Learn to configure and use Vault's AppRole auth method for application authentication.

Time to Complete: 20 minutes

Preview Mode: Use Cmd/Ctrl + Shift + V in VSCode to see a nicely formatted version of this lab!
- Create a Codespace from this repo (click the button below).
- Once the Codespace is running, open the integrated terminal.
- Follow the instructions in each lab to complete the exercises.
- Enable AppRole auth if not yet enabled:

```bash
# Log in with a valid token
vault login root
# Validate that AppRole is already enabled at the approle/ path
vault auth list
```
- Create a policy for the app:

```bash
vault policy write app-policy - <<EOF
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
EOF
```
- Create the AppRole:

```bash
vault write auth/approle/role/my-app \
  token_policies="app-policy" \
  token_ttl=1h \
  token_max_ttl=4h \
  bind_secret_id=true
```
- Get the RoleID:

```bash
vault read auth/approle/role/my-app/role-id
```

- Generate a SecretID:

```bash
vault write -f auth/approle/role/my-app/secret-id
```
- Write a secret to use for testing:

```bash
vault kv put secret/app/config db_conn=prod-db.krausen.io:3306
```
- Log in using AppRole:

```bash
vault write auth/approle/login \
  role_id="<role_id>" \
  secret_id="<secret_id>"
```
- Test access with the token:

```bash
# Store token
export VAULT_TOKEN="<token from login>"
# Test permissions
vault kv put secret/app/config api_key="test123" # Should fail (read-only)
vault kv get secret/app/config                   # Should work
```
- Create an AppRole with constraints:

```bash
vault write auth/approle/role/restricted-app \
  token_policies="app-policy" \
  secret_id_ttl=30m \
  token_num_uses=10 \
  secret_id_num_uses=1 \
  token_ttl=20m
```
- Generate and use a one-time SecretID:

```bash
vault write -f auth/approle/role/restricted-app/secret-id
vault write auth/approle/login \
  role_id="<restricted_role_id>" \
  secret_id="<one_time_secret_id>"
```
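How an application would perform the login steps above without the CLI, as an added example that is not part of this lab: it posts to Vault's `auth/approle/login` HTTP endpoint, checks the response before trusting the token (expected policies, TTL, renewable flag), keeps the token out of `repr()`/logs, and, using a constructed stand-in for Vault, shows what the caller sees when the one-time SecretID of the `restricted-app` role is presented a second time. `VAULT_ADDR`, the `transport` argument, the `required_policies` check, `OneTimeSecretIdTransport` and all sample values are assumptions of this example, not part of Vault or the lab.

```python
"""AppRole login against Vault's HTTP API (added example, not lab code)."""
import json
import os
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class AppRoleToken:
    client_token: str
    policies: list
    ttl_seconds: int
    renewable: bool
    obtained_at: float = field(default_factory=time.time)

    def renew_deadline(self, fraction=2 / 3):
        """Renew (or re-login) before this point, by default two-thirds into the TTL."""
        return self.obtained_at + self.ttl_seconds * fraction

    def __repr__(self):
        # Keep the token itself out of logs and tracebacks.
        return f"AppRoleToken(policies={self.policies}, ttl={self.ttl_seconds}s)"


def http_transport(url, body):
    """Real transport: POST JSON to Vault and return (HTTP status, parsed body)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read()
        # Vault reports failures as {"errors": [...]}; fall back if the body is empty.
        return err.code, json.loads(raw) if raw else {"errors": [str(err)]}


def approle_login(role_id, secret_id, vault_addr=None, transport=http_transport,
                  required_policies=("app-policy",)):
    """Exchange RoleID + SecretID for a client token, validating the response."""
    addr = (vault_addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
    status, payload = transport(addr + "/v1/auth/approle/login",
                                {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise PermissionError(f"AppRole login failed (HTTP {status}): {payload.get('errors')}")
    auth = payload["auth"]
    token = AppRoleToken(
        client_token=auth["client_token"],
        policies=list(auth.get("token_policies", auth.get("policies", []))),
        ttl_seconds=int(auth["lease_duration"]),
        renewable=bool(auth.get("renewable", False)),
    )
    # A token that did not receive the policies the app needs is a misconfiguration;
    # fail now rather than at the first secret read.
    missing = set(required_policies) - set(token.policies)
    if missing:
        raise PermissionError(f"token lacks expected policies: {sorted(missing)}")
    return token


# Constructed sample of a successful login response (shape of Vault's API, values made up).
SAMPLE_LOGIN_RESPONSE = {
    "auth": {
        "client_token": "hvs.EXAMPLE-TOKEN-VALUE",
        "accessor": "EXAMPLE-ACCESSOR",
        "token_policies": ["app-policy", "default"],
        "metadata": {"role_name": "my-app"},
        "lease_duration": 3600,
        "renewable": True,
        "token_type": "service",
    }
}


class OneTimeSecretIdTransport:
    """Constructed stand-in for Vault: accepts the SecretID once (as with
    secret_id_num_uses=1 on the restricted-app role), then rejects it."""

    def __init__(self):
        self.calls = 0

    def __call__(self, url, body):
        self.calls += 1
        assert url.endswith("/v1/auth/approle/login"), url
        if self.calls == 1 and body == {"role_id": "role-id-example",
                                        "secret_id": "secret-id-example"}:
            return 200, SAMPLE_LOGIN_RESPONSE
        return 400, {"errors": ["invalid secret id"]}  # constructed error body


if __name__ == "__main__":
    fake = OneTimeSecretIdTransport()
    tok = approle_login("role-id-example", "secret-id-example",
                        vault_addr="http://vault.example:8200", transport=fake)
    print(tok, "renew by", time.ctime(tok.renew_deadline()))
    try:
        approle_login("role-id-example", "secret-id-example",
                      vault_addr="http://vault.example:8200", transport=fake)
    except PermissionError as exc:
        print("second use of one-time SecretID rejected:", exc)
```

Against a real server, drop the `transport` argument and set `VAULT_ADDR`; the RoleID is fine to bake into the deployment, but the SecretID should be delivered at runtime and never committed alongside it, which is what the one-time `secret_id_num_uses=1` setting is designed to support.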
- Create a new AppRole with:
  - 1-hour token TTL
  - Maximum 3 SecretID uses
  - Token bound to CIDR blocks
- Test authentication
- Verify token restrictions
- Clean up (switch back to the root token, then remove the lab's auth method and policy):

```bash
export VAULT_TOKEN="root"
vault auth disable approle
vault policy delete app-policy
```