Duo MFA
This page demonstrates Duo MFA on ACL'd paths of Vault.
Configuration
Enable the appropriate auth method:
Fetch the mount accessor for the enabled auth method:
The response will look like:
Configure Duo MFA:
Create a policy that grants access to a secret through the MFA method created above:
Create a user. MFA works only for tokens that have identity information on them. Tokens created by logging in through an auth method carry the associated identity information. Create a user in the userpass auth method and authenticate against it:
Create a login token:
Note that the CLI is not authenticated with the newly created token yet: we did not call vault login; instead we used the login API, which simply returns a token.
Fetch the entity ID from the token. The caller identity is represented by the entity_id property of the token:
Log in as the user:
Read a secret to trigger a Duo push. This will be a blocking call until the push notification is either approved or declined:
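The steps above as one shell script, added here as an example and not taken from the Vault documentation. The names my_duo, duo-policy, secret/foo and testuser, the variables DUO_IKEY, DUO_SKEY, DUO_HOST and TEST_PASSWORD, and the column layout of the CLI table output parsed by the helpers are assumptions.

```shell
#!/bin/sh
# Added example, not from the Vault docs. Assumed names: my_duo, duo-policy,
# secret/foo, testuser. DUO_IKEY, DUO_SKEY, DUO_HOST hold your Duo integration values.

# Print the accessor for mount "$1" from `vault auth list -detailed` output on stdin.
# Assumes the accessor is the third column of the table output.
mount_accessor() {
  awk -v path="$1" '$1 == path { print $3 }'
}

# Print a policy that allows reading path "$1" through MFA method "$2".
duo_policy() {
  printf 'path "%s" {\n  capabilities = ["read"]\n  mfa_methods  = ["%s"]\n}\n' "$1" "$2"
}

# Print the entity_id from `vault token lookup` table output on stdin.
token_entity_id() {
  awk '$1 == "entity_id" { print $2 }'
}

# Run the whole procedure against the Vault server named by VAULT_ADDR.
setup_duo_mfa() {
  vault auth enable userpass
  accessor=$(vault auth list -detailed | mount_accessor userpass/)
  [ -n "$accessor" ] || { echo "userpass accessor not found" >&2; return 1; }

  vault write sys/mfa/method/duo/my_duo \
    mount_accessor="$accessor" \
    integration_key="$DUO_IKEY" secret_key="$DUO_SKEY" api_hostname="$DUO_HOST"

  duo_policy secret/foo my_duo | vault policy write duo-policy -

  vault write auth/userpass/users/testuser password="$TEST_PASSWORD" policies=duo-policy
  # The login API only returns a token; the CLI is not authenticated with it yet.
  token=$(vault write -field=token auth/userpass/login/testuser password="$TEST_PASSWORD")

  # MFA needs identity information on the token, so stop if there is none.
  entity=$(vault token lookup "$token" | token_entity_id)
  [ -n "$entity" ] && [ "$entity" != "n/a" ] || { echo "token has no entity_id" >&2; return 1; }

  vault login "$token" >/dev/null
  vault read secret/foo   # blocks until the Duo push is approved or declined
}
```

Source the file and call setup_duo_mfa with VAULT_ADDR and a sufficiently privileged token set; nothing runs until the function is called.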