Admin Token for AppRole in Hashicorp Vault
As suggested, root token should not be used, and it should be revoked immediately after used.
Root token
Follow the steps in page below to create a new root token and revoke it after used.
Generate a new root token for Hashicorp Vault
Admin token
For example, SSH secret engine, following admin policy can be created
vault policy write ssh-admin-policy - << EOF
# SSH secret engine
path "ssh-client-signer/sign/*" {
capabilities = ["create", "read", "update", "delete", "sudo", "list" ]
}
# Mount the AppRole auth method
path "sys/auth/approle" {
capabilities = [ "create", "read", "update", "delete", "sudo" ]
}
# Configure the AppRole auth method
path "sys/auth/approle/*" {
capabilities = [ "create", "read", "update", "delete" ]
}
# Create and manage roles
path "auth/approle/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Write ACL policies
path "sys/policies/acl/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
##### Add other requirement if required. For example
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
path "secret/mysql/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF
Then create token under this policy
vault token create -field token -policy=ssh-admin-policy
The using this token follow the steps in page below:
Signed SSH Certificates using Hashicorp Vault in Practice
- Generate role_id and secret_id
- Login using role_id and secret_id
- Generate SSH policy token
- Use SSH policy token to generate signed public key
- Use the signed public key and private key to login to remote system
Renew token itself
To get renew token before expired, run following command
vault token renew
The expire time can be view using following command
vault token lookup
References
Tokens
AppRole Pull Authentication