You created your first secret, learnedabout secrets engines and exploreddynamic secrets with the Vault serveryou started in development mode.
In this tutorial, you will explore authentication with Vault tokens and GitHubcredentials.
Token authentication is automatically enabled. When you started the dev server,the output displayed a root token. The Vault CLI read the root token from the$VAULT_TOKEN
environment variable. This root token can performany operation within Vault because it is assigned the root
policy. Onecapability is to create new tokens.
Create a new token.
$ vault token create
Example output:
Key Value--- -----token s.iyNUhq8Ov4hIAx6snw5mB2nLtoken_accessor maMfHsZfwLB6fi18Zenj3qh6token_duration ∞token_renewable falsetoken_policies ["root"]identity_policies []policies ["root"]
The token is created and the output describes this token a table of keys andvalues. The created token
is displayed here as s.iyNUhq8Ov4hIAx6snw5mB2nL
.
This token is a child of the root token, and by default, it inherits thepolicies from its parent.
Token is the core authentication method. You can use the generated token tologin with Vault, by copy and pasting it when prompted.
Example:
$ vault loginToken (will be hidden):Success! You are now authenticated. The token information displayed belowis already stored in the token helper. You do NOT need to run "vault login"again. Future Vault requests will automatically use this token.Key Value--- -----token s.iyNUhq8Ov4hIAx6snw5mB2nLtoken_accessor maMfHsZfwLB6fi18Zenj3qh6token_duration ∞token_renewable falsetoken_policies ["root"]identity_policies []policies ["root"]
Create another token.
$ vault token createKey Value--- -----token s.TsKT5ubouZ7TF26Eg7wNIl3ktoken_accessor b1d0curWHYqmgCndk0G1cM6Rtoken_duration ∞token_renewable falsetoken_policies ["root"]identity_policies []policies ["root"]
The token is created and displayed here as s.TsKT5ubouZ7TF26Eg7wNIl3k
. Eachtoken
that Vault creates is unique.
When a token is no longer needed it can be revoked.
Revoke the first token you created.
Example:
$ vault token revoke s.iyNUhq8Ov4hIAx6snw5mB2nLSuccess! Revoked token (if it existed)
The token has been revoked.
An attempt to login with the revoked token will result in an error.
$ vault loginToken (will be hidden):Error authenticating: error looking up token: Error making API request.URL: GET http://127.0.0.1:8200/v1/auth/token/lookup-selfCode: 403. Errors:* permission denied
Revoking a token will also revoke all tokens that were created by the token.
GitHub authentication
Vault supports authentication methodsfor human operators. GitHub authentication enables a user to authenticate withVault by providing their GitHub credentials and receive a Vault token.
Note This authentication method, as described in the exercises, requiresthat you have a GitHub profile, belong to a team in a GitHub organization, andhave generated a GitHub access token with the read:org
scope.
Enable the GitHub auth method.
$ vault auth enable githubSuccess! Enabled github auth method at: github/
The auth method is enabled and available at the path auth/github/
.
This auth method requires that you set a GitHub organization in theconfiguration. A GitHub organization maintains a list of users which you areallowing to authenticate with Vault.
Set the organization
for the github
authentication.
$ vault write auth/github/config organization=hashicorpSuccess! Data written to: auth/github/config
Now all users within the hashicorp
GitHub organization are able toauthenticate.
GitHub organizations can define teams. Each team may have access to differentactions across all the repositories that the organization maintains. Theseteams may also need access to specific secrets within Vault.
Configure the GitHub engineering
team authentication to be granted thedefault
and applications
policies.
$ vault write auth/github/map/teams/engineering value=default,applicationsSuccess! Data written to: auth/github/map/teams/engineering
The members of the GitHub engineering
team in the hashicorp
organizationwill authenticate and are authorized with the default
and applications
policies.
Note The applications policy is not yet defined in Vault. Vault stillallows users to authenticate but produces a warning until that policy isdefined.
Display all the authentication methods that Vault has enabled.
$ vault auth listPath Type Description---- ---- -----------github/ github n/atoken/ token token based credentials
The output displays the github
and token
auth methods.
Learn more about the github auth method using help
.
$ vault auth help githubUsage: vault login -method=github [CONFIG K=V...] The GitHub auth method allows users to authenticate using a GitHub personal access token. Users can generate a personal access token from the settings page on their GitHub account. Authenticate using a GitHub token: $ vault login -method=github token=abcd1234## ...
The output displays an example of login with the github
method. This methodrequires that the method be defined and that an operator provide a GitHubpersonal access token.
Since you will attempt to login with an auth method, you should ensure that the VAULT_TOKEN
environment variable is not set for this shell session since its value will take precedence over any token you obtain from Vault.
Unset the environment variable.
$ unset VAULT_TOKEN
Attempt to login with the github auth method.
$ vault login -method=githubGitHub Personal Access Token (will be hidden):Success! You are now authenticated. The token information displayed belowis already stored in the token helper. You do NOT need to run "vault login"again. Future Vault requests will automatically use this token.Key Value--- -----token s.DNtKCjVQ1TxAzgMqtDuwjjC2token_accessor e7zLJuPg2tLpav66ZSu5AyDCtoken_duration 768htoken_renewable truetoken_policies [default applications]token_meta_org hashicorptoken_meta_username my-user
When the GitHub personal access token is not provided to the commandthe Vault CLI prompts the operator. If a valid GitHub personal access token isprovided then the operator logs in and the output displays a Vault token. Theoperator can use the Vault token until it is revoked or its lifetime exceeds thetoken_duration
.
Log back in with the root token.
$ vault login root
Revoke all tokens generated the github
auth method.
$ vault token revoke -mode path auth/github
All tokens generated by logins to the path auth/github
are revoked.
All authentication methods, except for the token auth method, can be disabled.
Disable the github
auth method.
$ vault auth disable githubSuccess! Disabled the auth method (if it existed) at: github/
All tokens generated by logins using this authentication method are revoked.
Because you have the VAULT_TOKEN
environment variable set, the CLI commandswill always use this value (the initial root token) unless the environmentvariable gets unset or overwritten by another token value.
In this tutorial you learned how users can authenticate with Vault tokens andthe GitHub authentication method. Vault provides a variety of authenticationmethods for the human operators andmachines.
Next, you will learn about authorization and how to define policies.