
{
"request_id":"9608f10d-2cb7-146e-4d28-c17bbbb92f07",
"data":{
"data":{"password":"Password1!"},
"metadata":{
"created_time":"2021-06-14T19:09:08.588706Z",
"version":1
}
}
}
For formatted output:
curl --header "X-Vault-Token: s.yuA7WdiZFMr9ArIjtYX0VMY" \
http://127.0.0.1:8200/v1/secret/data/app01 \
| jq
Which yields:
{
"request_id":"f30d4e94-8bb7-3336-c1b0-ccc46644153d",
"data":{
"data":{"password":"Password1!"},
"metadata":{
"created_time":"2021-06-14T19:09:08.5887067Z",
"version":1
}
}
}
Warning
Never expose your client_token in shared scripts or logs. Treat it like a password.
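The login and read calls from steps 1 and 2, as an added Python example (not part of the original guide) that prompts for the password instead of reading password.json and prints only a redacted token, so neither credential lands in a file, shell history or process arguments. The function names, the VAULT_ADDR environment default and the four-character redaction prefix are assumptions of this example.

```python
import getpass
import json
import os
import urllib.parse
import urllib.request

# Assumption: same local dev address the guide uses unless VAULT_ADDR is set.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

def login_request(addr, username, password):
    """POST /v1/auth/okta/login/{username}; password travels only in the body."""
    user = urllib.parse.quote(username, safe="")  # '@' and '/' cannot alter the path
    body = json.dumps({"password": password}).encode()
    return urllib.request.Request(f"{addr}/v1/auth/okta/login/{user}", data=body,
                                  method="POST", headers={"Content-Type": "application/json"})

def token_from_login(raw):
    """Return auth.client_token; fail closed when the auth block is missing."""
    token = (json.loads(raw).get("auth") or {}).get("client_token")
    if not token:
        raise ValueError("login response has no auth.client_token")
    return token

def kv2_request(addr, token, path):
    """GET /v1/secret/data/{path} with the token in the X-Vault-Token header."""
    url = f"{addr}/v1/secret/data/{urllib.parse.quote(path.strip('/'))}"
    return urllib.request.Request(url, headers={"X-Vault-Token": token})

def kv2_payload(raw):
    """KV v2 nests the secret under data.data (data.metadata holds the version)."""
    return json.loads(raw)["data"]["data"]

def redact(token):
    """Log-safe form of a token: short prefix only."""
    return token[:4] + "..." if token else "<none>"

def main():
    username = input("Okta username: ")
    password = getpass.getpass("Okta password: ")  # not echoed, no password.json on disk
    with urllib.request.urlopen(login_request(VAULT_ADDR, username, password)) as r:
        token = token_from_login(r.read())
    print("authenticated, token:", redact(token))
    with urllib.request.urlopen(kv2_request(VAULT_ADDR, token, "app01")) as r:
        print("secret keys:", sorted(kv2_payload(r.read())))  # key names, not values

if __name__ == "__main__":
    main()
```

The http:// address matches the guide's local server; a Vault reached over a network should be addressed with https so the password and token are not sent in cleartext.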
3. Summary of Endpoints
Endpoint | Description | HTTP Method |
---|---|---|
/v1/auth/okta/login/{username} | Authenticate via Okta | POST |
/v1/secret/data/{path} | Read secret from KV v2 | GET |
Conclusion
You have now:
- Authenticated to Vault using the Okta auth method.
- Extracted the client_token from the API response.
- Retrieved a secret from the KV secrets engine.
Reuse this pattern to create, update, or delete secrets and to interact with other Vault API endpoints.