HashiCorp Vault — Authentication Options

Firat Yasar (adessoTurkey)
5 min read, Jan 10, 2022

This second story covers the authentication methods of HashiCorp Vault. The first story is linked below.

As the picture shows, HashiCorp Vault supports multiple authentication methods out of the box. They ship bundled in the Vault binary, and several of them can be enabled at the same time.

Authentication methods can be grouped into internal and external ones. LDAP, GitHub and AWS IAM, for example, are external methods, because Vault verifies the identity against another system, while userpass and AppRole are internal methods whose credentials Vault stores itself.

Every authentication method is mounted at a path in Vault. Their main purpose is to obtain a token from Vault: once authenticated, the client uses that token to access the secrets that the policies attached to it allow, and nothing else.

Categories of authentication methods

Vault's authentication methods fall into a few categories:

Vault-native auth methods: userpass, AppRole and Token.

Cloud providers: Azure, AWS and GCP. These plugins are built into the binary; during authentication Vault verifies the client's identity against the provider's own API.

Traditional authentication methods: Kerberos, LDAP or RADIUS.

Cloud-native authentication methods: Kubernetes, JWT, GitHub and so on.

As you can see, HashiCorp Vault supports a wide range of authentication methods. The important part is choosing the ones that fit your needs, so writing down your requirements at the start points you to the right methods.

How can I choose the right authentication method?

You can configure authentication methods through both the CLI and the Vault UI. The important thing is to pick the appropriate one.

You can pin down your needs by asking some basic questions, such as:

  • Who will access Vault: internal or external users?
  • Which authentication method do those users already use? (GitHub or Active Directory?)
  • What is the client type? (Human, application or machine?)
  • Which access method will the clients use?

With these basic questions, the requirements can be specified easily. Vault offers a wide range of authentication methods, so you can almost always find one that suits your case.

Managing authentication methods by CLI

Authentication methods are managed through the sys/auth endpoint and are mounted under the auth/ path prefix. To enable a new one you need a policy that grants access to sys/auth, and Vault additionally requires the sudo capability for enabling and disabling methods, so a plain write permission is not enough.
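As an added example (not from the original article), here is a minimal policy for an operator who manages authentication methods. The policy split and the path names below are assumptions for illustration; the requirement for sudo on sys/auth when enabling or disabling a method is Vault's own.

```hcl
# Added example: operator policy for managing auth methods.
# Enabling and disabling a method under sys/auth/<path> requires the sudo
# capability on top of the usual ones; tuning goes through sys/auth/<path>/tune.
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}

# `vault auth list` reads the list of enabled methods from sys/auth.
path "sys/auth" {
  capabilities = ["read"]
}

# Method-specific configuration (users, roles, config) lives under auth/<path>/...
# Scope this to the mounts the operator owns instead of auth/* if you can.
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
```

Attach this policy to the operator's token rather than handing out a root token; with it, `vault auth enable`, `vault auth tune`, writes under auth/<path>/ and `vault auth disable` all succeed, while everything outside these paths stays denied.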

Every enabled authentication method has a name under the sys/auth path. By default that path is the same as the method type, but you can choose your own.

An authentication method enabled at one path cannot be migrated to another path, but it can be disabled. Disabling removes all data stored under it, including its configuration and any users or roles. The method can be enabled again later, but it starts empty; nothing is restored.

There are two kinds of configuration:

  • Tune: settings common to every authentication method, such as the description and the default and maximum lease TTLs.
  • Configuration: settings specific to each authentication method, written under its own auth/<path>/ endpoints (users for userpass, roles for AppRole, and so on).

Configuring Authentication Methods:

You can configure authentication methods both on the CLI and in the Vault UI.

Let's start with the CLI.

To keep the example simple, I am going to use the userpass authentication method and show how it is enabled, updated and deleted. I will cover the other methods in future stories.

After logging in to Vault, you can list the enabled authentication methods with the command below.

vault auth list

The command lists the enabled authentication methods. To enable another one, use the command below. You can specify a custom path with the -path option; without it, the method type is used as the path name.

vault auth enable [options] TYPE

After enabling it, you can update it with the two kinds of configuration options.

First, let's use the tune option for the common settings. In the following example I update the description field of the authentication method.

vault auth tune [options] PATH

After running it, the description field of the method has been updated.

Now let's configure the method itself with the write command. (For userpass, the method-specific configuration means creating user login credentials under the method's path; these are the settings that tune does not cover.)

Finally, to disable an authentication method via the CLI, use the command below. This also deletes all data written under the method's path and revokes the tokens that were issued through it, so make sure nothing still depends on the method before you run it.

vault auth disable [options] PATH
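The whole lifecycle described above (enable, tune, write method-specific configuration, disable) in one script, as an added example that is not part of the original article. It also exercises the tune-versus-configuration distinction from the list earlier: tune changes settings every method shares, while the user entry is userpass-specific. It assumes a reachable Vault with VAULT_ADDR and VAULT_TOKEN exported for a token allowed to manage auth methods (the root token of `vault server -dev` works); the mount path `userpass-demo`, the user `alice` and the policy `demo-reader` are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the full CLI lifecycle of a
# userpass auth method. Assumes a running Vault with VAULT_ADDR and VAULT_TOKEN
# exported for a token that may manage auth methods. Mount path, user name and
# policy name are invented for the demo.
set -eu

MOUNT="userpass-demo"     # custom mount path; without -path it would be "userpass"
USERNAME="alice"
POLICY="demo-reader"

# Mount path rule from the article: the method type unless -path overrides it.
# `vault auth list` prints mounts with a trailing slash.
mount_path_for() {
  mtype="$1"; mpath="${2:-}"
  printf '%s/\n' "${mpath:-$mtype}"
}

vault_reachable() {
  command -v vault >/dev/null 2>&1 &&
    [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ] &&
    vault status >/dev/null 2>&1
}

enable_method() {
  # Step 1: enable at a custom path (needs sudo on sys/auth/<path>).
  vault auth enable -path="$MOUNT" userpass
  vault auth list | grep -q "^$(mount_path_for userpass "$MOUNT")"
}

tune_common_settings() {
  # Step 2: "tune" = settings shared by every auth method type.
  vault auth tune \
    -description="Demo userpass mount" \
    -default-lease-ttl=1h \
    -max-lease-ttl=24h \
    "$MOUNT"
  vault auth list -detailed | grep -q "Demo userpass mount"
}

configure_method() {
  # Step 3: "configuration" = method-specific data under auth/<mount>/...
  # For userpass that is a user entry carrying the policies its tokens get.
  vault policy write "$POLICY" - <<'EOF'
path "secret/data/demo/*" {
  capabilities = ["read", "list"]
}
EOF
  PASSWORD="$(head -c 24 /dev/urandom | base64 | tr -d '\n')"
  vault write "auth/$MOUNT/users/$USERNAME" \
    password="$PASSWORD" \
    token_policies="$POLICY" \
    token_ttl=30m
}

login_and_check() {
  # Log in as the new user and confirm the token only carries the user's
  # policies (plus "default"), i.e. least privilege via the mount config.
  token="$(vault write -field=token "auth/$MOUNT/login/$USERNAME" password="$PASSWORD")"
  VAULT_TOKEN="$token" vault token lookup -field=policies | grep -q "$POLICY"
}

disable_method() {
  # Step 4: disabling deletes the user data and revokes tokens issued through it.
  vault auth disable "$MOUNT"
  ! vault auth list | grep -q "^$(mount_path_for userpass "$MOUNT")"
}

if vault_reachable; then
  enable_method && tune_common_settings && configure_method && login_and_check && disable_method
  echo "userpass lifecycle on auth/$MOUNT completed"
else
  echo "vault not reachable; export VAULT_ADDR and VAULT_TOKEN to run the lifecycle"
fi
```

Run it against a throwaway dev server (`vault server -dev`, then export the printed address and root token). Each step checks its own effect with `vault auth list` or `vault token lookup`, so a missing sudo capability or a typo in the mount path fails loudly at the step where it happens instead of silently later.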

All of these operations can also be performed through the Vault UI.

Conclusion

HashiCorp Vault ships with multiple built-in authentication methods. By asking the right questions you can easily identify and enable the one that fits your needs. Authentication methods can be configured either from the CLI or from the Vault UI, but keep in mind that disabling a method deletes all of its data.


DevOps Lead at adesso Turkey; CKA, CKAD and CKS; Microsoft MVP