Difficulty: beginner
Estimated Time: 10 minutes



Before a client can interact with Vault, it must authenticate against an auth method. Auth methods perform authentication to verify the user or machine-supplied information. Some of the supported auth methods are targeted towards human users while others are targeted toward machines or apps. Upon authentication, a token is generated. This token is conceptually similar to a session ID on a website. The token may have attached policy, which is mapped at authentication time.

This scenario supplements the [AppRole Pull Authentication(https://learn.hashicorp.com/vault/identity-access-management/iam-authentication)) guide.

AppRole Auth Method

The approle auth method allows machines or apps to authenticate with Vault-defined roles.

This Katacoda scenario walks through the basics of AppRole auth method.

Vault AppRole Auth Method

Step 1 of 3

Enable and configure AppRole

Before begin, login with Vault using a root token.

Click on the command () will automatically copy it into the terminal and execute it.

vault login root

A policy file, jenkins.hcl is provided. This policy grants read-only permission on the secret/data/myapp/* path. Execute the following command to create a policy named, jenkins.

vault policy write jenkins jenkins.hcl

Create some test data at secret/myapp/db-config:

vault kv put secret/myapp/db-config @data.json

Verify to see that test data was successfully created:

vault kv get secret/myapp/db-config

Setup AppRole

For the purpose of introducing the basics of AppRole, this guide walks you through a very simple scenario involving only two personas (admin and app).

Execute the following command to enable the approle auth method:

vault auth enable approle

This enables the approle at the approle/ path.

vault auth list

Create a role named jenkins with jenkins policy attached. (NOTE: This example creates a role which operates in pull mode.)

vault write auth/approle/role/jenkins token_policies="jenkins" \
      token_ttl=1h token_max_ttl=4h

To view the jenkins role details:

vault read auth/approle/role/jenkins
Key                        Value
---                        -----
token_max_ttl              4h
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [jenkins]
token_ttl                  1h
token_type                 default

When a client authenticates as jenkins role, the generated client token has a time-to-live (TTL) of 1 hour and it can be renewed for up to 4 hours of its first creation.