I want, for a script that will be accessible to a wide range of people on defined machines, to use an AppRole and provide only the role-id in the script, with use of the role limited to the IPs of these machines.
Based on the documentation, I did:
# bind_secret_id=false: the role does not require a secret_id
# secret_id_bound_cidrs: limit use of the role to known IPs (comma-separated CIDRs)
vault write auth/approle/role/my-script \
    bind_secret_id=false \
    secret_id_bound_cidrs='x.x.x.x/x,x.x.x.x/x'
Now, using HTTP, I log in, but the server requires me to pass a token, which does not make sense to me:
curl http://vault/v1/auth/login -X POST -d '{ "role_id": "xxxx-xxxx-xxxx-xxxx-3a3741a4e4d8"}'
{"errors":["missing client token"]}
I don't see the point of passing a token here, as I actually want to log in in order to get a client token.
Is it possible to log in and access a secret by just providing the AppRole role-id?
vault version: 1.7.1
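An added example, not the original poster's code, showing the flow the post is trying to do: an AppRole login is sent to the auth method's own login path (`/v1/auth/approle/login` with the default mount name), which is unauthenticated and so carries no `X-Vault-Token` header; with `bind_secret_id=false` the request body needs only `role_id`, and only the token Vault returns is used on the subsequent read. Everything specific here is assumed: `VAULT_ADDR` and `ROLE_ID` are placeholders, the KV v2 path `secret/data/my-script` is invented, and the sample replies are constructed so the parsers can be exercised without a Vault server.

```python
"""Added example (not from the original post): AppRole login with role_id only,
then an authenticated secret read with the token the login returns.

Assumptions, none of which come from the post: VAULT_ADDR, ROLE_ID and
SECRET_PATH are placeholders; the AppRole method is mounted at the default
path "approle"; the secret lives in a KV v2 mount.
"""
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://vault"                      # placeholder, as in the post
ROLE_ID = "xxxx-xxxx-xxxx-xxxx-3a3741a4e4d8"     # placeholder role_id
SECRET_PATH = "secret/data/my-script"            # assumed KV v2 path
LOGIN_PATH = "/v1/auth/approle/login"            # the login endpoint (not /v1/auth/login)


def approle_login_request(vault_addr, role_id, secret_id=None):
    """Build the login request. The login path is unauthenticated, so no
    X-Vault-Token header is sent; the role's bindings (bind_secret_id,
    secret_id_bound_cidrs) decide whether role_id alone is accepted."""
    body = {"role_id": role_id}
    if secret_id is not None:                    # only for roles with bind_secret_id=true
        body["secret_id"] = secret_id
    return urllib.request.Request(
        vault_addr + LOGIN_PATH,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def token_from_login_response(raw):
    """Extract the client token, its policies and TTL from a login reply,
    raising on the {"errors": [...]} shape Vault uses for failures."""
    doc = json.loads(raw)
    if doc.get("errors"):
        raise RuntimeError("vault login failed: " + "; ".join(doc["errors"]))
    auth = doc["auth"]
    return auth["client_token"], list(auth.get("token_policies", [])), auth.get("lease_duration")


def read_secret_request(vault_addr, token, secret_path):
    """Authenticated read: the token obtained at login goes in X-Vault-Token."""
    return urllib.request.Request(
        f"{vault_addr}/v1/{secret_path}",
        headers={"X-Vault-Token": token},
        method="GET",
    )


def secret_values(raw, kv_version=2):
    """KV v2 nests the key/value pairs under data.data; KV v1 returns them in data."""
    doc = json.loads(raw)
    if doc.get("errors"):
        raise RuntimeError("vault read failed: " + "; ".join(doc["errors"]))
    return doc["data"]["data"] if kv_version == 2 else doc["data"]


def send(req):
    """Return the response body; Vault puts error details in the body on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


# Constructed sample replies, so the parsers can be exercised without a server.
SAMPLE_LOGIN_OK = json.dumps({
    "auth": {
        "client_token": "s.exampleLoginToken",   # constructed, not a real token
        "token_policies": ["default", "my-script"],
        "lease_duration": 3600,
        "renewable": True,
    }
})
SAMPLE_LOGIN_ERR = json.dumps({"errors": ["missing client token"]})  # the reply quoted in the post
SAMPLE_KV2_READ = json.dumps({"data": {"data": {"api_key": "constructed"},
                                       "metadata": {"version": 1}}})


if __name__ == "__main__":
    token, policies, ttl = token_from_login_response(send(approle_login_request(VAULT_ADDR, ROLE_ID)))
    print("logged in; policies:", policies, "ttl:", ttl)
    print(secret_values(send(read_secret_request(VAULT_ADDR, token, SECRET_PATH))))
```

Run it against a real server by setting `VAULT_ADDR` and `ROLE_ID`; the read will only succeed if the policy attached to the role grants access to the assumed secret path, and the login itself only from a source IP inside `secret_id_bound_cidrs`.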