Enable an auth method
In this tutorial, you will explore authentication with Vault tokens and GitHub credentials.
Token authentication
Token authentication is automatically enabled. When you started the dev server,
the output displayed a root token. The Vault CLI read the root token from the
$VAULT_TOKEN
environment variable. This root token can perform
any operation within Vault because it is assigned the root
policy. One
capability is to create new tokens.
Create a new token.
Example output:
The token is created and the output describes this token a table of keys and
values. The created token
is displayed here as s.iyNUhq8Ov4hIAx6snw5mB2nL
.
This token is a child of the root token, and by default, it inherits the policies from its parent.
Token is the core authentication method. You can use the generated token to login with Vault, by copy and pasting it when prompted.
Example:
Create another token.
The token is created and displayed here as s.TsKT5ubouZ7TF26Eg7wNIl3k
. Each
token
that Vault creates is unique.
When a token is no longer needed it can be revoked.
Revoke the first token you created.
Example:
The token has been revoked.
An attempt to login with the revoked token will result in an error.
Revoking a token will also revoke all tokens that were created by the token.
GitHub authentication
Vault supports authentication methods for human operators. GitHub authentication enables a user to authenticate with Vault by providing their GitHub credentials and receive a Vault token.
Note
This authentication method, as described in the exercises, requires
that you have a GitHub profile, belong to a team in a GitHub organization, and
have generated a GitHub access token with the read:org
scope.
Enable the GitHub auth method.
The auth method is enabled and available at the path auth/github/
.
This auth method requires that you set a GitHub organization in the configuration. A GitHub organization maintains a list of users which you are allowing to authenticate with Vault.
Set the organization
for the github
authentication.
Now all users within the hashicorp
GitHub organization are able to
authenticate.
GitHub organizations can define teams. Each team may have access to different actions across all the repositories that the organization maintains. These teams may also need access to specific secrets within Vault.
Configure the GitHub engineering
team authentication to be granted the
default
and applications
policies.
The members of the GitHub engineering
team in the hashicorp
organization
will authenticate and are authorized with the default
and applications
policies.
Note
The applications policy is not yet defined in Vault. Vault still allows users to authenticate but produces a warning until that policy is defined.
Display all the authentication methods that Vault has enabled.
The output displays the github
and token
auth methods.
Learn more about the github auth method using help
.
The output displays an example of login with the github
method. This method
requires that the method be defined and that an operator provide a GitHub
personal access token.
Since you will attempt to login with an auth method, you should ensure that the VAULT_TOKEN
environment variable is not set for this shell session since its value will take precedence over any token you obtain from Vault.
Unset the environment variable.
Attempt to login with the github auth method.
When the GitHub personal access token is not provided to the command
the Vault CLI prompts the operator. If a valid GitHub personal access token is
provided then the operator logs in and the output displays a Vault token. The
operator can use the Vault token until it is revoked or its lifetime exceeds the
token_duration
.
Log back in with the root token.
Revoke all tokens generated the github
auth method.
All tokens generated by logins to the path auth/github
are revoked.
All authentication methods, except for the token auth method, can be disabled.
Disable the github
auth method.
All tokens generated by logins using this authentication method are revoked.
Because you have the VAULT_TOKEN
environment variable set, the CLI commands
will always use this value (the initial root token) unless the environment
variable gets unset or overwritten by another token value.
Next
In this tutorial you learned how users can authenticate with Vault tokens and the GitHub authentication method. Vault provides a variety of authentication methods for the human operators and machines.
Next, you will learn about authorization and how to define policies.