Vault AppRole Authentication Configuration
Source:R/vault_client_auth_approle.R
vault_client_auth_approle.Rd
Vault AppRole Authentication Configuration
Vault AppRole Authentication Configuration
Details
Interact with vault's AppRole authentication backend. For more details about this, see the vault documentation at https://developer.hashicorp.com/vault/docs/auth/approle
Super class
vaultr::vault_client_object
-> vault_client_auth_approle
Methods
Inherited methods
Method new()
Create a vault_client_approle
object. Not typically
called by users.
Usage
vault_client_auth_approle$new(api_client, mount)
Arguments
api_client
A vault_api_client object
mount
Mount point for the backend
Method custom_mount()
Set up a vault_client_auth_approle
object at a
custom mount. For example, suppose you mounted the approle
authentication backend at /approle-dev
you might use ar <- vault$auth$approle2$custom_mount("/approle-dev")
- this pattern
is repeated for other secret and authentication backends.
Method role_write()
Creates a new AppRole or updates an existing AppRole. This endpoint supports both create and update capabilities. There can be one or more constraints enabled on the role. It is required to have at least one of them enabled while creating or updating a role.
Usage
vault_client_auth_approle$role_write(
role_name,
bind_secret_id = NULL,
secret_id_bound_cidrs = NULL,
token_bound_cidrs = NULL,
policies = NULL,
secret_id_num_uses = NULL,
secret_id_ttl = NULL,
token_num_uses = NULL,
token_ttl = NULL,
token_max_ttl = NULL,
period = NULL,
enable_local_secret_ids = NULL,
token_type = NULL
)
Arguments
role_name
Name of the AppRole
bind_secret_id
Require secret_id to be presented when logging in using this AppRole (boolean, default is
TRUE
).secret_id_bound_cidrs
Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation.
token_bound_cidrs
Character vector of if set, specifies blocks of IP addresses which can use the auth tokens generated by this role.
policies
Character vector of policies set on tokens issued via this AppRole.
secret_id_num_uses
Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.
secret_id_ttl
Duration, after which any SecretID expires.
token_num_uses
Number of times issued tokens can be used. A value of 0 means unlimited uses
token_ttl
Duration to set as the TTL for issued tokens and at renewal time.
token_max_ttl
Duration, after which the issued token can no longer be renewed.
period
A duration; when set, the token generated using this AppRole is a periodic token; so long as it is renewed it never expires, but the TTL set on the token at each renewal is fixed to the value specified here. If this value is modified, the token will pick up the new value at its next renewal.
enable_local_secret_ids
Boolean, if
TRUE
, then the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later.token_type
The type of token that should be generated via this role. Can be
service
,batch
, ordefault
to use the mount's default (which unless changed will be service tokens).
Method secret_id_generate()
Generates and issues a new SecretID on an existing
AppRole. Similar to tokens, the response will also contain a
secret_id_accessor
value which can be used to read the
properties of the SecretID without divulging the SecretID
itself, and also to delete the SecretID from the AppRole.
Usage
vault_client_auth_approle$secret_id_generate(
role_name,
metadata = NULL,
cidr_list = NULL,
token_bound_cidrs = NULL
)
Arguments
role_name
Name of the AppRole.
metadata
Metadata to be tied to the SecretID. This should be a named list of key-value pairs. This metadata will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.
cidr_list
Character vector CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If
bound_cidr_list
is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.token_bound_cidrs
Character vector of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this SecretID. Overrides any role-set value but must be a subset.
Method secret_id_list()
Lists the accessors of all the SecretIDs issued against the AppRole. This includes the accessors for "custom" SecretIDs as well.
Examples
vaultr::vault_client(addr = "https://localhost:8200")$auth$approle
#> <vault: auth_approle>
#> Commands:
#> custom_mount(mount)
#> help()
#> login(role_id, secret_id)
#> role_delete(role_name)
#> role_id_read(role_name)
#> role_id_write(role_name, role_id)
#> role_list()
#> role_read(role_name)
#> role_write(role_name, bind_secret_id = NULL,
#> secret_id_bound_cidrs = NULL, token_bound_cidrs = NULL,
#> policies = NULL, secret_id_num_uses = NULL, secret_id_ttl = NULL,
#> token_num_uses = NULL, token_ttl = NULL, token_max_ttl = NULL,
#> period = NULL, enable_local_secret_ids = NULL, token_type = NULL)
#> secret_id_delete(role_name, secret_id, accessor = FALSE)
#> secret_id_generate(role_name, metadata = NULL, cidr_list = NULL,
#> token_bound_cidrs = NULL)
#> secret_id_list(role_name)
#> secret_id_read(role_name, secret_id, accessor = FALSE)