Before you begin, log in to Vault using a root token.
vault login root
A policy file, jenkins.hcl, is provided. This policy grants read-only permission on the secret/data/myapp/* path. Execute the following command to create a policy named jenkins:
vault policy write jenkins jenkins.hcl
Create some test data at secret/myapp/db-config:
vault kv put secret/myapp/db-config @data.json
Verify that the test data was successfully created:
vault kv get secret/myapp/db-config
For the purpose of introducing the basics of AppRole, this guide walks you through a very simple scenario involving only two personas (admin and app).
Execute the following command to enable the approle auth method:
vault auth enable approle
This enables the approle auth method at its default path, approle/. List the enabled auth methods to verify:
vault auth list
Create a role named jenkins with the jenkins policy attached. (NOTE: This example creates a role which operates in pull mode.)
vault write auth/approle/role/jenkins token_policies="jenkins" \
    token_ttl=1h token_max_ttl=4h
To view the jenkins role details:
vault read auth/approle/role/jenkins
Key                        Value
---                        -----
...
token_max_ttl              4h
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [jenkins]
token_ttl                  1h
token_type                 default
When a client authenticates with the jenkins role, the generated client token has a time-to-live (TTL) of 1 hour; it can be renewed, but never beyond 4 hours from its first creation.
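The role settings above are worth checking rather than trusting: attached policies should match exactly what was intended, and the TTL fields decide whether the max TTL actually bounds the token (a periodic token, or a role with token_max_ttl=0, is not bounded by the role). The following added example, not part of this guide or of HashiCorp's tooling, parses the JSON form of the role read shown above (a constructed sample embedded inline, with the secret_id_* fields omitted) and reports findings on the token settings; Vault duration strings such as "1h30m" are accepted as well as integer seconds.

```python
import json
import re

# Constructed sample: the jenkins role from this guide, as
# `vault read -format=json auth/approle/role/jenkins` would return it
# (TTLs as integer seconds). The real response also carries secret_id_* fields.
SAMPLE_ROLE_JSON = json.dumps({"data": {
    "token_ttl": 3600, "token_max_ttl": 14400, "token_period": 0,
    "token_num_uses": 0, "token_no_default_policy": False,
    "token_policies": ["jenkins"], "token_type": "default"}})

_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # units Vault accepts

def parse_duration(value):
    """Accept a Vault duration as integer seconds or a string like '1h30m'."""
    if isinstance(value, int):
        return value
    parts = re.findall(r"(\d+)([smhd])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNIT[u] for n, u in parts)

def check_role(raw_json, expected_policies):
    """Return (severity, message) findings for a role's token settings."""
    d = json.loads(raw_json)["data"]
    ttl, max_ttl = parse_duration(d["token_ttl"]), parse_duration(d["token_max_ttl"])
    period = parse_duration(d["token_period"])
    findings = []
    extra = set(d["token_policies"]) - set(expected_policies)
    missing = set(expected_policies) - set(d["token_policies"])
    if extra:
        findings.append(("high", f"unexpected policies attached: {sorted(extra)}"))
    if missing:
        findings.append(("high", f"expected policies missing: {sorted(missing)}"))
    if period:
        findings.append(("high", f"periodic token ({period}s): token_max_ttl does not apply"))
    elif max_ttl == 0:
        findings.append(("medium", "token_max_ttl=0: lifetime bounded only by the mount/system max"))
    elif ttl > max_ttl:
        findings.append(("medium", f"token_ttl {ttl}s exceeds token_max_ttl {max_ttl}s; Vault caps it"))
    if not d["token_no_default_policy"]:
        findings.append(("info", "the 'default' policy is attached in addition to token_policies"))
    if d["token_num_uses"] == 0:
        findings.append(("info", "token_num_uses=0: unlimited uses within the TTL"))
    return findings

if __name__ == "__main__":
    for sev, msg in check_role(SAMPLE_ROLE_JSON, {"jenkins"}):
        print(f"[{sev}] {msg}")
```

For the role created in this guide the only findings are informational (the default policy is also attached, and uses are unlimited within the TTL).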