The approle auth method allows machines or apps to authenticate with
Vault-defined roles. The open design of AppRole enables a varied set of
workflows and configurations to handle large numbers of apps. This auth method
is oriented to automated workflows (machines and services), and is less useful
for human operators.
An "AppRole" represents a set of Vault policies and login constraints that must
be met to receive a token with those policies. The scope can be as narrow or
broad as desired. An AppRole can be created for a particular machine, or even
a particular user on that machine, or a service spread across machines. The
credentials required for successful login depend upon the constraints set on
the AppRole associated with the credentials.
Auth methods must be configured in advance before users or machines can
authenticate. These steps are usually completed by an operator or configuration
management tool.
RoleID is an identifier that selects the AppRole against which the other
credentials are evaluated. When authenticating against this auth method's login
endpoint, the RoleID is a required argument (via role_id) at all times. By
default, RoleIDs are unique UUIDs, which allow them to serve as secondary
secrets to the other credential information. However, they can be set to
particular values to match introspected information by the client (for
instance, the client's domain name).
SecretID is a credential that is required by default for any login (via
secret_id) and is intended to always be secret. (For advanced usage,
requiring a SecretID can be disabled via an AppRole's bind_secret_id
parameter, allowing machines with only knowledge of the RoleID, or matching
other set constraints, to fetch a token). SecretIDs can be created against an
AppRole either via generation of a 128-bit purely random UUID by the role
itself (Pull mode) or via specific, custom values (Push mode). Similarly to
tokens, SecretIDs have properties like usage-limit, TTLs and expirations.
If the SecretID used for login is fetched from an AppRole, this is operating in
Pull mode. If a "custom" SecretID is set against an AppRole by the client, it
is referred to as a Push mode. Push mode mimics the behavior of the deprecated
App-ID auth method; however, in most cases Pull mode is the better approach. The
reason is that Push mode requires some other system to have knowledge of the
full set of client credentials (RoleID and SecretID) in order to create the
entry, even if these are then distributed via different paths. However, in Pull
mode, even though the RoleID must be known in order to distribute it to the
client, the SecretID can be kept confidential from all parties except for the
final authenticating client by using Response Wrapping.
Push mode is available for App-ID workflow compatibility, which in some
specific cases is preferable, but in most cases Pull mode is more secure and
should be preferred.
role_id is a required credential at the login endpoint. AppRole pointed to by
the role_id will have constraints set on it. This dictates other required
credentials for login. The bind_secret_id constraint requires secret_id to
be presented at the login endpoint. Going forward, this auth method can support
more constraint parameters to support varied set of Apps. Some constraints will
not require a credential, but still enforce constraints for login. For
example, secret_id_bound_cidrs will only allow logins coming from IP addresses
belonging to configured CIDR blocks on the AppRole.
The following example demonstrates AppRole authentication with response
wrapping.
Go
Go
C#
package main
import("context""fmt""os"
vault "github.com/hashicorp/vault/api"
auth "github.com/hashicorp/vault/api-docs/auth/approle")// Fetches a key-value secret (kv-v2) after authenticating via AppRole.funcgetSecretWithAppRole()(string,error){
config := vault.DefaultConfig()// modify for more granular configuration
client, err := vault.NewClient(config)if err !=nil{return"", fmt.Errorf("unable to initialize Vault client: %w", err)}// A combination of a Role ID and Secret ID is required to log in to Vault// with an AppRole.// First, let's get the role ID given to us by our Vault administrator.
