Vaultx.Auth.AppRole (Vaultx v0.7.0)

AppRole authentication method for HashiCorp Vault.

This module implements the AppRole authentication method for Vault, providing secure machine-to-machine authentication with comprehensive support for role-based access control, secret management, and enterprise features.

Features

  • Machine Authentication: Role ID and Secret ID-based authentication
  • Role Management: Support for role creation, updates, and deletion
  • Secret ID Management: Generate, list, and revoke secret IDs
  • CIDR Restrictions: IP address-based access control
  • Token Policies: Flexible policy assignment and management
  • Audit Integration: Comprehensive audit logging for security compliance
  • Enterprise Ready: Supports all Vault enterprise features

API Compliance

Fully implements the HashiCorp Vault AppRole authentication API.

Usage Examples

Basic Authentication

{:ok, auth_response} = Vaultx.Auth.AppRole.authenticate(%{
  role_id: "59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8",
  secret_id: "84896a0c-1347-aa90-a4f6-aca8b7558780"
})

Authentication with Custom Mount Path

{:ok, auth_response} = Vaultx.Auth.AppRole.authenticate(%{
  role_id: "59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8",
  secret_id: "84896a0c-1347-aa90-a4f6-aca8b7558780"
}, mount_path: "custom-approle")

Authentication with Additional Options

{:ok, auth_response} = Vaultx.Auth.AppRole.authenticate(%{
  role_id: "59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8",
  secret_id: "84896a0c-1347-aa90-a4f6-aca8b7558780"
}, [
  mount_path: "approle",
  timeout: 30_000,
  retry_attempts: 3
])

Authentication without Secret ID (if bind_secret_id is false)

{:ok, auth_response} = Vaultx.Auth.AppRole.authenticate(%{
  role_id: "59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8"
})

Vault Configuration

Before using this authentication method, configure it in Vault:

# Enable AppRole auth method
vault auth enable approle

# Create an AppRole
vault write auth/approle/role/my-role \
  token_policies="default,my-policy" \
  token_ttl=1h \
  token_max_ttl=4h \
  bind_secret_id=true

# Get the Role ID
vault read auth/approle/role/my-role/role-id

# Generate a Secret ID
vault write -f auth/approle/role/my-role/secret-id

Security Considerations

  • Store Role IDs and Secret IDs securely and separately
  • Use CIDR restrictions to limit access from specific IP ranges
  • Implement proper secret ID rotation policies
  • Monitor authentication events in Vault audit logs
  • Use least privilege principle for policy assignments
  • Consider using response wrapping for secret ID distribution
  • Regularly audit and rotate credentials
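The following module is an added example of wiring the first consideration ("store Role IDs and Secret IDs securely and separately") into application code; it is not part of Vaultx and only the documented `Vaultx.Auth.AppRole.authenticate/2` call is taken from this page. It assumes the Role ID lives in the application's runtime config (`config :my_app, :vault_role_id`), that a trusted orchestrator delivers the Secret ID as a file whose path is passed in the `VAULT_SECRET_ID_FILE` environment variable (both names are hypothetical), and that `authenticate/2` returns `{:error, reason}` on failure.

```elixir
defmodule MyApp.VaultLogin do
  @moduledoc """
  Added example (not Vaultx code): AppRole login that keeps the Role ID and the
  Secret ID in separate places and consumes the Secret ID file exactly once.

  Assumptions not taken from the Vaultx docs:
    * the Role ID is in runtime config under `:my_app, :vault_role_id`
      (a low-sensitivity identifier, so it may ship with the deployment);
    * the Secret ID is written to a file by a trusted orchestrator and the
      path is provided in the VAULT_SECRET_ID_FILE environment variable;
    * `Vaultx.Auth.AppRole.authenticate/2` returns `{:error, reason}` on failure.
  """

  require Logger

  @spec login(keyword()) :: {:ok, map()} | {:error, term()}
  def login(opts \\ []) do
    with {:ok, role_id} <- fetch_role_id(),
         {:ok, secret_id} <- read_secret_id_once() do
      # The only Vaultx call used here is the one documented on this page.
      case Vaultx.Auth.AppRole.authenticate(%{role_id: role_id, secret_id: secret_id}, opts) do
        {:ok, auth_response} ->
          {:ok, auth_response}

        {:error, reason} = error ->
          # Report the failure for operators; the credentials themselves are never logged.
          Logger.error("AppRole login failed: #{inspect(reason)}")
          error
      end
    end
  end

  # Role ID comes from config, not from the same channel as the Secret ID.
  defp fetch_role_id do
    case Application.fetch_env(:my_app, :vault_role_id) do
      {:ok, role_id} when is_binary(role_id) and role_id != "" -> {:ok, role_id}
      _ -> {:error, :missing_role_id}
    end
  end

  # Read the Secret ID file once and remove it so the credential does not
  # linger on disk after login. Pair this with a short secret_id_ttl and
  # secret_id_num_uses=1 on the Vault role so a copied file is worthless.
  defp read_secret_id_once do
    with {:ok, path} <- fetch_secret_id_path(),
         {:ok, contents} <- File.read(path),
         :ok <- File.rm(path) do
      case String.trim(contents) do
        "" -> {:error, :empty_secret_id}
        secret_id -> {:ok, secret_id}
      end
    else
      {:error, reason} -> {:error, {:secret_id_unavailable, reason}}
    end
  end

  defp fetch_secret_id_path do
    case System.get_env("VAULT_SECRET_ID_FILE") do
      nil -> {:error, :missing_secret_id_path}
      path -> {:ok, path}
    end
  end
end
```

Call `MyApp.VaultLogin.login(mount_path: "approle")` at startup; the `opts` keyword list is passed straight through to `authenticate/2`, so the mount path, timeout and retry options shown in the usage examples above apply unchanged. Because the Secret ID file is deleted after the first read, a second call to `login/1` fails with `{:error, {:secret_id_unavailable, :enoent}}` rather than silently reusing the credential.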