Introduction
This article outlines the steps required to set up TOTP MFA using the userpass auth method. After setup, a user who logs in with the userpass auth method must supply a valid TOTP passcode from the issuer whenever they access a path whose policy requires the MFA method; the login itself is unchanged, but reads of the protected path fail until a passcode is presented.
Prerequisites
- Multi-factor Authentication (MFA) requires Vault Enterprise
Procedure
1. Enable the userpass auth method:
vault auth enable userpass
2. Configure TOTP MFA with Vault as the issuer. period is the passcode lifetime in seconds (300 here, so each code is valid for five minutes; 30 is the conventional TOTP period and keeps the replay window short), key_size is the length in bytes of the generated key, and algorithm and digits must be values the users' authenticator apps support:
vault write sys/mfa/method/totp/my_totp issuer=Vault period=300 key_size=30 algorithm=SHA256 digits=6
3. Create a policy that grants read access to secret/foo only when the request carries a passcode from the MFA method created above (the mfa_methods key is what enforces this):
vault policy write totp-policy -<<EOF
path "secret/foo" {
capabilities = ["read"]
mfa_methods = ["my_totp"]
}
EOF
4. Create a user in the userpass auth method with the associated TOTP policy:
vault write auth/userpass/users/testuser password=testpassword policies=totp-policy
5. Authenticate with the userpass auth method:
vault write auth/userpass/login/testuser password=testpassword
6. Fetch the entity ID from the token. The caller's identity is represented by the entity_id property of the token:
vault token lookup <token generated from the above command>
7. Generate a TOTP key for that entity. The response contains a barcode (QR code image) and an otpauth URL, either of which can be loaded into a third-party authenticator app:
vault write sys/mfa/method/totp/my_totp/admin-generate entity_id=<taken from the above command>
You can either use Vault as the generator of the passcodes or any third-party generator such as an authenticator app. Once the key is enrolled, each request to the protected path must carry the current passcode in the X-Vault-MFA header, in the form my_totp:<passcode> (the CLI exposes this as the -mfa flag); with a valid passcode the user will be able to read secret/foo. To use Vault as the generator of the key, follow the instructions here.
Note: MFA is applicable only to tokens that contain identity information. If you examine the token created by logging in with the userpass auth method, you will see the associated identity information (the entity_id shown in step 6).
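The following is an added example, not code from the original article or from Vault itself. It shows the client side of the procedure above: parsing the otpauth URL that admin-generate returns, computing the RFC 6238 passcode with the method's algorithm, digits and period, and building the X-Vault-MFA header value that must accompany a read of secret/foo. The URL is constructed for illustration (its secret is the RFC 6238 SHA-256 test key, not a key issued by Vault), and the verify function with a skew of one period is a model of how a TOTP validator accepts neighbouring time steps, included to show why a 300-second period gives a much wider acceptance window than the conventional 30 seconds. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash constructors keyed by the algorithm names Vault's TOTP method accepts.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# RFC 6238 test keys (ASCII), used so the results can be checked against the RFC's vectors.
RFC_KEY_SHA1 = base64.b32encode(b"12345678901234567890").decode()
RFC_KEY_SHA256 = base64.b32encode(b"12345678901234567890123456789012").decode()
RFC_KEY_SHA512 = base64.b32encode(b"1234567890" * 6 + b"1234").decode()

# Constructed sample of the kind of otpauth URL admin-generate returns for the
# my_totp method configured above (issuer=Vault, SHA256, 6 digits, period 300).
# The secret is the RFC 6238 SHA-256 test key, not a real Vault-issued key.
SAMPLE_URL = (
    "otpauth://totp/Vault:testuser?algorithm=SHA256&digits=6&issuer=Vault"
    "&period=300&secret=" + RFC_KEY_SHA256.rstrip("=")
)


def parse_otpauth(url):
    """Extract label, secret and TOTP parameters from an otpauth://totp/... URL."""
    p = urlparse(url)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not an otpauth TOTP URL")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "issuer": q.get("issuer"),
    }


def totp(secret_b32, at, algorithm="SHA1", digits=6, period=30):
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, mod 10^digits."""
    # Authenticator URLs often omit base32 padding; restore it before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def passcode_from_url(url, at=None):
    """Compute the current passcode for an enrolled otpauth URL."""
    prm = parse_otpauth(url)
    when = time.time() if at is None else at
    return totp(prm["secret"], when, prm["algorithm"], prm["digits"], prm["period"])


def mfa_header(method_name, passcode):
    """Header Vault's step-up MFA expects on requests to an mfa_methods-protected path."""
    return {"X-Vault-MFA": f"{method_name}:{passcode}"}


def verify(secret_b32, candidate, at, algorithm, digits, period, skew=1):
    """Model of validator behaviour: accept the current step and +/- skew neighbours."""
    for step in range(-skew, skew + 1):
        expected = totp(secret_b32, at + step * period, algorithm, digits, period)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def acceptance_window_seconds(period, skew=1):
    """Total time during which a single passcode is accepted by the model validator."""
    return period * (2 * skew + 1)


if __name__ == "__main__":
    code = passcode_from_url(SAMPLE_URL)
    print("current passcode:", code)
    print("header to send with the read of secret/foo:", mfa_header("my_totp", code))
    print("acceptance window with period=300:", acceptance_window_seconds(300), "s")
    print("acceptance window with period=30: ", acceptance_window_seconds(30), "s")
```

Run the script and pass the printed header on the request to secret/foo (with the CLI, the same value goes in the -mfa flag). Note the last two lines: with a skew of one period, a 300-second period means any given passcode is accepted for up to 15 minutes, against 90 seconds for the conventional period of 30.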