Vault AppRole Authentication Configuration
Vault AppRole Authentication Configuration
vaultr::vault_client_object
-> vault_client_auth_approle
Inherited methods
new()
Create a vault_client_approle
object. Not typically
called by users.
vault_client_auth_approle$new(api_client, mount)
api_client
A vault_api_client object
mount
Mount point for the backend
custom_mount()
Set up a vault_client_auth_approle
object at a
custom mount. For example, suppose you mounted the approle
authentication backend at /approle-dev
you might use ar <- vault$auth$approle2$custom_mount("/approle-dev")
- this pattern
is repeated for other secret and authentication backends.
vault_client_auth_approle$custom_mount(mount)
mount
String, indicating the path that the engine is mounted at.
role_list()
This endpoint returns a list the existing AppRoles in the method.
vault_client_auth_approle$role_list()
role_write()
Creates a new AppRole or updates an existing AppRole. This endpoint supports both create and update capabilities. There can be one or more constraints enabled on the role. It is required to have at least one of them enabled while creating or updating a role.
vault_client_auth_approle$role_write(
role_name,
bind_secret_id = NULL,
secret_id_bound_cidrs = NULL,
token_bound_cidrs = NULL,
policies = NULL,
secret_id_num_uses = NULL,
secret_id_ttl = NULL,
token_num_uses = NULL,
token_ttl = NULL,
token_max_ttl = NULL,
period = NULL,
enable_local_secret_ids = NULL,
token_type = NULL
)
role_name
Name of the AppRole
bind_secret_id
Require secret_id to be presented when
logging in using this AppRole (boolean, default is TRUE
).
secret_id_bound_cidrs
Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation.
token_bound_cidrs
Character vector of if set, specifies blocks of IP addresses which can use the auth tokens generated by this role.
policies
Character vector of policies set on tokens issued via this AppRole.
secret_id_num_uses
Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.
secret_id_ttl
Duration, after which any SecretID expires.
token_num_uses
Number of times issued tokens can be used. A value of 0 means unlimited uses
token_ttl
Duration to set as the TTL for issued tokens and at renewal time.
token_max_ttl
Duration, after which the issued token can no longer be renewed.
period
A duration; when set, the token generated using this AppRole is a periodic token; so long as it is renewed it never expires, but the TTL set on the token at each renewal is fixed to the value specified here. If this value is modified, the token will pick up the new value at its next renewal.
enable_local_secret_ids
Boolean, if TRUE
, then the
secret IDs generated using this role will be cluster
local. This can only be set during role creation and once
set, it can't be reset later.
token_type
The type of token that should be generated
via this role. Can be service
, batch
, or default
to use
the mount's default (which unless changed will be service
tokens).
role_read()
Reads the properties of an existing AppRole.
vault_client_auth_approle$role_read(role_name)
role_name
Name of the AppRole
role_delete()
Deletes an existing AppRole from the method.
vault_client_auth_approle$role_delete(role_name)
role_name
Name of the AppRole to delete
role_id_read()
Reads the RoleID of an existing AppRole.
vault_client_auth_approle$role_id_read(role_name)
role_name
Name of the AppRole
role_id_write()
Updates the RoleID of an existing AppRole to a custom value.
vault_client_auth_approle$role_id_write(role_name, role_id)
role_name
Name of the AppRole (string)
role_id
Value to be set as RoleID (string)
secret_id_generate()
Generates and issues a new SecretID on an existing
AppRole. Similar to tokens, the response will also contain a
secret_id_accessor
value which can be used to read the
properties of the SecretID without divulging the SecretID
itself, and also to delete the SecretID from the AppRole.
vault_client_auth_approle$secret_id_generate(
role_name,
metadata = NULL,
cidr_list = NULL,
token_bound_cidrs = NULL
)
role_name
Name of the AppRole.
metadata
Metadata to be tied to the SecretID. This should be a named list of key-value pairs. This metadata will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.
cidr_list
Character vector CIDR blocks enforcing secret
IDs to be used from specific set of IP addresses. If
bound_cidr_list
is set on the role, then the list of CIDR
blocks listed here should be a subset of the CIDR blocks
listed on the role.
token_bound_cidrs
Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this SecretID. Overrides any role-set value but must be a subset.
secret_id_list()
Lists the accessors of all the SecretIDs issued against the AppRole. This includes the accessors for "custom" SecretIDs as well.
vault_client_auth_approle$secret_id_list(role_name)
role_name
Name of the AppRole
secret_id_read()
Reads out the properties of a SecretID.
vault_client_auth_approle$secret_id_read(
role_name,
secret_id,
accessor = FALSE
)
role_name
Name of the AppRole
secret_id
Secret ID attached to the role
accessor
Logical, if TRUE
, treat secret_id
as an
accessor rather than a secret id.
secret_id_delete()
Delete an AppRole secret ID
vault_client_auth_approle$secret_id_delete(
role_name,
secret_id,
accessor = FALSE
)
role_name
Name of the AppRole
secret_id
Secret ID attached to the role
accessor
Logical, if TRUE
, treat secret_id
as an
accessor rather than a secret id.
login()
Log into the vault using AppRole authentication.
Normally you would not call this directly but instead use
$login
with method = "approle"
and proving the role_id
and secret_id
arguments. This function returns a vault
token but does not set it as the client token.
vault_client_auth_approle$login(role_id, secret_id)
role_id
RoleID of the AppRole
secret_id
SecretID belonging to AppRole
Interact with vault's AppRole authentication backend. For more details about this, see the vault documentation at https://developer.hashicorp.com/vault/docs/auth/approle
vaultr::vault_client(addr = "https://localhost:8200")$auth$approle
Run the code above in your browser using DataLab