roleID := os.Getenv("APPROLE_ROLE_ID")if roleID ==""{return"", fmt.Errorf("no role ID was provided in APPROLE_ROLE_ID env var")}// The Secret ID is a value that needs to be protected, so instead of the// app having knowledge of the secret ID directly, we have a trusted orchestrator (https://learn.hashicorp.com/tutorials/vault/secure-introduction?in=vault/app-integration#trusted-orchestrator)// give the app access to a short-lived response-wrapping token (https://www.vaultproject.io/docs/concepts/response-wrapping).// Read more at: https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practices
secretID :=&auth.SecretID{FromFile:"path/to/wrapping-token"}
appRoleAuth, err := auth.NewAppRoleAuth(
roleID,
secretID,
auth.WithWrappingToken(),// Only required if the secret ID is response-wrapped.)if err !=nil{return"", fmt.Errorf("unable to initialize AppRole auth method: %w", err)}
authInfo, err := client.Auth().Login(context.TODO(), appRoleAuth)if err !=nil{return"", fmt.Errorf("unable to login to AppRole auth method: %w", err)}if authInfo ==nil{return"", fmt.Errorf("no auth info was returned after login")}// get secret
secret, err := client.Logical().Read("kv-v2/data/creds")if err !=nil{return"", fmt.Errorf("unable to read secret: %w", err)}
data, ok := secret.Data["data"].(map[string]interface{})if!ok {return"", fmt.Errorf("data type assertion failed: %T %#v", secret.Data["data"], secret.Data["data"])}// data map can contain more than one key-value pair,// in this case we're just grabbing one of them
key :="password"
value, ok := data[key].(string)if!ok {return"", fmt.Errorf("value type assertion failed: %T %#v", data[key], data[key])}return value,nil}
package main
import("context""fmt""os" vault "github.com/hashicorp/vault/api" auth "github.com/hashicorp/vault/api-docs/auth/approle")// Fetches a key-value secret (kv-v2) after authenticating via AppRole.funcgetSecretWithAppRole()(string,error){ config := vault.DefaultConfig()// modify for more granular configuration client, err := vault.NewClient(config)if err !=nil{return"", fmt.Errorf("unable to initialize Vault client: %w", err)}// A combination of a Role ID and Secret ID is required to log in to Vault// with an AppRole.// First, let's get the role ID given to us by our Vault administrator. roleID := os.Getenv("APPROLE_ROLE_ID")if roleID ==""{return"", fmt.Errorf("no role ID was provided in APPROLE_ROLE_ID env var")}// The Secret ID is a value that needs to be protected, so instead of the// app having knowledge of the secret ID directly, we have a trusted orchestrator (https://learn.hashicorp.com/tutorials/vault/secure-introduction?in=vault/app-integration#trusted-orchestrator)// give the app access to a short-lived response-wrapping token (https://www.vaultproject.io/docs/concepts/response-wrapping).// Read more at: https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practices secretID :=&auth.SecretID{FromFile:"path/to/wrapping-token"} appRoleAuth, err := auth.NewAppRoleAuth( roleID, secretID, auth.WithWrappingToken(),// Only required if the secret ID is response-wrapped.)if err !=nil{return"", fmt.Errorf("unable to initialize AppRole auth method: %w", err)} authInfo, err := client.Auth().Login(context.TODO(), appRoleAuth)if err !=nil{return"", fmt.Errorf("unable to login to AppRole auth method: %w", err)}if authInfo ==nil{return"", fmt.Errorf("no auth info was returned after login")}// get secret secret, err := client.Logical().Read("kv-v2/data/creds")if err !=nil{return"", fmt.Errorf("unable to read secret: %w", err)} data, ok := secret.Data["data"].(map[string]interface{})if!ok {return"", fmt.Errorf("data type assertion failed: %T %#v", secret.Data["data"], secret.Data["data"])}// data map can contain more than one key-value pair,// in this case we're just grabbing one of them key :="password" value, ok := data[key].(string)if!ok {return"", fmt.Errorf("value type assertion failed: %T %#v", data[key], data[key])}return value,nil}
usingSystem;usingSystem.Collections.Generic;usingSystem.IO;usingVaultSharp;usingVaultSharp.V1.AuthMethods;usingVaultSharp.V1.AuthMethods.AppRole;usingVaultSharp.V1.AuthMethods.Token;usingVaultSharp.V1.Commons;namespaceExamples{publicclassApproleAuthExample{conststring DefaultTokenPath ="../../../path/to/wrapping-token";/// <summary>/// Fetches a key-value secret (kv-v2) after authenticating to Vault via AppRole authentication/// </summary>publicstringGetSecretWithAppRole(){// A combination of a Role ID and Secret ID is required to log in to Vault with an AppRole.// The Secret ID is a value that needs to be protected, so instead of the app having knowledge of the secret ID directly,// we have a trusted orchestrator (https://learn.hashicorp.com/tutorials/vault/secure-introduction?in=vault/app-integration#trusted-orchestrator)// give the app access to a short-lived response-wrapping token (https://www.vaultproject.io/docs/concepts/response-wrapping).