Enable AppRole
vault auth enable approle
Create a role and specify the number of times a SecretId can be used
vault write auth/approle/role/my-role secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40
Generate RoleId and SecretId
$ vault read auth/approle/role/my-role/role-id
Key Value
--- -----
role_id ec7...
$ vault write -f auth/approle/role/my-role/secret-id
Key Value
--- -----
secret_id 91...
secret_id_accessor cef8f7a1-72d0-9d50-e471-5d157f556da0
Validate this SecretId has 40 uses left:
# Create payload.json:
{
"secret_id": "91..."
}
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/role/my-role/secret-id/lookup | jq
{
  "request_id": "667426b8-541d-3406-5a6c-a755dc7d82bc",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "cidr_list": [],
    "creation_time": "2018-08-31T19:22:54.933746461Z",
    "expiration_time": "2018-08-31T19:32:54.933746461Z",
    "last_updated_time": "2018-08-31T19:22:54.933746461Z",
    "metadata": {},
    "secret_id_accessor": "cef8f7a1-72d0-9d50-e471-5d157f556da0",
    "secret_id_num_uses": 40,
    "secret_id_ttl": 600
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
Login using RoleId and SecretId
$ vault write auth/approle/login \
> role_id=ec7... \
> secret_id=91...
Validate that one of the uses of the SecretId has been registered:
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/role/my-role/secret-id/lookup | jq
{
  "request_id": "057c3fe0-fb00-3114-9a75-f93983f288c4",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "cidr_list": [],
    "creation_time": "2018-08-31T19:22:54.933746461Z",
    "expiration_time": "2018-08-31T19:32:54.933746461Z",
    "last_updated_time": "2018-08-31T19:28:02.081899789Z",
    "metadata": {},
    "secret_id_accessor": "cef8f7a1-72d0-9d50-e471-5d157f556da0",
    "secret_id_num_uses": 39,
    "secret_id_ttl": 600
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
Now let's change the config to only be 20 uses instead of the original 40:
vault write auth/approle/role/my-role secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=20
Validate that the existing SecretId's remaining number of uses hasn't changed:
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/role/my-role/secret-id/lookup | jq
{
  "request_id": "057c3fe0-fb00-3114-9a75-f93983f288c4",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "cidr_list": [],
    "creation_time": "2018-08-31T19:22:54.933746461Z",
    "expiration_time": "2018-08-31T19:32:54.933746461Z",
    "last_updated_time": "2018-08-31T19:28:02.081899789Z",
    "metadata": {},
    "secret_id_accessor": "cef8f7a1-72d0-9d50-e471-5d157f556da0",
    "secret_id_num_uses": 39,
    "secret_id_ttl": 600
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
Login again:
vault write auth/approle/login role_id=ec7... secret_id=91e...
Validate that the SecretId's number of uses decreased by only one:
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/role/my-role/secret-id/lookup | jq
{
  "request_id": "057c3fe0-fb00-3114-9a75-f93983f288c4",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "cidr_list": [],
    "creation_time": "2018-08-31T19:22:54.933746461Z",
    "expiration_time": "2018-08-31T19:32:54.933746461Z",
    "last_updated_time": "2018-08-31T19:28:02.081899789Z",
    "metadata": {},
    "secret_id_accessor": "cef8f7a1-72d0-9d50-e471-5d157f556da0",
    "secret_id_num_uses": 38,
    "secret_id_ttl": 600
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
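The whole check above, scripted so it can be rerun after a Vault upgrade. This is an added example, not part of the original walkthrough or Vault's own tooling: it assumes VAULT_ADDR and VAULT_TOKEN are set, that the role my-role already exists as created in step 2, and it talks to Vault's HTTP API directly with urllib rather than the CLI.

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumed
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")                     # assumed
ROLE = "my-role"

def vault(method, path, body=None, token=VAULT_TOKEN):
    """Minimal Vault HTTP call; returns the parsed JSON body, or {} on 204."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:  # the login call is unauthenticated and sends no token
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def remaining_uses(lookup_response):
    """Pull secret_id_num_uses out of a secret-id/lookup response."""
    return int(lookup_response["data"]["secret_id_num_uses"])

def lookup(secret_id):
    return vault("POST", f"auth/approle/role/{ROLE}/secret-id/lookup", {"secret_id": secret_id})

def check_decrement(before, after):
    """A login must consume exactly one use; anything else is a finding."""
    if after != before - 1:
        raise ValueError(f"expected {before - 1} uses left, got {after}")
    return after

if __name__ == "__main__":
    role_id = vault("GET", f"auth/approle/role/{ROLE}/role-id")["data"]["role_id"]
    secret_id = vault("POST", f"auth/approle/role/{ROLE}/secret-id", {})["data"]["secret_id"]
    uses = remaining_uses(lookup(secret_id))                        # 40 with the role above
    vault("POST", "auth/approle/login", {"role_id": role_id, "secret_id": secret_id}, token="")
    uses = check_decrement(uses, remaining_uses(lookup(secret_id)))  # 39
    # Lower the role's secret_id_num_uses; the SecretId issued earlier keeps its own counter.
    vault("POST", f"auth/approle/role/{ROLE}", {"secret_id_ttl": "10m", "token_num_uses": 10,
          "token_ttl": "20m", "token_max_ttl": "30m", "secret_id_num_uses": 20})
    if remaining_uses(lookup(secret_id)) != uses:
        raise ValueError("role update changed an existing SecretId's remaining uses")
    vault("POST", "auth/approle/login", {"role_id": role_id, "secret_id": secret_id}, token="")
    check_decrement(uses, remaining_uses(lookup(secret_id)))         # 38
    print("secret_id_num_uses behaves as expected")
```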