This is a brief guide to the concept and process of updating individual properties which comprise an AppRole role definition.
Certain properties within an AppRole role definition can be directly read, updated, or deleted through their property-specific API endpoints without the need to modify the role as an object.
The property-specific endpoints take the form /v1/auth/approle/role/:role_name/:property_name and are available as follows:
- /v1/auth/approle/role/:role_name/policies
- /v1/auth/approle/role/:role_name/secret-id-num-uses
- /v1/auth/approle/role/:role_name/secret-id-ttl
- /v1/auth/approle/role/:role_name/token-ttl
- /v1/auth/approle/role/:role_name/token-max-ttl
- /v1/auth/approle/role/:role_name/bind-secret-id
- /v1/auth/approle/role/:role_name/bound-cidr-list
- /v1/auth/approle/role/:role_name/period
We will work with the API and the CLI throughout this guide using curl and jq.
Using the Vault API
The first example shows how to update the bound_cidr_list property of an example role definition using the Vault API.
Read Existing Role Definition
Let’s begin by reading a previously specified role definition:
$ curl \
--silent \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request GET \
$VAULT_ADDR/v1/auth/approle/role/3e4deec2 \
| jq
{
"request_id": "1078edb3-5fed-a21d-18b7-53b76ebe33c9",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"bind_secret_id": true,
"bound_cidr_list": "10.1.42.0/24,10.1.44.0/24",
"period": 0,
"policies": [
"wildcard"
],
"secret_id_num_uses": 999999,
"secret_id_ttl": 2592000,
"token_max_ttl": 1512000,
"token_num_uses": 999999,
"token_ttl": 1296000
},
"wrap_info": null,
"warnings": null,
"auth": null
}
You’ll note that this role definition already contains a list of CIDRs as the value of bound_cidr_list.
Update Existing Role Definition Property
We’ll use the guidance from the Read, Update, or Delete AppRole Properties documentation to update only the bound_cidr_list property of the role to add a third CIDR, 10.1.40.0/24.
To avoid updating the entire role object, we access the property-specific /bound-cidr-list API endpoint with a POST, like this:
$ curl \
--header "X-Vault-Token: d59d301f-4882-e845-ad86-2cf1556f773c" \
--request POST \
--data '{"bound_cidr_list": "10.1.42.0/24,10.1.44.0/24,10.1.40.0/24"}' \
$VAULT_ADDR/v1/auth/approle/role/3e4deec2/bound-cidr-list
You should expect nothing returned if the request is successful.
Verify Role Definition
Let’s check our work by reading the role again:
$ curl \
--silent \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request GET \
$VAULT_ADDR/v1/auth/approle/role/3e4deec2 \
| jq
{
"request_id": "03d2603d-e978-4bf1-9c95-08b356fdc96f",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"bind_secret_id": true,
"bound_cidr_list": "10.1.42.0/24,10.1.44.0/24,10.1.40.0/24",
"period": 0,
"policies": [
"wildcard"
],
"secret_id_num_uses": 999999,
"secret_id_ttl": 2592000,
"token_max_ttl": 1512000,
"token_num_uses": 999999,
"token_ttl": 1296000
},
"wrap_info": null,
"warnings": null,
"auth": null
}
Note the presence of the additional CIDR, demonstrating that our update was a success.
Using the CLI
This process can also be done via the Vault CLI. We will briefly follow a process similar to the API example, except this time we will clear the value of bound_cidr_list by deleting it instead.
Read Existing Role Definition
We begin by reading the role definition:
$ vault read auth/approle/role/3e4deec2
Key                   Value
---                   -----
bind_secret_id        true
bound_cidr_list       10.1.42.0/24,10.1.44.0/24,10.1.40.0/24
period                0
policies              [wildcard]
secret_id_num_uses    999999
secret_id_ttl         2592000
token_max_ttl         1512000
token_num_uses        999999
token_ttl             1296000
Notice that the value of bound_cidr_list currently contains a list of three CIDRs.
Delete Existing Role Definition Property
Let’s delete the property-specific path bound-cidr-list to clear the existing CIDRs without affecting the rest of the role definition:
$ vault delete auth/approle/role/3e4deec2/bound-cidr-list
Success! Deleted 'auth/approle/role/3e4deec2/bound-cidr-list' if it existed.
Verify Role Definition
Finally, we have a look at the results of the deletion by reading from the role definition again:
$ vault read auth/approle/role/3e4deec2
Key                   Value
---                   -----
bind_secret_id        true
bound_cidr_list
period                0
policies              [wildcard]
secret_id_num_uses    999999
secret_id_ttl         2592000
token_max_ttl         1512000
token_num_uses        999999
token_ttl             1296000
The CIDRs have been cleared from bound_cidr_list, so the role no longer restricts the source addresses from which a login with its RoleID and SecretID is accepted.
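The two operations shown above (adding a CIDR through the property-specific endpoint, and removing one) can be scripted with curl and jq so that the current value is read, changed and written back without touching the rest of the role. The script below is an added example, not part of the Vault guide; it assumes VAULT_ADDR and VAULT_TOKEN are exported, that curl and jq are installed, and it uses the guide's role name 3e4deec2 by default. The add/remove subcommand names and the CIDR checks are this example's own.

```shell
# Added example: maintain an AppRole's bound_cidr_list via /bound-cidr-list.
# Assumes VAULT_ADDR and VAULT_TOKEN are exported; ROLE defaults to the
# guide's role name. Only the add/remove subcommands contact Vault.
ROLE="${ROLE:-3e4deec2}"
# Return 0 if $1 is an IPv4 CIDR of the form a.b.c.d/n with n in 0..32.
is_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; bits="${1#*/}"
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}
# Print comma-separated list $1 with CIDR $2 appended (no duplicates).
cidr_add() {
  is_cidr "$2" || { echo "invalid CIDR: $2" >&2; return 1; }
  case ",$1," in
    *",$2,"*) printf '%s\n' "$1" ;;
    *) printf '%s\n' "${1:+$1,}$2" ;;
  esac
}
# Print list $1 with CIDR $2 removed; an empty result clears the property.
cidr_remove() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -vxF "$2" | paste -s -d , -
}
# Read the property through its own endpoint (string, or array on newer Vault).
get_bound_cidrs() {
  curl --silent --fail --header "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/auth/approle/role/$ROLE/bound-cidr-list" \
    | jq -r '.data.bound_cidr_list // "" | if type == "array" then join(",") else . end'
}
# Write the property back; a successful POST returns no body, as in the guide.
set_bound_cidrs() {
  curl --silent --fail --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data "$(jq -cn --arg v "$1" '{bound_cidr_list: $v}')" \
    "$VAULT_ADDR/v1/auth/approle/role/$ROLE/bound-cidr-list"
}
# With no arguments the file only defines the functions above.
case "${1:-}" in
  add)    new="$(cidr_add "$(get_bound_cidrs)" "${2:-}")" || exit 1
          set_bound_cidrs "$new" && get_bound_cidrs ;;
  remove) set_bound_cidrs "$(cidr_remove "$(get_bound_cidrs)" "${2:-}")" && get_bound_cidrs ;;
  "")     ;;
  *)      echo "usage: $0 add|remove CIDR" >&2; exit 2 ;;
esac
```

Run it as `sh approle_cidrs.sh add 10.1.40.0/24` or `sh approle_cidrs.sh remove 10.1.40.0/24` (the file name is hypothetical); each call prints the property's value after the change so the result can be checked the way the guide does.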