Was the command vault login -method=approle role_id=$ROLE_ID secret_id=$SECRET_ID ever supported? It yields a misleading error message.
Unknown auth method: approle. Use "vault auth list" to see the complete list
of auth methods. Additionally, some auth methods are only available via the
HTTP API.
I later found that I would have to use this instead:
vault login $(vault write -format=json auth/approle/login \
    role_id="$ROLE_ID" \
    secret_id="$SECRET_ID" \
  | jq -r .auth.client_token
)
Use this:
VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID)
You don’t need to do “vault login”.
Because you are a human, not an application; applications often use the REST API.
I was doing a vault login with different credentials to test out the least-privilege limitations of policies, such as app_admin can write secrets, app_operator can read secrets.
For the vault cli, it seems I need to have an existing account with write priv on auth/approle/login to test the account?
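Added example, not part of the thread: one way to script the least-privilege test described above is to take the token from `vault write -field=token auth/approle/login` and ask Vault which capabilities that token has on a path, without running `vault login` at all. The function names, variable names and the path in the usage comment are hypothetical; the vault CLI and a set VAULT_ADDR are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the vault CLI and VAULT_ADDR.

# approle_token ROLE_ID SECRET_ID
# Prints a client token for the AppRole. The token is only printed, so the
# token stored by an earlier `vault login` (~/.vault-token) is not replaced.
approle_token() {
  vault write -field=token auth/approle/login role_id="$1" secret_id="$2"
}

# has_capability TOKEN PATH CAPABILITY
# Returns 0 if TOKEN's policies grant CAPABILITY on PATH, 1 if not, 2 on error.
# VAULT_TOKEN is set only for this one call, so the CLI asks about TOKEN itself.
has_capability() {
  hc_caps=$(VAULT_TOKEN="$1" vault token capabilities "$2") || return 2
  hc_caps=$(printf '%s' "$hc_caps" | tr -d ' ')   # "read, update" -> "read,update"
  case ",$hc_caps," in
    *",$3,"* | *",root,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_role ROLE_ID SECRET_ID PATH "ALLOWED CAPS" "FORBIDDEN CAPS"
# Logs in as the role and reports any capability that is missing or excessive.
check_role() {
  cr_token=$(approle_token "$1" "$2") || { echo "login failed" >&2; return 2; }
  cr_rc=0
  for cr_cap in $4; do
    if ! has_capability "$cr_token" "$3" "$cr_cap"; then
      echo "MISSING: $cr_cap on $3"; cr_rc=1
    fi
  done
  for cr_cap in $5; do
    if has_capability "$cr_token" "$3" "$cr_cap"; then
      echo "EXCESSIVE: $cr_cap on $3"; cr_rc=1
    fi
  done
  return "$cr_rc"
}

# Usage (hypothetical variable names and path; on a KV v2 mount the policy
# path includes data/):
#   check_role "$OPERATOR_ROLE_ID" "$OPERATOR_SECRET_ID" secret/data/app \
#     "read" "create update delete"
```

The role's token is passed through `VAULT_TOKEN` rather than as an argument, so it does not appear in the process list and the check uses the token's own capabilities-self lookup.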