Vault Username/Password Authentication Configuration

Details

Interact with vault's username/password authentication backend. This backend can be used to configure basic username+password authentication, suitable for human users. For more information, please see the vault documentation https://developer.hashicorp.com/vault/docs/auth/userpass

Super class

vaultr::vault_client_object -> vault_client_auth_userpass

Methods


Method new()

Create a vault_client_auth_userpass object. Not typically called by users.

Usage

vault_client_auth_userpass$new(api_client, mount)

Arguments

api_client

A vault_api_client object

mount

Mount point for the backend


Method custom_mount()

Set up a vault_client_auth_userpass object at a custom mount. For example, if you mounted the userpass authentication backend at /userpass2, you might use up <- vault$auth$userpass$custom_mount("/userpass2"). This pattern is repeated for other secret and authentication backends.

Usage

vault_client_auth_userpass$custom_mount(mount)

Arguments

mount

String, indicating the path that the engine is mounted at.


Method write()

Create or update a user.

Usage

vault_client_auth_userpass$write(
  username,
  password = NULL,
  policies = NULL,
  ttl = NULL,
  max_ttl = NULL,
  bound_cidrs = NULL
)

Arguments

username

Username for the user

password

Password for the user (required when creating a user only)

policies

Character vector of policies for the user

ttl

The lease duration which decides login expiration

max_ttl

Maximum duration after which login should expire

bound_cidrs

Character vector of CIDRs. If set, restricts usage of the login and token to client IPs falling within the range of the specified CIDR(s).


Method read()

Reads the properties of an existing username.

Usage

vault_client_auth_userpass$read(username)

Arguments

username

Username to read


Method delete()

Delete a user

Usage

vault_client_auth_userpass$delete(username)

Arguments

username

Username to delete


Method update_password()

Update password for a user

Usage

vault_client_auth_userpass$update_password(username, password)

Arguments

username

Username for the user to update

password

New password for the user


Method update_policies()

Update vault policies for a user

Usage

vault_client_auth_userpass$update_policies(username, policies)

Arguments

username

Username for the user to update

policies

Character vector of policies for this user


Method list()

List users known to vault

Usage

vault_client_auth_userpass$list()


Method login()

Log into the vault using username/password authentication. Normally you would not call this directly but would instead use $login with method = "userpass", providing the username argument and optionally the password argument. This function returns a vault token but does not set it as the client token.

Usage

vault_client_auth_userpass$login(username, password = NULL)

Arguments

username

Username to authenticate with

password

Password to authenticate with. If omitted or NULL and the session is interactive, the password will be prompted for.

Examples

server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
  root <- server$client()

  # The userpass authentication backend is not enabled by default,
  # so we need to enable it first
  root$auth$enable("userpass")

  # Then we can add users:
  root$auth$userpass$write("alice", "p4ssw0rd")

  # Create a new client and login with this user:
  alice <- vaultr::vault_client(
    addr = server$addr,
    login = "userpass",
    username = "alice",
    password = "p4ssw0rd")

  # (it is not recommended to login with the password like this as
  # it will end up in the command history, but in interactive use
  # you will be prompted securely for password)

  # Alice has now logged in and has only "default" policies
  alice$auth$token$lookup_self()$policies

  # (whereas our original root user has the "root" policy)
  root$auth$token$lookup_self()$policies
}
#> ok, duration: 2764800 s (~32d)
#> [1] "root"
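The example above creates a user that carries only the "default" policy. The following is an added example, not part of the vaultr documentation, showing the remaining write() arguments in use: a narrowly scoped policy, a bounded token lifetime via ttl and max_ttl, a client CIDR restriction via bound_cidrs, followed by a password rotation and removal of the user. It assumes a local vaultr::vault_test_server() reachable on the loopback address as above; the policy name, secret path, username and passwords are illustrative.

```r
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  root <- server$client()
  root$auth$enable("userpass")

  # A narrowly scoped policy: read-only access to one kv path
  # ("bob-readonly" and the path are illustrative names)
  root$policy$write("bob-readonly",
    'path "secret/data/app/*" { capabilities = ["read"] }')

  # Create the user with a least-privilege policy, a bounded token
  # lifetime, and logins restricted to the loopback address (the only
  # source address the local test server will see)
  root$auth$userpass$write(
    username    = "bob",
    password    = "initial-pw",     # illustrative; rotated below
    policies    = "bob-readonly",
    ttl         = "1h",
    max_ttl     = "8h",
    bound_cidrs = "127.0.0.1/32")

  # Inspect what Vault stored for the user (policies, ttl, cidrs)
  str(root$auth$userpass$read("bob"))

  # Log in as bob and confirm the token carries only the intended
  # policies ("default" is always attached by Vault)
  bob <- vaultr::vault_client(addr = server$addr, login = "userpass",
                              username = "bob", password = "initial-pw")
  bob$auth$token$lookup_self()$policies

  # Rotate the password; the old one must no longer authenticate
  root$auth$userpass$update_password("bob", "rotated-pw")
  old_login <- tryCatch(
    root$auth$userpass$login("bob", "initial-pw"),
    error = function(e) conditionMessage(e))
  old_login   # an error message rather than a token

  # Remove the user when the account is retired, then confirm
  root$auth$userpass$delete("bob")
  root$auth$userpass$list()
}
```

A login attempted from an address outside bound_cidrs is rejected by Vault the same way as a wrong password, so the CIDR list is worth checking with read() whenever a user unexpectedly cannot authenticate.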