AppRole Tutorial Step 5 - stuck, not successful

New user, first time using Vault. I have been trying to go through tutorial on AppRole (Step 5), but I have not been successful.

I was wondering, don’t we need to enable kv first? And when we write the key, does it have to be admin, or can it be the same user? I am substituting dgraph for jenkins in the tutorial.

Q1: Thus wouldn’t we have to do something like this below?

vault secrets enable -version=2 -path=secret kv
vault kv put secret/data/dgraph enc_key=123456789012345

Q2: How could I do the above with curl, especially the second line?

Q3: How could I get that key, what would the path be? /v1/secret/data/dgraph/enc_key?

It looks like you can’t activate a secret engine via API.

To write secrets via curl, see Create/Update Secret.

To read the secret in your example:

 curl \
  --header "X-Vault-Token: …" \

/v1/secret/data/ is the base path to access KV version 2 secrets; data/dgraph is the path of your secret (see Read Secret Version).

You can use the API to enable a secret mount - see /sys/mounts - HTTP API (Vault, HashiCorp Developer).


@mikegreen Thanks! :tada:

I figured out the solution(s).

These are the steps I did to be aligned with best practices.

  1. Launch unsealed Vault server
  2. Enable AppRole Auth and KV Secrets (root token)
  3. Create the admin role with an attached policy (root token)
  4. Retrieve the admin token (admin role-id + secret-id)
  5. Create the app role with an attached policy (admin token)
  6. Save secrets (admin token)
  7. Retrieve the app token (app role id + secret-id)
  8. Verify access for app secrets (app token)
  9. Launch app with config for role-id + secret-id

What’s missing from the steps in the docs that made things unclear:

  • need to create kv secrets
  • cannot create secrets using app credentials, as the tutorial has read/update privileges; this has to be done with admin credentials
  • payload of secret for kv v1 vs kv v2

I documented the steps here:
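The numbered steps above (2 and 5 to 8, using one admin token instead of the separate admin AppRole of steps 3 and 4), the curl write asked about in Q2, and the KV v1 vs v2 payload difference, as an added example that is not code from this thread or the Vault tutorial. It assumes VAULT_ADDR and VAULT_TOKEN point at an unsealed server with a root or admin token, that jq is installed, and that the role name dgraph and policy name dgraph-read are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the Vault tutorial: steps 2, 5-8 of the
# flow above driven with curl against the HTTP API. Assumes VAULT_ADDR and VAULT_TOKEN
# (a root or admin token) are set and jq is installed; "dgraph" and "dgraph-read" are
# hypothetical role/policy names.
set -eu

# API path of a KV secret: v2 inserts "data/" between mount and secret path, v1 does not.
kv_api_path() {  # mount version secret
  if [ "$2" = 2 ]; then echo "/v1/$1/data/$3"; else echo "/v1/$1/$3"; fi
}

# Request body: KV v2 wraps the key/value map in a top-level "data" object, v1 sends it flat.
kv_payload() {  # version json_map
  if [ "$1" = 2 ]; then echo "{\"data\":$2}"; else echo "$2"; fi
}

vault_api() {  # token method path [json_body]
  if [ $# -ge 4 ]; then
    curl -sS --fail --header "X-Vault-Token: $1" --request "$2" --data "$4" "$VAULT_ADDR$3"
  else
    curl -sS --fail --header "X-Vault-Token: $1" --request "$2" "$VAULT_ADDR$3"
  fi
}

# The live steps run only when asked for, so the helpers can be sourced and tested offline.
if [ "${RUN_VAULT_STEPS:-0}" = 1 ]; then
  # Step 2: enable AppRole auth and a KV v2 mount at "secret" (sys/mounts, via the API).
  vault_api "$VAULT_TOKEN" POST /v1/sys/auth/approle '{"type":"approle"}'
  vault_api "$VAULT_TOKEN" POST /v1/sys/mounts/secret '{"type":"kv","options":{"version":"2"}}'
  # Step 5: read-only policy on the secret plus an AppRole that carries it.
  vault_api "$VAULT_TOKEN" PUT /v1/sys/policies/acl/dgraph-read \
    '{"policy":"path \"secret/data/dgraph\" { capabilities = [\"read\"] }"}'
  vault_api "$VAULT_TOKEN" POST /v1/auth/approle/role/dgraph '{"token_policies":["dgraph-read"]}'
  # Step 6: write the secret with the admin token; the app policy above cannot create it.
  vault_api "$VAULT_TOKEN" POST "$(kv_api_path secret 2 dgraph)" \
    "$(kv_payload 2 '{"enc_key":"123456789012345"}')"
  # Step 7: fetch role-id and secret-id, then log in as the app.
  role_id=$(vault_api "$VAULT_TOKEN" GET /v1/auth/approle/role/dgraph/role-id | jq -r .data.role_id)
  secret_id=$(vault_api "$VAULT_TOKEN" POST /v1/auth/approle/role/dgraph/secret-id | jq -r .data.secret_id)
  app_token=$(curl -sS --fail --request POST "$VAULT_ADDR/v1/auth/approle/login" \
    --data "{\"role_id\":\"$role_id\",\"secret_id\":\"$secret_id\"}" | jq -r .auth.client_token)
  # Step 8: the app token can read the key; in KV v2 the values sit under .data.data.
  vault_api "$app_token" GET "$(kv_api_path secret 2 dgraph)" | jq -r .data.data.enc_key
fi
```

Run the live steps with RUN_VAULT_STEPS=1; on a dev server (vault server -dev) the secret/ KV v2 mount already exists, so drop the sys/mounts line there.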