vault/docs/Identity.md

# Identity and Authentication

## Token Authentication

Setup `VAULT_ADDR` and `VAULT_TOKEN` environment variables to authenticate with Vault using a token.

Store the root token in 1Password and retrieve it when needed using CLI commands.

```bash
export OP_VAULT_TOKEN="op://Private/root Vault Koszewscy/password"
export VAULT_ADDR="https://vault.koszewscy.waw.pl" VAULT_TOKEN="${OP_VAULT_TOKEN}"
```

Then, run the vault using:

```bash
op run -- vault login $VAULT_TOKEN
```

1Password CLI will fetch the token from the specified path in your 1Password vault and replace the secret reference with the actual token value when executing the command. However, that method adds a delay due to the `op run` command.

Alternatively, you can directly set the `VAULT_TOKEN` environment variable by reading the token from 1Password:

```bash
export VAULT_TOKEN=$(op read "op://Private/root Vault Koszewscy/password")
```

With VAULT_TOKEN set, `vault` authenticates directly.

## Userpass Authentication Method

### Login with Userpass

Userpass authentication allows users to log in with a username and password.

```bash
vault login -method=userpass username="your-username"
```

The token is stored in a file located at `~/.vault-token` by default. Although, the token file is secured with file permissions, it contains a plaintext token. Change the token time-to-live (TTL) to limit its validity period.

```bash
vault write auth/userpass/users/your-username max_token_ttl="12h" token_ttl="1h"
```

Limit the token's usage to known IP addresses for added security.

```bash
vault write auth/userpass/users/your-username token_bound_cidrs="192.168.2.0/24"
```

You can also set VAULT_TOKEN with the following command:

```bash
export VAULT_TOKEN=$(vault login -token-only -method=userpass username="your-username")
```

or a function like this:

```bash
function v_login() {
    local VAULT_USERNAME=${1:-"your-username"}
    vault login -format=json -method=userpass username="$VAULT_USERNAME" |
        jq -r '.auth | [.client_token, .accessor] | @tsv' | read -r VAULT_TOKEN TOKEN_ACCESSOR
    echo "Logged in as $VAULT_USERNAME (Token accessor: $TOKEN_ACCESSOR)"
    export VAULT_TOKEN TOKEN_ACCESSOR
}
```

> **Note:** The `-token-only` is an equivalent of `-field=token -no-store` options.

You can then use the `TOKEN_ACCESSOR` to look up token details without exposing the actual token.

```bash
vault token lookup -accessor $TOKEN_ACCESSOR
```

Use the `vault token renew` command to renew the token before it expires.

```bash
vault token renew
```

### User Management

List all users:

```bash
vault list auth/userpass/users
```

Create a new user:

```bash
vault write auth/userpass/users/new-username password="new-password" policies="default"
```

> **Note:** key="value" pairs may contain scalars or lists (comma-separated values).

Read user details:

```bash
vault read auth/userpass/users/username
```

## Entities and Groups

### Entities

Docs: [https://developer.hashicorp.com/vault/api-docs/secret/identity/entity](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity)

List entities by id:

```bash
vault list identity/entity/id
```

or by name:

```bash
vault list identity/entity/name
```

[Read entity details by id](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#read-entity-by-id)
or [by name](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#read-entity-by-name):

```bash
vault read identity/entity/id/<entity-id>
vault read identity/entity/name/<entity-name>
```

[Create a new entity](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#create-an-entity):

```bash
vault write identity/entity name="entity-name" policies="default" metadata=key1=value1 metadata=key2=value2
```

### Entity Aliases

Docs: [https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias)