3.9 KiB
Identity and Authentication
Token Authentication
Setup VAULT_ADDR and VAULT_TOKEN environment variables to authenticate with Vault using a token.
Store the root token in 1Password and retrieve it when needed using CLI commands.
export OP_VAULT_TOKEN="op://Private/root Vault Koszewscy/password"
export VAULT_ADDR="https://vault.koszewscy.waw.pl" VAULT_TOKEN="${OP_VAULT_TOKEN}"
Then, run the vault using:
op run -- vault login $VAULT_TOKEN
1Password CLI will fetch the token from the specified path in your 1Password vault and replace the secret reference with the actual token value when executing the command. However, that method adds a delay due to the op run command.
Alternatively, you can directly set the VAULT_TOKEN environment variable by reading the token from 1Password:
export VAULT_TOKEN=$(op read "op://Private/root Vault Koszewscy/password")
With VAULT_TOKEN set, vault authenticates directly.
Userpass Authentication Method
Login with Userpass
Userpass authentication allows users to log in with a username and password.
vault login -method=userpass username="your-username"
The token is stored in a file located at ~/.vault-token by default. Although, the token file is secured with file permissions, it contains a plaintext token. Change the token time-to-live (TTL) to limit its validity period.
vault write auth/userpass/users/your-username max_token_ttl="12h" token_ttl="1h"
Limit the token's usage to known IP addresses for added security.
vault write auth/userpass/users/your-username token_bound_cidrs="192.168.2.0/24"
You can also set VAULT_TOKEN with the following command:
export VAULT_TOKEN=$(vault login -token-only -method=userpass username="your-username")
or a function like this:
function v_login() {
local VAULT_USERNAME=${1:-"your-username"}
vault login -format=json -method=userpass username="$VAULT_USERNAME" |
jq -r '.auth | [.client_token, .accessor] | @tsv' | read -r VAULT_TOKEN TOKEN_ACCESSOR
echo "Logged in as $VAULT_USERNAME (Token accessor: $TOKEN_ACCESSOR)"
export VAULT_TOKEN TOKEN_ACCESSOR
}
Note: The
-token-onlyis an equivalent of-field=token -no-storeoptions.
You can then use the TOKEN_ACCESSOR to look up token details without exposing the actual token.
vault token lookup -accessor $TOKEN_ACCESSOR
Use the vault token renew command to renew the token before it expires.
vault token renew
User Management
List all users:
vault list auth/userpass/users
Create a new user:
vault write auth/userpass/users/new-username password="new-password" policies="default"
Note: key="value" pairs may contain scalars or lists (comma-separated values).
Read user details:
vault read auth/userpass/users/username
Entities and Groups
Entities
Docs: https://developer.hashicorp.com/vault/api-docs/secret/identity/entity
List entities by id:
vault list identity/entity/id
or by name:
vault list identity/entity/name
Read entity details by id or by name:
vault read identity/entity/id/<entity-id>
vault read identity/entity/name/<entity-name>
vault write identity/entity name="entity-name" policies="default" metadata=key1=value1 metadata=key2=value2
Entity Aliases
Docs: https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias