HashiCorp Certified: Vault Associate Certification
Compare Authentication Methods
Demo Vault Authentication using the CLI
Learn how to authenticate to HashiCorp Vault using the CLI with various methods—Okta, AppRole, Userpass, token, and more. Follow these steps to obtain a Vault token and perform operations without re-entering credentials.
Auth Methods Overview
Auth Method | Command Example | Description |
---|---|---|
Okta | vault login -method=okta username=<email> | Authenticate via Okta SSO |
AppRole | vault write auth/approle/login role_id="ID" secret_id="SECRET" | Machine-to-machine auth using RoleID & SecretID |
Userpass | vault login -method=userpass username=<user> | Username/password authentication |
Token | vault login <token> | Directly supply an existing token |
1. Okta Authentication with Vault CLI
To log in using Okta, run:
PS C:\> vault login -method=okta username=<email>
Password (will be hidden):
After entering your password, you’ll see:
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. Future Vault requests will
automatically use this token.
Key Value
--- -----
token s.WVWlWxsVF9X6lXmhaJaKrYiz
token_accessor nHTiWyp513OXwT1bZNkZlBq4
token_duration 768h
token_renewable true
token_policies ["bryan" "default"]
identity_policies []
policies ["bryan" "default"]
token_meta_username <email>
Note
Vault stores this token in the helper file ($HOME/.vault-token on Linux/macOS or C:\Users\<User>\.vault-token on Windows). You can verify it with:
PS C:\> Get-Content $HOME\.vault-token
s.WVWlWxsVF9X6lXmhaJaKrYiz
2. Performing Vault Operations
Once authenticated, you can enable or disable auth methods, list policies, and perform other Vault operations without re-entering credentials:
PS C:\> vault auth enable aws
Success! Enabled aws auth method at: aws/
PS C:\> vault auth disable aws
Success! Disabled the auth method (if it existed) at: aws/
PS C:\> vault policy list
bryan
default
root
3. AppRole Authentication
AppRole requires both a Role ID and a Secret ID. Use this method for machine-to-machine authentication:
PS C:\> vault write auth/approle/login `
role_id="YOUR_ROLE_ID" `
secret_id="YOUR_SECRET_ID"
You’ll receive a token and metadata in a similar table format.
Warning
Keep your secret_id secure and rotate it regularly. Do not commit your credentials to version control.
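One way to script the AppRole login above without typing the secret_id on the command line, shown as an added example that is not part of the original course material. The environment variable name and the secret_id file path are assumptions; the Vault CLI flags and JSON fields are standard.

```powershell
# Added example: AppRole login that keeps the secret_id and the token out of
# the command line, shell history and logs. Names marked "hypothetical" are
# assumptions, not values from the course.
$ErrorActionPreference = 'Stop'

$RoleId       = $env:APPROLE_ROLE_ID               # hypothetical variable name
$SecretIdFile = 'C:\ProgramData\myapp\secret_id'   # hypothetical path, ACL'd to the service account

if (-not $RoleId) { throw 'APPROLE_ROLE_ID is not set' }
if (-not (Test-Path -LiteralPath $SecretIdFile)) { throw "secret_id file not found: $SecretIdFile" }

# key=@file makes the Vault CLI read the value from the file, so the secret_id
# never appears in PSReadLine history or the process list. The file content is
# used verbatim: write it without a trailing newline (Set-Content -NoNewline).
$json = vault write -format=json auth/approle/login "role_id=$RoleId" "secret_id=@$SecretIdFile"
if ($LASTEXITCODE -ne 0) { throw "AppRole login failed (exit code $LASTEXITCODE)" }

$auth = ($json | Out-String | ConvertFrom-Json).auth

# 'vault write' only returns the token; unlike 'vault login' it does not save
# it to the .vault-token helper file. Keep it in this process's environment,
# which takes precedence over any token already stored by the helper.
$env:VAULT_TOKEN = $auth.client_token

# Log non-secret metadata only. The accessor identifies the token for audit
# and revocation without granting access.
"accessor  = $($auth.accessor)"
"policies  = $($auth.policies -join ', ')"
"ttl       = $($auth.lease_duration)s (renewable: $($auth.renewable))"

try {
    # Application work goes here; every vault command picks up VAULT_TOKEN.
    $ttl = (vault token lookup -format=json | Out-String | ConvertFrom-Json).data.ttl
    if ($LASTEXITCODE -ne 0) { throw 'token lookup failed' }
    "token valid, $ttl seconds remaining"
}
finally {
    # Revoke the short-lived token and clear it from the environment.
    vault token revoke -self | Out-Null
    Remove-Item Env:VAULT_TOKEN -ErrorAction SilentlyContinue
}
```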
4. Userpass Authentication
For the built-in Userpass method, provide your username and password:
PS C:\> vault login -method=userpass username=bryan
Password (will be hidden):
Vault issues a token and stores it in the helper file for future CLI commands.
5. Direct Token Login
If you already have a valid Vault token, you can log in directly:
PS C:\> vault login s.wYWWXsVfF9X6lXhmaJaKrYiz
Success! You are now authenticated. The token information displayed below
is already stored in the token helper.
Future commands will use this token automatically. You can then enable another auth method, for example Azure:
PS C:\> vault auth enable azure
Success! Enabled azure auth method at: azure/
Next Steps & References
- Explore additional auth methods in the Vault Authentication Methods Docs.
- Learn more about AppRole: AppRole Authentication.
- Manage tokens and helpers: Vault Tokens.
You now have a solid understanding of using various authentication methods with the Vault CLI.