Easy question about Vault app-id authentication and creating a Vault Token


Lars Sommer

Apr 21, 2016, 6:54:43 PM
to Vault
I think I have a basic misunderstanding of Vault app-id authentication despite reading...and reading and reading.

Here's my understanding:

  1. Application passes app-ID and user-ID to Vault in a curl request (Can anyone tell me what this path is? I can't find a single page on it in the docs at all)
  2. Vault responds with a Vault Token
  3. Application then uses the Vault Token to make credential requests against its policy
  4. Vault responds with a randomly generated username/password combo
  5. Application stores this as ENV or something for future use

Is there a page that documents this process with API endpoints? Can anyone set me straight? I am surprised to find this key piece of documentation lacking, or at least difficult to find if it exists.

vishal nayak

Apr 21, 2016, 8:35:17 PM
to vault...@googlegroups.com
Hi Lars,

Documentation on the backend can be found here: https://www.vaultproject.io/docs/auth/app-id.html.
Unfortunately the API section is not documented for this backend.

But, this backend is very simple to use.

The CLI steps are here, which are also documented in the link above.

vault write auth/app-id/map/app-id/app1 value=policy1
vault write auth/app-id/map/user-id/user1 value=app1
vault write auth/app-id/login app_id=app1 user_id=user1

The API paths are indicated by the CLI examples themselves.

Curl substitutes for the above commands look like this:
curl -XPOST "http://127.0.0.1:8200/v1/auth/app-id/map/app-id/app1" -H "X-Vault-Token:123" -d '{"value":"policy1"}'
curl -XPOST "http://127.0.0.1:8200/v1/auth/app-id/map/user-id/user1" -H "X-Vault-Token:123" -d '{"value":"app1"}'
curl -XPOST "http://127.0.0.1:8200/v1/auth/app-id/login" -H "X-Vault-token:123" -d '{"app_id":"app1", "user_id":"user1"}'

> 1. Application passes app-ID and user-ID to Vault in a curl request (Can anyone tell me what this path is? I can't find a single page on it in the docs at all)
> 2. Vault responds with a Vault Token
Correct.
> 3. Application then uses the Vault Token to make credential requests against its policy
Correct.
> 4. Vault responds with a randomly generated username/password combo
This depends on what credentials are requested by the application. The credentials may not be a username/password combo per se. You can refer to the logical backends' documentation to know more about this: https://www.vaultproject.io/docs/secrets/index.html
> 5. Application stores this as ENV or something for future use
It is really up to the application to decide where to store and what to do with the credentials received.

Hope this helps!

Regards,
Vishal

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d747574c-f184-488b-8e63-571df0a4d4cf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
vn

Lars Sommer

Apr 21, 2016, 8:42:33 PM
to Vault
Vishal,

Great reply and information. I only have one more: in all your examples, the Vault Token is already present. I am curious about how the application makes the call to Vault to *obtain* the Vault Token in the first place.
It has available only the userID and applicationID, but I don't know how to get that token.

vishal nayak

Apr 21, 2016, 8:57:31 PM
to vault...@googlegroups.com
Hi Lars,

This is a good question.

Vault is usually configured by an administrator and used by users/applications.

In this backend, there is a third entity as well, which the admin trusts.

1) vault write auth/app-id/map/app-id/app1 value=policy1
This is configured by an admin.

2) vault write auth/app-id/map/user-id/user1 value=app1
This is run by either an Admin/TrustedService who is "informed" of the unique "userId" (out-of-band; refer to the docs) belonging to an application. The TrustedService is registering the user-id against the desired app.

For the above two commands to be run, the administrators and the trusted service will have a Vault token beforehand.

3) vault write auth/app-id/login app_id=app1 user_id=user1
For this, the curl substitute goes like this:
curl -XPOST "http://127.0.0.1:8200/v1/auth/app-id/login" -d '{"app_id":"app1", "user_id":"user1"}'

Notice that this path does not require a Vault token.
Sorry for confusing you with this earlier curl command with the Vault token (copy paste error).
This is an unauthenticated path, which the applications use to retrieve a Vault token.

Once the applications get a token, they can access Vault's resources that the token is authorized for.
If any such authorization allows the token to request credentials from logical backends, applications can invoke the appropriate commands of the logical backend to get them.

Hope this helps!

Regards,
Vishal

--
vn
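The flow Vishal lays out across his two replies (admin maps app-id to policy, admin or trusted service maps user-id to app-id, application logs in on the token-less path and then uses the token it received), written out as one script. This is an added example, not code from the thread or from the Vault project; it assumes a Vault reachable at VAULT_ADDR, an admin token in VAULT_TOKEN for the two mapping calls only, and the thread's names app1 / user1 / policy1. It also wires in the check Vishal asks for later in the thread when the login unexpectedly answers "missing client token". The user-id is the secret half of the pair, so the script never prints it; note that the `echo` of the expanded command later in the thread writes it to the terminal (and to anything capturing that session).

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from HashiCorp: the app-id flow
# as curl calls, plus a check for the "missing client token" response.
# Assumptions: Vault at VAULT_ADDR, an admin token in VAULT_TOKEN for the two
# mapping steps, and the thread's names app1 / user1 / policy1.
set -euo pipefail

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
APP_ID="${APP_ID:-app1}"
USER_ID="${USER_ID:-user1}"      # the secret half of the pair: never echo it
POLICY="${POLICY:-policy1}"

# Escape a value for use inside a JSON string (backslash and double quote),
# so a user-id containing quotes cannot break or alter the request body.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Body for POST /v1/auth/app-id/login.
appid_login_body() {   # $1 = app_id, $2 = user_id
  printf '{"app_id":"%s","user_id":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# Pull auth.client_token out of a login response (stdin filter; no jq needed).
extract_client_token() { sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p'; }

# True when Vault answered {"errors":["missing client token"]} (stdin filter).
is_missing_token_error() { grep -q '"missing client token"'; }

# Admin / trusted-service writes: these DO carry X-Vault-Token.
vault_admin_write() {  # $1 = API path after /v1/, $2 = JSON body
  curl -sS -X POST "$VAULT_ADDR/v1/$1" -H "X-Vault-Token: $VAULT_TOKEN" -d "$2"
}

# Application login: unauthenticated path, so no X-Vault-Token header at all.
appid_login() {        # $1 = app_id, $2 = user_id
  curl -sS -X POST "$VAULT_ADDR/v1/auth/app-id/login" -d "$(appid_login_body "$1" "$2")"
}

# Live run only when explicitly requested (needs a reachable Vault).
if [ "${APPID_DEMO_LIVE:-0}" = "1" ]; then
  : "${VAULT_TOKEN:?VAULT_TOKEN (admin token) is needed for the mapping steps}"

  # 1) admin maps app-id -> policy   (vault write auth/app-id/map/app-id/app1 value=policy1)
  vault_admin_write "auth/app-id/map/app-id/$APP_ID" \
    "$(printf '{"value":"%s"}' "$(json_escape "$POLICY")")"
  # 2) admin/trusted service maps user-id -> app-id   (vault write auth/app-id/map/user-id/user1 value=app1)
  vault_admin_write "auth/app-id/map/user-id/$USER_ID" \
    "$(printf '{"value":"%s"}' "$(json_escape "$APP_ID")")"

  # 3) application logs in with only app_id + user_id and receives its own token
  resp="$(appid_login "$APP_ID" "$USER_ID")"
  if printf '%s' "$resp" | is_missing_token_error; then
    # A token-less login should never get this answer from a mounted app-id
    # backend; the usual cause is that the enable step failed, so nothing is
    # mounted at auth/app-id. Confirm with an admin token: GET /v1/sys/auth
    # should list "app-id/".
    echo "login refused: verify app-id is enabled (GET $VAULT_ADDR/v1/sys/auth with an admin token)" >&2
    exit 1
  fi
  APP_TOKEN="$(printf '%s' "$resp" | extract_client_token)"
  [ -n "$APP_TOKEN" ] || { echo "no client_token in login response" >&2; exit 1; }

  # 4) from here on the application uses ITS token (not the admin's),
  #    e.g. to inspect what it was granted
  curl -sS "$VAULT_ADDR/v1/auth/token/lookup-self" -H "X-Vault-Token: $APP_TOKEN"
fi
```

Run with `APPID_DEMO_LIVE=1 VAULT_TOKEN=<admin token> ./appid-flow.sh` against a Vault that already has the app-id backend enabled; without `APPID_DEMO_LIVE=1` the script only defines the helpers, which is what makes the request-building and response-parsing functions testable offline. Two things worth keeping in mind when reading the thread today: HTTP header names are case-insensitive, so `X-Vault-token` versus `X-Vault-Token` is not the problem in the earlier curl line (the extra token header is), and the app-id backend was later deprecated by HashiCorp in favour of AppRole, so these mapping endpoints apply to the Vault versions discussed here.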

Lars Sommer

Apr 21, 2016, 9:18:25 PM
to Vault
Wonderful information, thank you so much this gets me moving again. Really appreciate your time!

Lars Sommer

Apr 26, 2016, 12:03:49 PM
to Vault
Hey Vishal,

When I use the following, I am receiving a "Missing client token", which suggests I should already have some sort of token available.

[root@ip-10-5-100-169 ec2-user]# echo curl -X POST "http://10.5.100.206:8200/v1/auth/app-id/login" -d '{"app_id":"'"$VAULT_APP_ID"'", "user_id":"'"$VAULT_USER_ID"'"}'
curl -X POST http://10.5.100.206:8200/v1/auth/app-id/login -d {"app_id":"16", "user_id":"(User ID expanded properly)"}
[root@ip-10-5-100-169 ec2-user]# curl -X POST "http://10.5.100.206:8200/v1/auth/app-id/login" -d '{"app_id":"'"$VAULT_APP_ID"'", "user_id":"'"$VAULT_USER_ID"'"}'
{"errors":["missing client token"]}

Do you see any issues with what I have here?

vishal nayak

Apr 26, 2016, 12:29:52 PM
to vault...@googlegroups.com
Hi Lars,

`auth/app-id/login` path should not require a client token since it is an unauthenticated path.

Which version of Vault are you using? Did all the previous calls to the backend succeed (enabling app-id, configuring the app-id and user-id)?

Regards,
Vishal

--
vn

Lars Sommer

Apr 26, 2016, 1:09:54 PM
to Vault
v.0.3.1 and yes, all other calls succeeded. 

Lars Sommer

Apr 26, 2016, 1:18:08 PM
to Vault
I am a total liar, all calls are not succeeding, I was parsing the output incorrectly. I have other unrelated issues to fix. Sorry.

vishal nayak

Apr 26, 2016, 1:28:47 PM
to vault...@googlegroups.com
Hi Lars,

Good to know!
It had left me scratching my head :)

Anyway, we strongly recommend always having Vault upgraded to the latest version. There have been very significant enhancements made to Vault since 0.3.1. Refer to the changelog here: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md

Regards,
Vishal

--
vn