Difficulty: beginner
Estimated Time: 10 minutes

Vault logo


Before a client can interact with Vault, it must authenticate against an auth method. Auth methods perform authentication to verify the user or machine-supplied information. Some of the supported auth methods are targeted towards human users while others are targeted toward machines or apps. Upon authentication, a token is generated. This token is conceptually similar to a session ID on a website. The token may have attached policy, which is mapped at authentication time.

This scenario supplements the [AppRole Pull Authentication(https://learn.hashicorp.com/vault/identity-access-management/iam-authentication)) guide.

AppRole Auth Method

The approle auth method allows machines or apps to authenticate with Vault-defined roles.

This Katacoda scenario walks through the basics of AppRole auth method.

Vault AppRole Auth Method

Step 1 of 3

Enable and configure AppRole

Before begin, login with Vault using a root token.

Click on the command () will automatically copy it into the terminal and execute it.

vault login root

A policy file, jenkins.hcl is provided. This policy grants read-only permission on the secret/data/myapp/* path. Execute the following command to create a policy named, jenkins.

vault policy write jenkins jenkins.hcl

Create some test data at secret/myapp/db-config:

vault kv put secret/myapp/db-config @data.json

Verify to see that test data was successfully created:

vault kv get secret/myapp/db-config

Setup AppRole

For the purpose of introducing the basics of AppRole, this guide walks you through a very simple scenario involving only two personas (admin and app).

Execute the following command to enable the approle auth method:

vault auth enable approle

This enables the approle at the approle/ path.

vault auth list

Create a role named jenkins with jenkins policy attached. (NOTE: This example creates a role which operates in pull mode.)

vault write auth/approle/role/jenkins token_policies="jenkins" \
      token_ttl=1h token_max_ttl=4h

To view the jenkins role details:

vault read auth/approle/role/jenkins
Key                        Value
---                        -----
token_max_ttl              4h
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [jenkins]
token_ttl                  1h
token_type                 default

When a client authenticates as jenkins role, the generated client token has a time-to-live (TTL) of 1 hour and it can be renewed for up to 4 hours of its first creation.

This tab will not be visible to users and provides only information to help authors when creating content.

Creating Katacoda Scenarios

Thanks for creating Katacoda scenarios. This tab is designed to help you as an author have quick access the information you need when creating scenarios.

Here are some useful links to get you started.

Running Katacoda Workshops

If you are planning to use Katacoda for workshops, please contact [email protected] to arrange capacity.

Debugging Scenarios

Below is the response from any background scripts run or files uploaded. This stream can aid debugging scenarios.

If you still need assistance, please contact [email protected]