AppRole auth method (API)
This is the API documentation for the Vault AppRole auth method. For general information about the usage and operation of the AppRole method, please see the Vault AppRole method documentation.
This documentation assumes the AppRole method is mounted at the /auth/approle
path in Vault. Since it is possible to enable auth methods at any location, please update your API calls accordingly.
List roles
This endpoint returns a list the existing AppRoles in the method.
LIST
/auth/approle/role
Sample request
Sample response
Create/Update AppRole
Creates a new AppRole or updates an existing AppRole. This endpoint supports both create
and update
capabilities. There can be one or more constraints enabled on the role. It is required to have at least one of them enabled while creating or updating a role.
POST
/auth/approle/role/:role_name
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes, accepted characters include a-Z, 0-9, space, hyphen, underscore and periods.bind_secret_id
(bool: true)
- Requiresecret_id
to be presented when logging in using this AppRole.secret_id_bound_cidrs
(array: [])
- Comma-separated string or list of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation.secret_id_num_uses
(integer: 0)
- Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID by default will expire. A value of zero will allow unlimited uses. However, this option may be overridden by the request's 'num_uses' field when generating a SecretID.secret_id_ttl
(string: "")
- Duration in either an integer number of seconds (3600
) or an integer time unit (60m
) after which by default any SecretID expires. A value of zero will allow the SecretID to not expire. However, this option may be overridden by the request's 'ttl' field when generating a SecretID.local_secret_ids
(bool: false)
- If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later.
@include 'tokenfields.mdx'
Sample payload
Sample request
Read AppRole
Reads the properties of an existing AppRole.
GET
/auth/approle/role/:role_name
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.
Sample request
Sample response
Delete AppRole
Deletes an existing AppRole from the method.
DELETE
/auth/approle/role/:role_name
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.
Sample request
Read AppRole role ID
Reads the RoleID of an existing AppRole.
GET
/auth/approle/role/:role_name/role-id
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.
Sample request
Sample response
Update AppRole role ID
Updates the RoleID of an existing AppRole to a custom value.
POST
/auth/approle/role/:role_name/role-id
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.role_id
(string: <required>)
- Value to be set as RoleID.
Sample payload
Sample request
Sample response
Generate new secret ID
Generates and issues a new SecretID on an existing AppRole. Similar to tokens, the response will also contain a secret_id_accessor
value which can be used to read the properties of the SecretID without divulging the SecretID itself, and also to delete the SecretID from the AppRole.
POST
/auth/approle/role/:role_name/secret-id
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.metadata
(string: "")
- Metadata to be tied to the SecretID. This should be a JSON-formatted string containing the metadata in key-value pairs. This metadata will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.cidr_list
(array: [])
- Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. Ifsecret_id_bound_cidrs
is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.token_bound_cidrs
(array: [])
- Comma-separated string or list of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this SecretID. Overrides any role-set value but must be a subset.num_uses
(integer: 0)
- Number of times this SecretID can be used, after which the SecretID expires. A value of zero will allow unlimited uses. Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses.ttl
(string: "")
- Duration in seconds (3600
) or an integer time unit (60m
) after which this SecretID expires. A value of zero will allow the SecretID to not expire. Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.
Sample payload
Sample request
Sample response
List secret ID accessors
Lists the accessors of all the SecretIDs issued against the AppRole. This includes the accessors for "custom" SecretIDs as well.
LIST
/auth/approle/role/:role_name/secret-id
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.
Sample request
Sample response
Read AppRole secret ID
Reads out the properties of a SecretID.
POST
/auth/approle/role/:role_name/secret-id/lookup
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.secret_id
(string: <required>)
- Secret ID attached to the role.
Sample payload
Sample request
Sample Response
Destroy AppRole Secret ID
Destroy an AppRole secret ID.
POST
/auth/approle/role/:role_name/secret-id/destroy
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.secret_id
(string: <required>)
- Secret ID attached to the role.
Sample payload
Sample request
Read AppRole secret ID accessor
Reads out the properties of a SecretID.
POST
/auth/approle/role/:role_name/secret-id-accessor/lookup
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.secret_id_accessor
(string: <required>)
- Secret ID accessor attached to the role.
Sample payload
Sample request
Sample Response
Destroy AppRole Secret ID Accessor
Destroy an AppRole secret ID by its accessor.
POST
/auth/approle/role/:role_name/secret-id-accessor/destroy
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.secret_id_accessor
(string: <required>)
- Secret ID accessor attached to the role.
Sample payload
Sample request
Create custom AppRole secret ID
Assigns a "custom" SecretID against an existing AppRole. This is used in the "Push" model of operation.
POST
/auth/approle/role/:role_name/custom-secret-id
Parameters
role_name
(string: <required>)
- Name of the AppRole. Must be less than 4096 bytes.secret_id
(string: <required>)
- SecretID to be attached to the Role.metadata
(string: "")
- Metadata to be tied to the SecretID. This should be a JSON-formatted string containing the metadata in key-value pairs. This metadata will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.cidr_list
(array: [])
- Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. Ifsecret_id_bound_cidrs
is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.token_bound_cidrs
(array: [])
- Comma-separated string or list of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this SecretID. Overrides any role-set value but must be a subset.num_uses
(integer: 0)
- Number of times this SecretID can be used, after which the SecretID expires. A value of zero will allow unlimited uses. Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses.ttl
(string: "")
- Duration in seconds (3600
) or an integer time unit (60m
) after which this SecretID expires. A value of zero will allow the SecretID to not expire. Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.
Sample payload
Sample request
Sample response
Login with AppRole
Issues a Vault token based on the presented credentials. role_id
is always required; if bind_secret_id
is enabled (the default) on the AppRole, secret_id
is required too. Any other bound authentication values on the AppRole (such as client IP CIDR) are also evaluated.
POST
/auth/approle/login
Parameters
role_id
(string: <required>)
- RoleID of the AppRole.secret_id
(string: <required>)
- SecretID belonging to AppRole.
Sample payload
Sample request
Sample response
Read, update, or delete AppRole properties
Updates the respective property in the existing AppRole. All of these parameters of the AppRole can be updated using the /auth/approle/role/:role_name
endpoint directly. The endpoints for each field is provided separately to be able to delegate specific endpoints using Vault's ACL system.
GET/POST/DELETE
/auth/approle/role/:role_name/policies
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/secret-id-num-uses
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/secret-id-ttl
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/token-ttl
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/token-max-ttl
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/bind-secret-id
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/secret-id-bound-cidrs
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/token-bound-cidrs
200/204
GET/POST/DELETE
/auth/approle/role/:role_name/period
200/204
Refer to /auth/approle/role/:role_name
endpoint.
Tidy tokens
Performs some maintenance tasks to clean up invalid entries that may remain in the token store. Generally, running this is not needed unless upgrade notes or support personnel suggest it. This may perform a lot of I/O to the storage method so should be used sparingly.
POST
/auth/approle/tidy/secret-id
Sample request
Sample response
Last updated