Using the HTTP API
All of Vault's capabilities are accessible via the HTTP API in addition to the CLI. In fact, most calls from the CLI actually invoke the HTTP API. In some cases, Vault features are not available via the CLI and can only be accessed via the HTTP API.
Accessing Secrets via the REST APIs
Machines that need access to information stored in Vault will most likely access Vault via its REST API. For example, if a machine were using AppRole for authentication, the application would first authenticate to Vault which would return a Vault API token. The application would use that token for future communication with Vault.
Warning
Press Ctrl+C to terminate the dev server that is running at http://127.0.0.1:8200
before proceeding.
For the purpose of this tutorial, you will use the following configuration which disables TLS and uses a file-based backend. TLS is disabled here only for example purposes; it should never be disabled in production.
Create a server configuration file, config.hcl
.
Start a new Vault instance using the newly created configuration.
At this point, you can use Vault's HTTP API for all your interactions.
Launch a new terminal session, and use curl
to initialize Vault with the API.
Note
This example uses jq to process the JSON output for readability.
The response should be JSON and looks something like this:
This response contains your initial root token. It also includes the unseal key. You can use the unseal key to unseal the Vault and use the root token perform other requests in Vault that require authentication.
To make this tutorial easy to copy-and-paste, you will be using the environment variable $VAULT_TOKEN
to store the root token.
Example:
Using the unseal key (not the root token) from above, you can unseal the Vault via the HTTP API.
Example:
Note that you should replace /ye2PeRrd/qru...
with the generated key from your output. This will return a JSON response:
You can invoke the Vault API to validate the initialization status.
This returns a JSON response.
Now any of the available auth methods can be enabled and configured. For the purposes of this tutorial lets enable AppRole authentication.
The Authentication tutorial showed how to enable the GitHub auth method using Vault CLI.
To see the cURL equivalent of the CLI command to enable AppRole auth method, use the -output-curl-string
flag.
Enable the AppRole auth method by invoking the Vault API.
Notice that the request to enable the AppRole endpoint needed an authentication token. In this case you are passing the root token generated when you started the Vault server. You could also generate tokens using any other authentication mechanisms, but you will use the root token for simplicity.
Now create an AppRole with desired set of ACL policies.
The Policies tutorial used CLI to create my-policy
. In this tutorial, use the /sys/policies/acl
endpoint to create the same policy via Vault API.
Since my-policy
expects secret/data
path to exist, enable KV v2 secrets engine at secret/
using API.
The following command specifies that the tokens issued under the AppRole my-role
should be associated with my-policy
.
The AppRole auth method expects a RoleID and a SecretID as its input. The RoleID is similar to a username and the SecretID can be thought as the RoleID's password.
The following command fetches the RoleID of the role named my-role
.
The response will include the role_id
:
This command creates a new SecretID under the my-role
.
The response will include the secret_id
:
These two credentials can be supplied to the login endpoint to fetch a new Vault token.
The response will be JSON, under the key auth
:
The returned client token (s.p5NB4dTlsPiUU94RA5IfbzXv
) can be used to authenticate with Vault. This token will be authorized with specific capabilities on all the resources encompassed by the default
and my-policy
policies. (As it was mentioned in the Policies tutorial, the default
policy is attached to all tokens by default. )
The newly acquired token can be exported as the VAULT_TOKEN
environment variable value and used to authenticate subsequent Vault requests.
Create a version 1 of secret named creds
with a key password
and its value set to my-long-password
.
Example output:
Clean up
You can stop the server and unset the VAULT_TOKEN
environment variable.
Avoid reusing settings from this lab and delete the vault-data
folder.
Help and reference
You can see the documentation on the HTTP APIs for more details on other available endpoints.
Congratulations! You now know all the basics needed to get started with Vault.
Last updated