Introduction
The AppRole auth method allows machines or apps to authenticate with Vault-defined roles. The open design of AppRole enables a varied set of workflows and configurations to handle large numbers of apps. This auth method is oriented to automated workflows (machines and services), and is less useful for human operators.
The Auto-Auth AppRole method reads in a role ID and a secret ID from files and sends the values to the AppRole Auth method. The method caches values and it is safe to delete the role ID/secret ID files after they have been read. In fact, by default, after reading the secret ID, the agent will delete the file. New files or values written at the expected locations will be used on next authentication and the new values will be cached.
Pre-requisites
- This guide assumes you have already enabled the AppRole Auth Method with the necessary permissions on the Vault server with an active role ID and secret ID.
- Save the role ID and the secret ID, each as a plain string, to its own file. The configuration below assumes these files reside in a directory named "approle" (relative to the agent's working directory).
Procedure
- Add the auto_auth and cache stanzas to the Vault agent (agent.hcl) configuration:
auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "approle/roleID"
      # When "secret_id_response_wrapping_path" is set below, the agent expects
      # this file to contain the response-wrapping token rather than the raw secret ID
      secret_id_file_path = "approle/secretID"
      # For response wrapping, set this to the secret-id path of the AppRole role
      # that the wrapping token was created against
      secret_id_response_wrapping_path = "auth/approle/role/agentdemo/secret-id"
      remove_secret_id_file_after_reading = true
    }
  }
  sink "file" {
    config = {
      path = "approle/vault-token-via-agent"
    }
  }
}
cache {
  use_auto_auth_token = true
}
- On the sink server (the host where the agent writes the token file), start the Vault agent with the following command:
$ vault agent -config=agent.hcl
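The agent reads the role ID and the secret ID (or wrapping token) from the files above and later writes the Vault token into the same directory, so those files should exist, be non-empty, and not be readable by other users before the agent is started. The following POSIX shell function is an added example for such a pre-flight check; it is not part of this guide or of Vault's own tooling. It assumes the "approle" directory layout from the pre-requisites (file names roleID and secretID) and accepts the directory as its only argument.

```shell
#!/bin/sh
# Pre-flight check for the AppRole auto-auth file layout (hypothetical helper,
# added here as an example; not shipped with Vault or the Vault agent).
# Usage: check_approle_files [directory]   (defaults to "approle")
# Returns 0 when the layout is usable, 1 with a message on stdout otherwise.
check_approle_files() {
  dir="${1:-approle}"

  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }

  # The token sink is written into this directory as well, so refuse a
  # directory that grants any access to "others" (last octal digit != 0).
  dmode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
  case "$dmode" in
    *0) ;;
    *) echo "directory $dir is accessible to others (mode $dmode)"; return 1 ;;
  esac

  for f in roleID secretID; do
    p="$dir/$f"
    [ -f "$p" ] || { echo "missing file: $p"; return 1; }
    [ -s "$p" ] || { echo "empty file: $p"; return 1; }

    # Only the owner should be able to read the credential files.
    # stat -c is GNU coreutils; stat -f %Lp is the BSD/macOS fallback.
    mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
    case "$mode" in
      600|400) ;;
      *) echo "permissive mode $mode on $p (expected 600 or 400)"; return 1 ;;
    esac
  done
  return 0
}

# Stand-alone run against the directory from the guide (or one given as $1).
if [ "${0##*/}" != "sh" ] && [ -n "$CHECK_APPROLE_MAIN" ]; then
  check_approle_files "$1"
fi
```

Run `check_approle_files approle` before `vault agent -config=agent.hcl`; a non-zero exit means the agent would either fail to authenticate (missing or empty file) or the credential files are readable more widely than intended.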