HashiCorp Vault – Configure Authentication

There are many authentication methods for Vault. This article describes how to configure LDAP authentication and Userpass authentication.

LDAP Authentication:

The following command configures LDAP authentication to point at a domain controller named mydomaincontroller.mydomain.com. It sets the search base for users and groups to the top of the mydomain.com domain. Because the URL uses ldap:// on port 389, the connection is unencrypted unless starttls=true is also set; insecure_tls=false only keeps certificate verification enabled when TLS is in use.

vault write auth/ldap/config url="ldap://mydomaincontroller.mydomain.com:389" userattr=sAMAccountName userdn="dc=mydomain,dc=com" groupdn="dc=mydomain,dc=com" groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" groupattr="cn" upndomain="mydomain.com" insecure_tls=false

After you have configured Vault to use LDAP for authentication, you need to map the LDAP groups to policies. Here is an example of how to map an LDAP group to a Vault policy:

vault write auth/ldap/groups/myvaultadgroup policies=myvaultpolicy

Userpass Authentication:

Create a user:
vault write auth/userpass/users/myusername password=mypassword policies=admins

Delete a user:
vault delete auth/userpass/users/username

Change user password:
vault write auth/userpass/users/myusername password=mypassword

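Create user with random password and store password in cubbyhole:
# Generate a random password (16 random bytes, base64-encoded)
mypass="$(openssl rand -base64 16)"
# password=- makes vault read the value from stdin
echo -n "$mypass" | vault write secret/test password=-

vault write auth/userpass/users/test.user password="$mypass" policies=admins

# -wrap-ttl returns a wrapping token; the wrapped response is held in that token's cubbyhole for 15 minutes
vault read -wrap-ttl=15m secret/test

# Clear the password from the shell variable
mypass=""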
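
A variant of the procedure above in which the generated password is passed to both writes on stdin (password=-), so it never appears in a command line, the process list or shell history. This is an added example, not part of the original article; the function names and the secret/<user> path are hypothetical, and it assumes the userpass method is enabled and a KV version 1 mount exists at secret/, as the article's commands imply.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Assumes: userpass auth enabled, KV v1 mounted at secret/, an authenticated vault CLI.

# gen_password: 16 random bytes, base64-encoded (24 characters).
gen_password() {
    openssl rand -base64 16
}

# create_wrapped_user USER POLICY [WRAP_TTL]
# Creates a userpass user with a random password and prints only the
# response-wrapped read of the stored password (default wrap TTL: 15m).
create_wrapped_user() {
    cwu_user=$1
    cwu_policy=$2
    cwu_ttl=${3:-15m}

    cwu_pw=$(gen_password) || return 1

    # password=- tells vault to read the value from stdin, so the secret
    # is never part of argv.
    printf '%s' "$cwu_pw" |
        vault write "auth/userpass/users/$cwu_user" password=- \
            "policies=$cwu_policy" >/dev/null || return 1

    # Store the same password so it can be handed over via response wrapping.
    # secret/<user> is an assumed path (the article uses secret/test).
    printf '%s' "$cwu_pw" |
        vault write "secret/$cwu_user" password=- >/dev/null || return 1

    # Drop the plaintext from the shell before printing anything.
    cwu_pw=

    # The output contains a single-use wrapping token, not the password.
    vault read -wrap-ttl="$cwu_ttl" "secret/$cwu_user"
}

# Usage: create_wrapped_user test.user admins 15m
```

The recipient redeems the wrapping token once before the TTL expires; a second attempt fails, which signals that someone else has already read the password.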

Login using Userpass Authentication:
vault auth -method=userpass username=myusername password=mypassword

Login and have Vault prompt for the password:
vault auth -method=userpass username=myusername

Certificate Authentication

Vault supports using PEM certificates for authentication. However, it does not work with the version of curl built into OS X.

Creating Authentication Certificate:

Create a folder to store the files
Create a cert.conf file and populate it with the text below
Modify cert.conf to fill in all the fields under [ dn ]
<insert here>

Run the following commands and follow prompts:
openssl req -config cert.conf -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
openssl rsa -in key.pem -out key.insecure.pem

Note: in the next step, be sure to replace "Your Name", your.name, and policyname.

Configure Vault to accept the authentication certificate
Run the following:

vault write auth/cert/certs/your.name display_name="Your Name" policies=policyname certificate=@cert.pem ttl=3600

 

Authenticate to Vault using the authentication certificate
Run the following command:
vault auth -method=cert -client-cert=cert.pem -client-key=key.pem

 

Token Authentication:

No Prompt for token:
vault auth <token>
-or-
Prompt for Token:
vault auth