Vault Username/Password Authentication Configuration
Source: R/vault_client_auth_userpass.R
Details
Interact with vault's username/password authentication backend. This backend can be used to configure basic username+password authentication, suitable for human users. For more information, please see the vault documentation https://developer.hashicorp.com/vault/docs/auth/userpass
Super class
vaultr::vault_client_object -> vault_client_auth_userpass
Methods
Inherited methods
Method new()
Create a vault_client_userpass object. Not typically
called by users.
Usage
vault_client_auth_userpass$new(api_client, mount)
Arguments
api_client: A vault_api_client object
mount: Mount point for the backend
Method custom_mount()
Set up a vault_client_auth_userpass object at a
custom mount. For example, if you mounted the
userpass authentication backend at /userpass2, you might
use up <- vault$auth$userpass$custom_mount("/userpass2").
This pattern is repeated for other secret and authentication
backends.
Method write()
Create or update a user.
Usage
vault_client_auth_userpass$write(
username,
password = NULL,
policies = NULL,
ttl = NULL,
max_ttl = NULL,
bound_cidrs = NULL
)
Arguments
username: Username for the user
password: Password for the user (required when creating a user only)
policies: Character vector of policies for the user
ttl: The lease duration which decides login expiration
max_ttl: Maximum duration after which login should expire
bound_cidrs: Character vector of CIDRs. If set, restricts usage of the login and token to client IPs falling within the range of the specified CIDR(s).
Method login()
Log into the vault using username/password
authentication. Normally you would not call this directly
but instead use $login with method = "userpass" and
providing the username argument and optionally the password
argument. This function returns a vault token but does not
set it as the client token.
Examples
server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
  root <- server$client()

  # The userpass authentication backend is not enabled by default,
  # so we need to enable it first
  root$auth$enable("userpass")

  # Then we can add users:
  root$auth$userpass$write("alice", "p4ssw0rd")

  # Create a new client and login with this user:
  alice <- vaultr::vault_client(
    addr = server$addr,
    login = "userpass",
    username = "alice",
    password = "p4ssw0rd")
  # (it is not recommended to login with the password like this as
  # it will end up in the command history, but in interactive use
  # you will be prompted securely for password)

  # Alice has now logged in and has only "default" policies
  alice$auth$token$lookup_self()$policies

  # (whereas our original root user has the "root" policy)
  root$auth$token$lookup_self()$policies
}
#> ok, duration: 2764800 s (~32d)
#> [1] "root"
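The optional write() arguments (policies, ttl, max_ttl, bound_cidrs) can be combined to scope a user's login tightly. The following is an added example, not part of the vaultr documentation. The user "bob", the policy name and path, and the DEMO_USERPASS_PW environment variable are assumptions made for illustration, and it assumes the test server is reached over loopback.

```r
# Added example (not from the vaultr documentation): a userpass user with
# a narrow policy, short token lifetime and a CIDR restriction.
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  root <- server$client()
  root$auth$enable("userpass")

  # Constructed read-only policy; the name and path are placeholders.
  root$policy$write(
    "demo-readonly",
    'path "secret/data/demo/*" { capabilities = ["read"] }')

  # Take the password from the environment so it stays out of the script
  # and the command history. DEMO_USERPASS_PW is a hypothetical variable;
  # the fallback is a constructed throwaway value for the test server only.
  pw <- Sys.getenv("DEMO_USERPASS_PW", "constructed-demo-only")

  root$auth$userpass$write(
    "bob",
    password = pw,
    policies = "demo-readonly",     # only this policy (plus "default")
    ttl = "1h",                     # token lease duration
    max_ttl = "4h",                 # hard upper bound on token lifetime
    bound_cidrs = "127.0.0.1/32")   # assumption: client connects via loopback

  bob <- vaultr::vault_client(
    addr = server$addr,
    login = "userpass",
    username = "bob",
    password = pw)

  # Verify that the issued token carries the restrictions set above.
  info <- bob$auth$token$lookup_self()
  stopifnot(
    "demo-readonly" %in% info$policies,
    !("root" %in% info$policies),
    info$ttl <= 3600)
}
```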