Interact with vault's AppRole authentication backend. For more details about this, see the vault documentation at https://www.vaultproject.io/docs/auth/approle.html
custom_mount
Set up a vault_client_auth_approle object at a custom mount. For example, suppose you mounted the approle authentication backend at /approle-dev; you might then use ar <- vault$auth$approle$custom_mount("/approle-dev"), where vault is a vault_client() object. This pattern is repeated for the other secret and authentication backends.
Usage:
custom_mount(mount)
Arguments:
mount
: String, indicating the path that the engine is mounted at.
role_list
This endpoint returns a list of the existing AppRoles in this auth method. Usage:
role_list()
role_write
Creates a new AppRole or updates an existing one; the same call supports both create and update. One or more constraints (for example bind_secret_id, secret_id_bound_cidrs or token_bound_cidrs) can be enabled on the role, and at least one of them must be enabled when creating or updating a role. Usage:
role_write(role_name, bind_secret_id = NULL, secret_id_bound_cidrs = NULL, token_bound_cidrs = NULL, policies = NULL, secret_id_num_uses = NULL, secret_id_ttl = NULL, token_num_uses = NULL, token_ttl = NULL, token_max_ttl = NULL, period = NULL, enable_local_secret_ids = NULL, token_type = NULL)
Arguments:
role_name
: Name of the AppRole
bind_secret_id
: Require secret_id to be presented when logging in using this AppRole (boolean, default is TRUE).
secret_id_bound_cidrs
: Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation.
token_bound_cidrs
: Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this role.
policies
: Character vector of policies set on tokens issued via this AppRole.
secret_id_num_uses
: Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.
secret_id_ttl
: Duration, after which any SecretID expires.
token_num_uses
: Number of times issued tokens can be used. A value of 0 means unlimited uses.
token_ttl
: Duration to set as the TTL for issued tokens and at renewal time.
token_max_ttl
: Duration, after which the issued token can no longer be renewed.
period
: A duration; when set, the token generated using this AppRole is a periodic token; so long as it is renewed it never expires, but the TTL set on the token at each renewal is fixed to the value specified here. If this value is modified, the token will pick up the new value at its next renewal.
enable_local_secret_ids
: Boolean; if TRUE, then the secret IDs generated using this role will be cluster local. This can only be set during role creation and, once set, it can't be reset later.
token_type
: The type of token that should be generated via this role. Can be service, batch, or default to use the mount's default (which, unless changed, will be service tokens).
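The following is an added example, not code from the vaultr documentation or the vaultr package itself. It creates a deliberately tight AppRole for a CI deploy job, switching on every constraint role_write exposes, and then reads the role back to check that the constraints actually took effect before any credentials are handed out. It assumes a Vault server at https://localhost:8200, an operator token in VAULT_TOKEN (vault_client(login = "token") is assumed to pick that up), an already-existing policy named deploy-ro, and that role_read() and role_list() return the role's settings as a named list and the role names as a character vector respectively, mirroring the underlying Vault HTTP API.

```r
# Added example (not from vaultr's own documentation): create a
# least-privilege AppRole and verify it before issuing credentials.
# Assumptions, labelled as such: Vault at https://localhost:8200,
# operator token in VAULT_TOKEN, policy "deploy-ro" already exists,
# role_read() returns a named list and role_list() a character vector.
library(vaultr)

vault <- vaultr::vault_client(addr = "https://localhost:8200",
                              login = "token")  # assumed: reads VAULT_TOKEN

# The backend is assumed to be mounted at the default path "approle";
# for a non-default mount use vault$auth$approle$custom_mount("/approle-dev").
ar <- vault$auth$approle

# Every available constraint is enabled: a RoleID on its own is useless,
# logins and token use are pinned to the CI runner subnet, and both the
# SecretID and the token it yields are short-lived and use-limited.
ar$role_write(
  role_name             = "ci-deploy",
  bind_secret_id        = TRUE,            # SecretID is mandatory at login
  secret_id_bound_cidrs = "10.20.0.0/24",  # only CI runners may log in
  token_bound_cidrs     = "10.20.0.0/24",  # a stolen token is dead elsewhere
  policies              = "deploy-ro",     # assumed existing policy
  secret_id_num_uses    = 1,               # one login per SecretID
  secret_id_ttl         = "10m",           # unused SecretIDs expire quickly
  token_num_uses        = 20,
  token_ttl             = "15m",
  token_max_ttl         = "1h",
  token_type            = "service")

# Read the role back and fail loudly if a setting was silently dropped;
# an ignored constraint is exactly the kind of gap that gets exploited.
role <- ar$role_read("ci-deploy")
stopifnot(isTRUE(role$bind_secret_id),
          "10.20.0.0/24" %in% role$secret_id_bound_cidrs,
          role$secret_id_num_uses == 1,
          "deploy-ro" %in% role$policies)

# The role should now show up in the listing for this auth method.
stopifnot("ci-deploy" %in% ar$role_list())

# Roles that are no longer needed should be removed rather than left idle:
# ar$role_delete("ci-deploy")
```

The read-back check is the part worth keeping in real automation: role_write accepts many fields, and a typo in an argument name or a server version that ignores a field leaves you with a weaker role than you believe you configured.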
role_read
Reads the properties of an existing AppRole. Usage:
role_read(role_name)
Arguments:
role_name
: Name of the AppRole
role_delete
Deletes an existing AppRole from this auth method. Usage:
role_delete(role_name)
Arguments:
role_name
: Name of the AppRole to delete
role_id_read
Reads the RoleID of an existing AppRole. Usage:
role_id_read(role_name)
Arguments:
role_name
: Name of the AppRole
role_id_write
Updates the RoleID of an existing AppRole to a custom value. Usage:
role_id_write(role_name, role_id)
Arguments:
role_name
: Name of the AppRole (string)
role_id
: Value to be set as RoleID (string)
secret_id_generate
Generates and issues a new SecretID on an existing AppRole. Similar to tokens, the response will also contain a secret_id_accessor value which can be used to read the properties of the SecretID without divulging the SecretID itself, and also to delete the SecretID from the AppRole.
Usage:
secret_id_generate(role_name, metadata = NULL, cidr_list = NULL, token_bound_cidrs = NULL)
Arguments:
role_name
: Name of the AppRole.
metadata
: Metadata to be tied to the SecretID. This should be a named list of key-value pairs. This metadata will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.
cidr_list
: Character vector of CIDR blocks restricting the SecretID to be used from a specific set of IP addresses. If secret_id_bound_cidrs (named bound_cidr_list in older Vault versions) is set on the role, then the CIDR blocks listed here must be a subset of the CIDR blocks listed on the role.
token_bound_cidrs
: Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this SecretID. Overrides any token_bound_cidrs value set on the role, but must be a subset of it.
secret_id_list
Lists the accessors of all the SecretIDs issued against the AppRole. This includes the accessors for "custom" SecretIDs as well. Usage:
secret_id_list(role_name)
Arguments:
role_name
: Name of the AppRole
secret_id_read
Reads out the properties of a SecretID. Usage:
secret_id_read(role_name, secret_id, accessor = FALSE)
Arguments:
role_name
: Name of the AppRole
secret_id
: Secret ID attached to the role
accessor
: Logical; if TRUE, treat secret_id as an accessor rather than a secret id.
secret_id_delete
Deletes a SecretID from an AppRole, either by the SecretID itself or (with accessor = TRUE) by its accessor. Usage:
secret_id_delete(role_name, secret_id, accessor = FALSE)
Arguments:
role_name
: Name of the AppRole
secret_id
: Secret ID attached to the role
accessor
: Logical; if TRUE, treat secret_id as an accessor rather than a secret id.
login
Log into the vault using AppRole authentication. Normally you would not call this directly but instead use $login with method = "approle", providing the role_id and secret_id arguments. This function returns a vault token but does not set it as the client token.
Usage:
login(role_id, secret_id)
Arguments:
role_id
: RoleID of the AppRole
secret_id
: SecretID belonging to AppRole
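The following is an added example, not code from the vaultr documentation or the vaultr package itself. It walks through the split-delivery workflow that secret_id_generate, secret_id_read, secret_id_list, login and secret_id_delete are designed for: an operator mints a SecretID and keeps only its accessor, the application logs in with RoleID plus SecretID, a replay of a single-use SecretID is shown to fail, and an unused SecretID is revoked by accessor alone. It assumes a Vault server at https://localhost:8200, an operator token in VAULT_TOKEN, an existing role ci-deploy configured with secret_id_num_uses = 1 and a CIDR list that includes 10.20.0.7, and that secret_id_generate() returns a list with $secret_id and $secret_id_accessor, role_id_read() returns the RoleID string, secret_id_read() returns a list with $metadata, secret_id_list() returns a character vector of accessors, and login() returns the auth block with $client_token, all mirroring the Vault HTTP API responses.

```r
# Added example (not from vaultr's own documentation): SecretID lifecycle
# and AppRole login. Assumptions, labelled as such: Vault at
# https://localhost:8200, operator token in VAULT_TOKEN, role "ci-deploy"
# with secret_id_num_uses = 1 and a CIDR list containing 10.20.0.7, and
# the return shapes described in the lead-in.
library(vaultr)

## --- operator side (holds the operator token, never the app's token) -----
operator <- vaultr::vault_client(addr = "https://localhost:8200",
                                 login = "token")  # assumed: reads VAULT_TOKEN
ar <- operator$auth$approle

# The RoleID is not secret by design, but treat it like a username and do
# not publish it more widely than necessary.
role_id <- ar$role_id_read("ci-deploy")

# Mint a SecretID pinned to one runner. Metadata ends up in the audit log
# in plaintext, so put identifiers there, never secrets.
sid <- ar$secret_id_generate(
  "ci-deploy",
  metadata  = list(pipeline = "build-42", issued_by = "release-bot"),
  cidr_list = "10.20.0.7/32")   # must be a subset of the role's CIDRs

secret_id <- sid$secret_id             # deliver to the app; never log this
accessor  <- sid$secret_id_accessor    # safe to log and keep for audit

# The accessor lets the operator inspect the SecretID without holding it.
props <- ar$secret_id_read("ci-deploy", accessor, accessor = TRUE)
stopifnot(identical(props$metadata$pipeline, "build-42"))
stopifnot(accessor %in% ar$secret_id_list("ci-deploy"))

## --- application side (receives role_id and secret_id out of band) -------
# In normal use the app would call
#   app$login(method = "approle", role_id = role_id, secret_id = secret_id)
# which also sets the client token. Calling the backend's login() directly
# returns the token without installing it, which is what you want when the
# token is to be handed to a different client or process.
app  <- vaultr::vault_client(addr = "https://localhost:8200", login = FALSE)
auth <- app$auth$approle$login(role_id, secret_id)
token <- auth$client_token            # assumed field name, as in the HTTP API
stopifnot(is.character(token), nzchar(token))

# With secret_id_num_uses = 1 the SecretID is consumed by that login, so a
# replay (for instance from a leaked CI log) must be rejected by Vault.
replay <- tryCatch(app$auth$approle$login(role_id, secret_id),
                   error = function(e) NULL)
stopifnot(is.null(replay))

## --- revocation by accessor (incident response) --------------------------
# Mint a second SecretID and revoke it without ever recording the SecretID
# itself: the accessor alone is enough to pull it.
sid2 <- ar$secret_id_generate("ci-deploy",
                              metadata = list(pipeline = "build-43"))
ar$secret_id_delete("ci-deploy", sid2$secret_id_accessor, accessor = TRUE)
stopifnot(!(sid2$secret_id_accessor %in% ar$secret_id_list("ci-deploy")))
```

Keeping the accessor rather than the SecretID on the operator side is the point of the design: it gives you inventory (secret_id_list), inspection (secret_id_read with accessor = TRUE) and revocation (secret_id_delete with accessor = TRUE) without the operator ever being in a position to log in as the application.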
Examples:
# Not run:
vaultr::vault_client(addr = "https://localhost:8200")$auth$approle