'vault login' vs 'vault write auth/approle/login'


fr...@mode.net

Sep 14, 2018, 6:58:54 PM
to Vault
Question 1:

https://www.vaultproject.io/docs/commands/login.html indicates that

vault login -method=approle

should work. It doesn't. Instead you have to 'write' to the login path, https://www.vaultproject.io/guides/identity/authentication.html#step-4-login-with-role-id-amp-secret-id

vault write auth/approle/login ...

In those linked docs, this is clearly referred to as "login", not some other similar but closely related thing, so why doesn't 'vault login' work with approle?

Question 2:

'vault login' creates ~/.vault-token.  'vault write' does not. If I manually populate .vault-token with the token value, subsequent commands work as expected, so clearly 'login' and 'write' to the auth path are equivalent functions, returning a token with policies attached.

I imagine that approle is designed for machine auth and in that use case, it usually isn't desirable (or maybe even possible) to create .vault-token. If that's the reasoning, it makes sense, and in that case, the documentation is very much lacking here. Please advise.

Joel Thompson

Sep 14, 2018, 8:19:02 PM
to vault...@googlegroups.com
What version of Vault are you using on the command line? The docs are always for the newest version of Vault, and it's possible you're just using an older version of the binary. Also, can you post the error message you get when you try to run vault login?

--Joel

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/dee5f212-03aa-4db7-af37-ff348c0fbcd8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

fr...@mode.net

Sep 17, 2018, 4:15:05 PM
to Vault
0.11.1 CLI and server. I'm running the server in dev mode, in case that makes the difference.


$ ./vault auth enable approle
Success! Enabled approle auth method at: approle/
$ ./vault policy write jenkins jenkins-pol.hcl
Success! Uploaded policy: jenkins
$ ./vault write auth/approle/role/jenkins policies="jenkins"
Success! Data written to: auth/approle/role/jenkins
$ ./vault read auth/approle/role/jenkins/role-id
Key        Value
---        -----
role_id    1d451fe0-cfd2-49df-74a9-1c69acd7db80
$ ./vault write -f auth/approle/role/jenkins/secret-id
Key                   Value
---                   -----
secret_id             9ac9e3f1-7cff-cbf4-3bf1-183385bbe01a
secret_id_accessor    0541b0db-0bae-721d-3381-b5567ccda5cd
$ ./vault auth list
Path        Type       Accessor                 Description
----        ----       --------                 -----------
approle/    approle    auth_approle_e6a2edda    n/a
token/      token      auth_token_1395ef55      token based credentials

That user possesses the server Root Token (in .vault-token). The very first command (vault auth enable) magically populated it. So, for a different user:

$ ls .vault-token
ls: cannot access .vault-token: No such file or directory
$ /tmp/vault write -field=token auth/approle/login role_id=1d451fe0-cfd2-49df-74a9-1c69acd7db80 secret_id=9ac9e3f1-7cff-cbf4-3bf1-183385bbe01a
439c4c6b-fcf2-3ed3-74f7-6b7d3fe41980
$ ls .vault-token
ls: cannot access .vault-token: No such file or directory
$ /tmp/vault login -method=approle
Unknown auth method: approle. Use "vault auth list" to see the complete list
of auth methods. Additionally, some auth methods are only available via the
HTTP API.
$ /tmp/vault auth list
Error listing enabled authentications: Error making API request.

Code: 400. Errors:

* missing client token
$ VAULT_TOKEN=439c4c6b-fcf2-3ed3-74f7-6b7d3fe41980 /tmp/vault auth list
Error listing enabled authentications: Error making API request.

Code: 403. Errors:

* 1 error occurred:

* permission denied 
### with the root token: 
$ VAULT_TOKEN=590b9070-5801-b76f-5363-b030c880020c /tmp/vault auth list
Path        Type       Accessor                 Description
----        ----       --------                 -----------
approle/    approle    auth_approle_e6a2edda    n/a
token/      token      auth_token_1395ef55      token based credentials

fr...@mode.net

Sep 17, 2018, 5:10:59 PM
to Vault
Irrelevant correction: it's not the first 'vault auth' command that sets the login token. Starting the server in dev mode creates .vault-token.

Jeff Mitchell

Sep 17, 2018, 5:16:10 PM
to Vault
On Fri, Sep 14, 2018 at 6:58 PM <fr...@mode.net> wrote:
> https://www.vaultproject.io/docs/commands/login.html indicates that
>
> vault login -method=approle
>
> should work. It doesn't. Instead you have to 'write' to the login path, https://www.vaultproject.io/guides/identity/authentication.html#step-4-login-with-role-id-amp-secret-id
>
> vault write auth/approle/login ...

Mistake in the guide. Approle has no CLI helper, so "vault write" must be used.

> 'vault login' creates ~/.vault-token. 'vault write' does not. If I manually populate .vault-token with the token value, subsequent commands work as expected, so clearly 'login' and 'write' to the auth path are equivalent functions, returning a token with policies attached.

They're not equivalent functions; login expects a token to be returned
and does other things related to it, including setting it as the local
client token.

Best,
Jeff

Jeff Mitchell

Sep 17, 2018, 5:18:01 PM
to Vault
On Mon, Sep 17, 2018 at 5:15 PM Jeff Mitchell <je...@hashicorp.com> wrote:
> Mistake in the guide. Approle has no CLI helper, so "vault write" must be used.

Actually, not a mistake, the guide correctly uses "vault write".

The login command reference does not claim that approle is a supported
type for the command.

Best,
Jeff

fr...@mode.net

Sep 17, 2018, 5:41:25 PM
to Vault
On Monday, September 17, 2018 at 2:18:01 PM UTC-7, Jeff Mitchell wrote:
> The login command reference does not claim that approle is a supported
> type for the command.

Indeed, it does not. However it implies that all methods are supported, by giving specific examples "such as", rather than a complete list, and by telling you to use 'vault auth list' to see what auth methods are enabled.

Anyway this answers my question. It's a (slight) documentation deficiency, not something I'm doing wrong.