vault_client_auth_approle: Vault AppRole Authentication Configuration

Set up a vault_client_auth_approle object at a custom mount. For example, suppose you mounted the approle authentication backend at /approle-dev you might use ar <- vault$auth$approle2$custom_mount("/approle-dev") - this pattern is repeated for other secret and authentication backends. Usage:

custom_mount(mount)

Arguments:

• mount: String, indicating the path that the engine is mounted at.

This endpoint returns a list the existing AppRoles in the method. Usage:

role_list()

Creates a new AppRole or updates an existing AppRole. This endpoint supports both create and update capabilities. There can be one or more constraints enabled on the role. It is required to have at least one of them enabled while creating or updating a role. Usage:

role_write(role_name, bind_secret_id = NULL, secret_id_bound_cidrs = NULL,
      token_bound_cidrs = NULL, policies = NULL, secret_id_num_uses = NULL,
      secret_id_ttl = NULL, token_num_uses = NULL, token_ttl = NULL,
      token_max_ttl = NULL, period = NULL, enable_local_secret_ids = NULL,
      token_type = NULL)

Arguments:

• role_name: Name of the AppRole

• bind_secret_id: Require secret_id to be presented when logging in using this AppRole (boolean, default is TRUE).

• secret_id_bound_cidrs: Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation.

• token_bound_cidrs: Character vector of if set, specifies blocks of IP addresses which can use the auth tokens generated by this role.

• policies: Character vector of policies set on tokens issued via this AppRole.

• secret_id_num_uses: Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.

• secret_id_ttl: Duration, after which any SecretID expires.

• token_num_uses: Number of times issued tokens can be used. A value of 0 means unlimited uses.

• token_ttl: Duration to set as the TTL for issued tokens and at renewal time.

• token_max_ttl: Duration, after which the issued token can no longer be renewed.

• period: A duration; when set, the token generated using this AppRole is a periodic token; so long as it is renewed it never expires, but the TTL set on the token at each renewal is fixed to the value specified here. If this value is modified, the token will pick up the new value at its next renewal.

• enable_local_secret_ids: Boolean, if TRUE, then the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later.

• token_type: The type of token that should be generated via this role. Can be service, batch, or default to use the mount's default (which unless changed will be service tokens).

Reads the properties of an existing AppRole. Usage:

role_read(role_name)

Arguments:

• role_name: Name of the AppRole

Deletes an existing AppRole from the method. Usage:

role_delete(role_name)

Arguments:

• role_name: Name of the AppRole to delete

Reads the RoleID of an existing AppRole. Usage:

role_id_read(role_name)

Arguments:

• role_name: Name of the AppRole

Updates the RoleID of an existing AppRole to a custom value. Usage:

role_id_write(role_name, role_id)

Arguments:

• role_name: Name of the AppRole (string)

• role_id: Value to be set as RoleID (string)

Generates and issues a new SecretID on an existing AppRole. Similar to tokens, the response will also contain a secret_id_accessor value which can be used to read the properties of the SecretID without divulging the SecretID itself, and also to delete the SecretID from the AppRole. Usage:

secret_id_generate(role_name, metadata = NULL, cidr_list = NULL, token_bound_cidrs = NULL)

Arguments:

• role_name: Name of the AppRole.

• metadata: Metadata to be tied to the SecretID. This should be a named list of key-value pairs. This metadata will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.

• cidr_list: Character vector CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If bound_cidr_list is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.

• token_bound_cidrs: Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this SecretID. Overrides any role-set value but must be a subset.

Lists the accessors of all the SecretIDs issued against the AppRole. This includes the accessors for "custom" SecretIDs as well. Usage:

secret_id_list(role_name)

Arguments:

• role_name: Name of the AppRole

Reads out the properties of a SecretID. Usage:

secret_id_read(role_name, secret_id, accessor = FALSE)

Arguments:

• role_name: Name of the AppRole

• secret_id: Secret ID attached to the role

• accessor: Logical, if TRUE, treat secret_id as an accessor rather than a secret id.

Delete an AppRole secret ID Usage:

secret_id_delete(role_name, secret_id, accessor = FALSE)

Arguments:

• role_name: Name of the AppRole

• secret_id: Secret ID attached to the role

• accessor: Logical, if TRUE, treat secret_id as an accessor rather than a secret id.

Log into the vault using AppRole authentication. Normally you would not call this directly but instead use $login with method = "approle" and proving the role_id and secret_id arguments. This function returns a vault token but does not set it as the client token. Usage:

login(role_id, secret_id)

Arguments:

• role_id: RoleID of the AppRole

• secret_id: SecretID belonging to AppRole