Access secrets only by providing role-id in an approle setup?

I want, for a script that will be accessible to a wide range of people on defined machines, to use an AppRole and provide only the role-id in the script, with the role limited to the IPs of these machines.

Based on the documentation, I did:

# bind_secret_id=false: do not require a secret_id
# secret_id_bound_cidrs: limit the role's use to known IPs (comma-separated list)
vault write auth/approle/role/my-script \
    bind_secret_id=false \
    secret_id_bound_cidrs='x.x.x.x/x,x.x.x.x/x'

Now, logging in over HTTP, the server requires me to pass a token, which does not make sense to me:

curl http://vault/v1/auth/login -X POST -d '{ "role_id": "xxxx-xxxx-xxxx-xxxx-3a3741a4e4d8"}'
{"errors":["missing client token"]}

I don't see the point of passing a token here, as I want to log in precisely to get a client token.

Is it possible to log in and access a secret by just providing the AppRole role-id?

vault version: 1.7.1


OK, so the problem was between keyboard and chair: the login URL was not correct.

curl http://vault/v1/auth/login

should have been

curl http://vault/v1/auth/approle/login
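The corrected flow end to end, as an added example rather than code from the original post: log in against the AppRole mount's own login endpoint with only the role_id (the role having been created with bind_secret_id=false and secret_id_bound_cidrs, as above), take the client_token from the response, and use it to read a secret. It assumes VAULT_ADDR and ROLE_ID are set in the environment; the secret path secret/my-script is a constructed placeholder (KV v1 style), and the injectable `send` parameter exists only so the flow can be exercised without a live Vault server.

```python
"""AppRole login with role_id only, followed by a secret read.

Added example, not code from the original post. Assumes VAULT_ADDR and ROLE_ID
are set in the environment and that the role was created with
bind_secret_id=false and secret_id_bound_cidrs. The path secret/my-script is an
illustrative placeholder for a KV v1 secret.
"""
import json
import os
import urllib.error
import urllib.request


def approle_login_request(vault_addr: str, role_id: str) -> urllib.request.Request:
    """Build the POST to the AppRole auth method's login endpoint.

    The endpoint lives under the auth mount: /v1/auth/approle/login.
    /v1/auth/login is not a login endpoint at all, so Vault treats that call as
    an ordinary authenticated request and answers "missing client token".
    """
    url = f"{vault_addr.rstrip('/')}/v1/auth/approle/login"
    # With bind_secret_id=false the payload carries only the role_id.
    body = json.dumps({"role_id": role_id}).encode()
    return urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/json"}
    )


def secret_read_request(vault_addr: str, token: str, secret_path: str) -> urllib.request.Request:
    """Build the GET for a secret, authenticated with the token from the login."""
    url = f"{vault_addr.rstrip('/')}/v1/{secret_path.lstrip('/')}"
    return urllib.request.Request(url, headers={"X-Vault-Token": token})


def parse_login_response(raw: bytes) -> str:
    """Extract the client token, or raise carrying Vault's own error list."""
    data = json.loads(raw)
    if data.get("errors"):
        raise RuntimeError("Vault login failed: " + "; ".join(data["errors"]))
    return data["auth"]["client_token"]


def _send(send, req: urllib.request.Request) -> bytes:
    """Perform the request. Vault returns a JSON error body on 4xx responses,
    which urllib raises as HTTPError; read that body instead of dropping it."""
    try:
        with send(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def fetch_secret(vault_addr: str, role_id: str, secret_path: str,
                 send=urllib.request.urlopen) -> dict:
    """Log in with the role_id alone, then read secret_path with the issued token.

    `send` is injectable (constructed for this example) so the flow can be
    exercised offline with a fake transport.
    """
    token = parse_login_response(_send(send, approle_login_request(vault_addr, role_id)))
    data = json.loads(_send(send, secret_read_request(vault_addr, token, secret_path)))
    if data.get("errors"):
        raise RuntimeError("Vault read failed: " + "; ".join(data["errors"]))
    return data["data"]


if __name__ == "__main__":
    secret = fetch_secret(os.environ["VAULT_ADDR"], os.environ["ROLE_ID"], "secret/my-script")
    # Print only the key names so secret values never land in a terminal log.
    print("secret keys:", sorted(secret))
```

Because bind_secret_id=false leaves the CIDR binding as the only gate on the login, anyone who can run the script from those machines obtains a token; keep the role's token_policies scoped to the one path the script needs and its token_ttl short so the token is worth little if it leaks.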