// Read more at: https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practicesvar vaultAddr = Environment.GetEnvironmentVariable("VAULT_ADDR");if(String.IsNullOrEmpty(vaultAddr)){thrownewSystem.ArgumentNullException("Vault Address");}var roleId = Environment.GetEnvironmentVariable("APPROLE_ROLE_ID");if(String.IsNullOrEmpty(roleId)){thrownewSystem.ArgumentNullException("AppRole Role Id");}// Get the path to wrapping token or fall back on default pathstring pathToToken =!String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WRAPPING_TOKEN_PATH"))? Environment.GetEnvironmentVariable("WRAPPING_TOKEN_PATH"): DefaultTokenPath;string wrappingToken = File.ReadAllText(pathToToken);// placed here by a trusted orchestrator// We need to create two VaultClient objects for authenticating via AppRole. The first is for// using the unwrap utility. We need to initialize the client with the wrapping token.IAuthMethodInfo wrappedTokenAuthMethod =newTokenAuthMethodInfo(wrappingToken);var vaultClientSettingsForUnwrapping =newVaultClientSettings(vaultAddr, wrappedTokenAuthMethod);IVaultClient vaultClientForUnwrapping =newVaultClient(vaultClientSettingsForUnwrapping);// We pass null here instead of the wrapping token to avoid depleting its single usage// given that we already initialized our client with the wrapping tokenSecret<Dictionary<string,object>> secretIdData = vaultClientForUnwrapping.V1.System
.UnwrapWrappedResponseDataAsync<Dictionary<string,object>>(null).Result;var secretId = secretIdData.Data["secret_id"];// Grab the secret_id// We create a second VaultClient and initialize it with the AppRole auth method and our new credentials.IAuthMethodInfo authMethod =newAppRoleAuthMethodInfo(roleId, secretId.ToString());var vaultClientSettings =newVaultClientSettings(vaultAddr, authMethod);IVaultClient vaultClient =newVaultClient(vaultClientSettings);// We can retrieve the secret from VaultClientSecret<SecretData> kv2Secret =null;
kv2Secret = vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path:"/creds").Result;var password = kv2Secret.Data.Data["password"];return password.ToString();}}}
usingSystem;usingSystem.Collections.Generic;usingSystem.IO;usingVaultSharp;usingVaultSharp.V1.AuthMethods;usingVaultSharp.V1.AuthMethods.AppRole;usingVaultSharp.V1.AuthMethods.Token;usingVaultSharp.V1.Commons;namespaceExamples{publicclassApproleAuthExample{conststring DefaultTokenPath ="../../../path/to/wrapping-token";/// <summary>/// Fetches a key-value secret (kv-v2) after authenticating to Vault via AppRole authentication/// </summary>publicstringGetSecretWithAppRole(){// A combination of a Role ID and Secret ID is required to log in to Vault with an AppRole.// The Secret ID is a value that needs to be protected, so instead of the app having knowledge of the secret ID directly,// we have a trusted orchestrator (https://learn.hashicorp.com/tutorials/vault/secure-introduction?in=vault/app-integration#trusted-orchestrator)// give the app access to a short-lived response-wrapping token (https://www.vaultproject.io/docs/concepts/response-wrapping).// Read more at: https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practicesvar vaultAddr = Environment.GetEnvironmentVariable("VAULT_ADDR");if(String.IsNullOrEmpty(vaultAddr)){thrownewSystem.ArgumentNullException("Vault Address");}var roleId = Environment.GetEnvironmentVariable("APPROLE_ROLE_ID");if(String.IsNullOrEmpty(roleId)){thrownewSystem.ArgumentNullException("AppRole Role Id");}// Get the path to wrapping token or fall back on default pathstring pathToToken =!String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WRAPPING_TOKEN_PATH"))? Environment.GetEnvironmentVariable("WRAPPING_TOKEN_PATH"): DefaultTokenPath;string wrappingToken = File.ReadAllText(pathToToken);// placed here by a trusted orchestrator// We need to create two VaultClient objects for authenticating via AppRole. The first is for// using the unwrap utility. We need to initialize the client with the wrapping token.IAuthMethodInfo wrappedTokenAuthMethod =newTokenAuthMethodInfo(wrappingToken);var vaultClientSettingsForUnwrapping =newVaultClientSettings(vaultAddr, wrappedTokenAuthMethod);IVaultClient vaultClientForUnwrapping =newVaultClient(vaultClientSettingsForUnwrapping);// We pass null here instead of the wrapping token to avoid depleting its single usage// given that we already initialized our client with the wrapping tokenSecret<Dictionary<string,object>> secretIdData = vaultClientForUnwrapping.V1.System
.UnwrapWrappedResponseDataAsync<Dictionary<string,object>>(null).Result;var secretId = secretIdData.Data["secret_id"];// Grab the secret_id// We create a second VaultClient and initialize it with the AppRole auth method and our new credentials.IAuthMethodInfo authMethod =newAppRoleAuthMethodInfo(roleId, secretId.ToString());var vaultClientSettings =newVaultClientSettings(vaultAddr, authMethod);IVaultClient vaultClient =newVaultClient(vaultClientSettings);// We can retrieve the secret from VaultClientSecret<SecretData> kv2Secret =null; kv2Secret = vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path:"/creds").Result;var password = kv2Secret.Data.Data["password"];return password.ToString();}}}
