AppRole Auth Method

What Is AppRole?
Authentication Workflow
Configuration Workflow
Why Use AppRole for a Fleet of Web Servers?
AppRole Configuration Tips
Step-by-Step Guide
1. Enable the AppRole Auth Method
2. Create a Role
3. View Role Configuration
4. Retrieve the Role ID
5. Generate a Secret ID
6. Authenticate with AppRole (CLI)
7. Authenticate with AppRole (HTTP API)
Links and References

HashiCorp Vault’s AppRole auth method enables machines and automated pipelines to authenticate securely using a predefined role. Each AppRole consists of:

A static Role ID (like a username).
One or more Secret IDs (like one-time passwords).

Combining Role ID + Secret ID grants a Vault token, similar to how users log in with username and password.

AppRole is ideal for non-interactive workloads (CI/CD pipelines, containers, VMs) that require short-lived credentials.

What Is AppRole?

AppRole is a secrets-engine authentication method in Vault. It’s commonly used when human interaction isn’t possible or desired. You:

Enable the approle auth method.
Create a role with policies, TTLs, and CIDR restrictions.
Distribute the static Role ID and dynamically generate Secret IDs.

Authentication Workflow

Vault Admin enables AppRole and creates a role (e.g., hcvop).
Developer reads the static Role ID and bakes it into the container image.
CI/CD pipeline requests a new Secret ID (optionally wrapped).
Pipeline deploys the container, injecting Role ID + Secret ID.
Application logs in and receives a Vault token.

Configuration Workflow

Enable the AppRole auth method at a path (default or custom).
Create a role with policies, TTL settings, and CIDR restrictions.
Read the constant Role ID.
Generate a unique Secret ID at deployment time.

Why Use AppRole for a Fleet of Web Servers?

Multiple instances share the same Role ID but each receives a unique Secret ID. This approach:

Prevents credential sharing between workloads.
Enables single-workload revocation and auditing.

AppRole Configuration Tips

Use the table below to tune your AppRole role:

Parameter	Description
token_policies	Vault policies attached to the generated token (e.g., `web-app`).
token_ttl	Default TTL for tokens issued under this role (e.g., `1h`).
token_max_ttl	Maximum TTL users can renew tokens to (e.g., `24h`).
secret_id_ttl	Time-to-live for unused Secret IDs to limit exposure.
token_bound_cidrs	List of CIDR blocks from which the token is valid (e.g., `10.1.16.0/16`).
token_type	Token type (`service` or `batch`). Batch tokens cannot be renewed.

Step-by-Step Guide

1. Enable the AppRole Auth Method

# Default path: "approle"
vault auth enable approle

# Custom path: "hcvop"
vault auth enable -path=hcvop approle

2. Create a Role

vault write auth/approle/role/hcvop \
  token_policies=web-app \
  token_ttl=1h \
  token_max_ttl=24h \
  secret_id_ttl=24h \
  token_bound_cidrs="10.1.16.0/16" \
  token_type=batch

3. View Role Configuration

vault read auth/approle/role/hcvop

Sample output:

Key                    Value
---                    -----
token_policies         [web-app]
token_ttl              1h
token_max_ttl          24h
secret_id_ttl          24h
token_bound_cidrs      [10.1.16.0/16]
token_type             batch

4. Retrieve the Role ID

vault read auth/approle/role/hcvop/role-id

Key     Value
---     -----
role_id 22549d0d-147a-d6e2-fa2e-9cedd3b20977

5. Generate a Secret ID

secret_id is sensitive. Store or wrap it securely and avoid long-lived exposure.

vault write -f auth/approle/role/hcvop/secret-id

Key                Value
---                -----
secret_id          0514b3b1-e1ce-2741-0b57-ef836c29c7d3
secret_id_accessor da025e1f-7247-1888-218c-37382d31e98e
secret_id_ttl      24h

6. Authenticate with AppRole (CLI)

vault write auth/approle/login \
  role_id=22549d0d-147a-d6e2-fa2e-9cedd3b20977 \
  secret_id=0514b3b1-e1ce-2741-0b57-ef836c29c7d3

Sample response:

Key                   Value
---                   -----
token                 hvs.CAESIGjTXNY...
token_accessor        KmRLXSRBozhXo...
token_duration        24h
token_renewable       true
token_policies        ["default" "web-app"]
token_meta_role_name  hcvop

7. Authenticate with AppRole (HTTP API)

curl --request POST \
     --data '{"role_id":"22549d0d-147a-d6e2-fa2e-9cedd3b20977","secret_id":"0514b3b1-e1ce-2741-0b57-ef836c29c7d3"}' \
     https://vault.example.com:8200/v1/auth/approle/login | jq .

Sample JSON:

{
  "auth": {
    "client_token": "hvs.CAESIIJoCqiCpci...",
    "policies": ["default","web-app"],
    "metadata": {"role_name":"hcvop"},
    "lease_duration": 2764800,
    "renewable": true,
    "token_type": "service"
  }
}

Extract only the token:

curl --request POST \
     --data '{"role_id":"...","secret_id":"..."}' \
     https://vault.example.com:8200/v1/auth/approle/login \
  | jq -r '.auth.client_token'

That concludes the AppRole auth method guide. For human-centric authentication, explore the Userpass auth method.

Links and References

Watch Video

Enable and Configure Auth Methods

Demo AppRole Auth Method

⌘I

Introduction

Create a working Vault server configuration given a scenario

Monitor a Vault Environment

Employ the Vault Security Model

Build Fault Tolerant Vault Environments

Understand the Hardware Security Module HSM Integration

Scale Vault for Performance

Configure Access Control

Configure Vault Agent

Exam Experience and Expectations

AppRole Auth Method

What Is AppRole?

Authentication Workflow

Configuration Workflow

Why Use AppRole for a Fleet of Web Servers?

AppRole Configuration Tips

Step-by-Step Guide

1. Enable the AppRole Auth Method

2. Create a Role

3. View Role Configuration

4. Retrieve the Role ID

5. Generate a Secret ID

6. Authenticate with AppRole (CLI)

7. Authenticate with AppRole (HTTP API)

Links and References

Watch Video

Introduction

Create a working Vault server configuration given a scenario

Monitor a Vault Environment

Employ the Vault Security Model

Build Fault Tolerant Vault Environments

Understand the Hardware Security Module HSM Integration

Scale Vault for Performance

Configure Access Control

Configure Vault Agent

Exam Experience and Expectations

​What Is AppRole?

​Authentication Workflow

​Configuration Workflow

​Why Use AppRole for a Fleet of Web Servers?

​AppRole Configuration Tips

​Step-by-Step Guide

​1. Enable the AppRole Auth Method

​2. Create a Role

​3. View Role Configuration

​4. Retrieve the Role ID

​5. Generate a Secret ID

​6. Authenticate with AppRole (CLI)

​7. Authenticate with AppRole (HTTP API)

​Links and References

Watch Video

What Is AppRole?

Authentication Workflow

Configuration Workflow

Why Use AppRole for a Fleet of Web Servers?

AppRole Configuration Tips

Step-by-Step Guide

1. Enable the AppRole Auth Method

2. Create a Role

3. View Role Configuration

4. Retrieve the Role ID

5. Generate a Secret ID

6. Authenticate with AppRole (CLI)

7. Authenticate with AppRole (HTTP API)

Links and References