Approle and x-vault-token

Using the UI and the CLI tool, I am able to get the role_id. Now I want to use the role_id in a REST/curl call to get the secret_id. It is asking for X-Vault-Token. How do I get this X-Vault-Token?

You’d need to authenticate to Vault using an existing token/auth method to generate the secret_id. Until you have the combination of a role_id and a secret_id, you don’t have a way to authenticate using AppRole.

Once you successfully authenticate using AppRole, Vault will return a token. You’ll need to grab the token from the Vault response in order to use it for subsequent requests.

Thanks for your response. I am able to log in using LDAP authentication and run the following using the CLI.

// Get role id
vault read auth/approle/role/irma-role/role-id
    Key     Value
    role_id b1e32157-8309-d5a2-02c9-657fc05977dc

// Get secret id
vault write -force auth/approle/role/irma-role/secret-id
    Key                Value                               
    secret_id          3cac8255-6f2d-e62f-fd0e-20bfe69a2dfe
    secret_id_accessor 8f811a56-d2c4-460c-8955-f2a18d8a2fdd

// Login using role id and secret id
vault write auth/approle/login role_id="b1e32157-8309-d5a2-02c9-657fc05977dc" secret_id="ea34790f-f8c4-5527-3951-4e51b8b6e620"

The above works great. But I need help figuring out how to do this using the API. For example, how do I get the X-Vault-Token that the API is looking for while retrieving the secret id?

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id

Do I have to create a token from CLI tool as an admin, and use it in X-Vault-Token? The API will be used by nightly batch jobs.

Yes, you need to obtain a token somehow, whether that’s creating a token by using vault token create or whether that’s authenticating with LDAP and grabbing the token that has been issued to you. This, of course, assumes that the resulting token has sufficient privileges to create the secret_id.

After authenticating in the CLI, you should see the token. If not, do a vault token lookup and you’ll see it. In the UI, it’s a bit different. You can click the picture icon in the top right and select Copy Token.

The Copy Token in the UI has a short TTL. Hence, unattended applications are going to have issues. I ended up creating a token using ‘token create’ for a special policy that I created. This policy gives the rights to create a secret-id (path “auth/approle/role/irma-role/secret-id” and capabilities = create, update).

The above worked, but I am still facing a short TTL with the client token. I need to adjust the TTL to get it to work. The token (the client token, not the Vault token) that I use in X-Vault-Token needs to persist so that I can get my secret-id. With the role-id and secret-id, I can get the Vault token, and eventually the secrets.

Thanks for your response.
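The whole exchange discussed in this thread, driven over Vault's HTTP API instead of the CLI, as an added example that is not part of the original posts and not HashiCorp's code. It uses only the Python standard library. Assumptions: the Vault address comes from VAULT_ADDR (defaulting to the dev address used in the thread), the role is the thread's irma-role, the policy name irma-bootstrap is hypothetical, and the sample JSON responses at the bottom are constructed (the token value hvs.example is a placeholder) so that the parsing path runs offline; against a real server, set VAULT_TOKEN to the bootstrap token and the script performs the live calls. Note which response field each step reads: role-id and secret-id come back under "data", while any login (LDAP or AppRole) returns the new token under "auth.client_token", and that value is what goes into X-Vault-Token for every later request.

```python
import json
import os
import urllib.request

# Assumption: Vault address from the environment; default is the thread's dev address.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200").rstrip("/")
ROLE = "irma-role"  # role name from the thread

# Policy (HCL) for the bootstrap token, matching what the thread describes: it may
# only mint secret-ids for this one role and read its role-id. Hypothetical policy
# name "irma-bootstrap"; load it with: vault policy write irma-bootstrap policy.hcl
BOOTSTRAP_POLICY_HCL = f"""
path "auth/approle/role/{ROLE}/secret-id" {{
  capabilities = ["create", "update"]
}}
path "auth/approle/role/{ROLE}/role-id" {{
  capabilities = ["read"]
}}
"""


def build_request(method, path, token=None, body=None):
    """Assemble a Vault API call without sending it; returns (method, url, headers, payload).

    X-Vault-Token carries whatever token authorises the call: an LDAP login token,
    a token from `vault token create`, or the client_token returned by AppRole login.
    The AppRole login call itself is the one request that needs no token.
    """
    headers = {}
    if token is not None:
        headers["X-Vault-Token"] = token
    payload = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        payload = json.dumps(body).encode("utf-8")
    return method, f"{VAULT_ADDR}/v1/{path.lstrip('/')}", headers, payload


def send(method, path, token=None, body=None):
    """Send the call and decode the JSON body (empty 204 bodies come back as {})."""
    method, url, headers, payload = build_request(method, path, token, body)
    req = urllib.request.Request(url, data=payload, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


# The three response shapes the bootstrap touches.
def role_id_from(resp):
    return resp["data"]["role_id"]


def secret_id_from(resp):
    return resp["data"]["secret_id"]


def client_token_from(resp):
    return resp["auth"]["client_token"]


def ldap_login(username, password):
    """Interactive variant of step 0: trade LDAP credentials for a token."""
    resp = send("POST", f"auth/ldap/login/{username}", body={"password": password})
    return client_token_from(resp)


def approle_bootstrap(bootstrap_token):
    """The thread's three CLI steps over the HTTP API; returns the AppRole client_token."""
    role_id = role_id_from(send("GET", f"auth/approle/role/{ROLE}/role-id", token=bootstrap_token))
    secret_id = secret_id_from(send("POST", f"auth/approle/role/{ROLE}/secret-id", token=bootstrap_token))
    login = send("POST", "auth/approle/login", body={"role_id": role_id, "secret_id": secret_id})
    return client_token_from(login)


def renew_self(token, increment="24h"):
    """Extend the TTL of the calling token (only works if the token is renewable)."""
    return send("POST", "auth/token/renew-self", token=token, body={"increment": increment})


# Constructed sample responses (not captured from a real server) so the parsing can be
# exercised offline; the field layout follows Vault's documented JSON. IDs are the
# thread's own; the token value is a placeholder.
SAMPLE_ROLE_ID_RESPONSE = {"data": {"role_id": "b1e32157-8309-d5a2-02c9-657fc05977dc"}}
SAMPLE_SECRET_ID_RESPONSE = {"data": {"secret_id": "3cac8255-6f2d-e62f-fd0e-20bfe69a2dfe",
                                      "secret_id_accessor": "8f811a56-d2c4-460c-8955-f2a18d8a2fdd"}}
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "hvs.example", "renewable": True,
                                  "lease_duration": 3600, "policies": ["default"]}}


def offline_demo():
    """Walk the same path on the constructed responses; returns the pieces a batch job would hold."""
    role_id = role_id_from(SAMPLE_ROLE_ID_RESPONSE)
    secret_id = secret_id_from(SAMPLE_SECRET_ID_RESPONSE)
    _, url, headers, _ = build_request("POST", "auth/approle/login",
                                       body={"role_id": role_id, "secret_id": secret_id})
    return {"login_url": url, "login_needs_token": "X-Vault-Token" in headers,
            "client_token": client_token_from(SAMPLE_LOGIN_RESPONSE)}


if __name__ == "__main__":
    bootstrap_token = os.environ.get("VAULT_TOKEN")
    print(approle_bootstrap(bootstrap_token) if bootstrap_token else offline_demo())
```

On the TTL problem from the last post: the token placed in X-Vault-Token for the nightly job can be created with an explicit lifetime, for example `vault token create -policy=irma-bootstrap -period=24h`, which yields a periodic token that never expires as long as it is renewed within each period (the renew_self function above does that over the API). The secret-id it mints has its own lifetime, governed by the role's secret_id_ttl setting, so both need to cover the gap between batch runs. Keep in mind that a long-lived token able to mint secret-ids is itself a sensitive credential and should be scoped, as the policy above is, to exactly one role's secret-id path.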