Vault
HomeDocumentationTutorialsTry Cloud!
  • Vault
  • Documentation
    • What is Vault?
    • Use Cases
    • Setup
      • Install
      • Configuration
    • Get Started
      • Starting the server
      • Your first secret
      • Deploying Vault on VMs with Let's encrypt! TLS certs
    • Concepts
      • Operations
        • Seal/Unseal
        • "Dev" server mode
        • Namespace lock and unlock
        • Lease, renew, and revoke
        • Lease Explosions
        • Mount migration
        • Client count
        • Resource quotas
        • Response wrapping
      • Authentication
        • Identity
        • Tokens
        • OIDC provider
        • Username templating
        • Passwordless
      • Secrets
      • Storage
        • Integrated storage
        • High availability mode (HA)
        • Recovery mode
      • Policies
  • Tutorials
    • CLI
      • Operations
        • Deploy Vault
        • Using the HTTP API
        • Unseal/Seal
      • Authentication
        • Token
        • GitHub authentication
        • Username/Password
        • TLS Client Certificates
        • SSH Keys
        • AWS, Azure, GCP and external auth methods
          • Azure
          • AWS
          • GCP
          • Github
          • Terraform
      • Secrets
        • Secrets engines
        • Built-in help
      • Access Control
        • Policies
    • UI
      • Authentication
        • Username/Password
        • Passwordless
      • Operations
        • Unseal / Seal
        • API Explorer
      • Secrets
        • Secrets engines
      • Access Control
        • Policies
    • Use Cases
      • Namespaces
      • MongoDB admin password
      • VM Disk Encryption Keys
      • VM SSH Keys
      • Kubernetes Configuration
      • GitHub Actions
      • Dynamic credentials for cloud providers
        • AWS
        • Azure
        • GCP
  • CLI
    • agent
    • audit
    • auth
    • debug
    • delete
    • events
    • kv
    • lease
    • license
    • list
    • login
    • monitor
    • namespace
    • operator
    • patch
    • path-help
    • pki
    • plugin
    • policy
    • print
    • proxy
    • read
    • secrets
    • server
    • ssh
    • status
    • token
    • transit
    • unwrap
    • version
    • version-history
    • write
  • API
    • Secrets engines
      • AliCloud secrets engine (API)
      • AWS secrets engine (API)
      • Azure secrets engine (API)
      • Cubbyhole secrets engine (API)
      • Database
        • Cassandra database plugin HTTP API
        • Elasticsearch database plugin HTTP API
        • Influxdb database plugin HTTP API
        • MongoDB database plugin HTTP API
        • MSSQL database plugin HTTP API
        • MySQL/MariaDB database plugin HTTP API
        • Oracle database plugin HTTP API
        • PostgreSQL database plugin HTTP API
        • Redis database plugin HTTP API
        • Redis ElastiCache database plugin HTTP API
        • Redshift database plugin HTTP API
        • Snowflake database plugin HTTP API
      • Google Cloud secrets engine (API)
      • Google Cloud KMS secrets engine (API)
      • Identity
        • entity
        • entity-alias
        • group
        • group-alias
        • tokens
        • lookup
        • oidc-provider
        • MFA
          • duo
          • okta
          • pingid
          • totp
          • login-enforcement
      • KV secrets engine (API)
      • Buckypaper secrets engine
      • Kubernetes secrets engine (API)
      • Nomad secrets engine (API)
      • LDAP secrets engine (API)
      • PKI secrets engine (API)
      • RabbitMQ secrets engine (API)
      • SSH secrets engine (API)
      • TOTP secrets engine (API)
      • Transit secrets engine (API)
    • Auth engines
      • AliCloud auth method (API)
      • AppRole auth method (API)
      • AWS auth method (API)
      • Azure auth method (API)
      • Pivotal Cloud Foundry (CF) auth method (API)
      • GitHub auth method (API)
      • Google Cloud auth method (API)
      • JWT/OIDC auth method (API)
      • Kerberos auth method (API)
      • Kubernetes auth method (API)
      • LDAP auth method (API)
      • OCI auth method (API)
      • Okta auth method (API)
      • Passwordless auth method (API)
      • RADIUS auth method (API)
      • TLS certificate auth method (API)
      • Token auth method (API)
      • Userpass auth method (HTTP API)
    • Service engines
      • Licence Manager
    • System backend
      • /sys/audit
      • /sys/audit-hash
      • /sys/auth
      • /sys/capabilities
      • /sys/capabilities-accessor
      • /sys/capabilities-self
      • /sys/config/auditing/request-headers
      • /sys/config/control-group
      • /sys/config/cors
      • /sys/config/reload
      • /sys/config/state
      • /sys/config/ui
      • /sys/decode-token
      • /sys/experiments
      • /sys/generate-recovery-token
      • /sys/generate-root
      • /sys/health
      • /sys/host-info
      • /sys/in-flight-req
      • /sys/init
      • /sys/internal/counters
      • /sys/internal/inspect
        • /sys/internal/inspect/router
      • /sys/internal/specs/openapi
      • /sys/internal/ui/feature-flags
      • /sys/internal/ui/mounts
      • /sys/internal/ui/namespaces
      • /sys/internal/ui/resultant-acl
      • /sys/key-status
      • /sys/ha-status
      • /sys/leader
      • /sys/leases
      • /sys/license/status
      • /sys/locked-users
      • /sys/loggers
      • /sys/metrics
      • /sys/monitor
      • /sys/mounts
      • /sys/namespaces
      • /sys/plugins/reload/backend
      • /sys/plugins/catalog
      • /sys/plugins/runtimes/catalog
      • /sys/policy
      • /sys/policies/
      • /sys/policies/password/
      • /sys/pprof
      • /sys/quotas/config
      • /sys/quotas/rate-limit
      • /sys/quotas/lease-count
      • /sys/raw
      • /sys/rekey
      • /sys/rekey-recovery-key
      • /sys/remount
      • /sys/rotate
      • /sys/rotate/config
      • /sys/seal
      • /sys/seal-status
      • /sys/seal-backend-status
      • /sys/step-down
      • /sys/storage
        • /sys/storage/raft
        • /sys/storage/raft/autopilot
      • /sys/tools
      • /sys/unseal
      • /sys/version-history
      • /sys/wrapping/lookup
      • /sys/wrapping/rewrap
      • /sys/wrapping/unwrap
      • /sys/wrapping/wrap
  • Resources
    • Blog
    • GitHub
    • Youtube
    • CCx101
Powered by GitBook
On this page

Last updated 9 months ago

This tutorial describes the set up of the custom auth plugin and is subject to change after the custom UI branch is merged into the main branch.

The Dockerfile placed in the repository can be used to create an image with a ready to use Vault system, including the passkey plugin. If desired, the Dockerfile can be changed to run Vault in development mode, using the comments.

To build the image, a GitHub token with access to enclaive's repositories has to be provided:

After successfull build the container can be started and Vault will start in production mode. The config.hcl, full-chain.pem and private-key.pem of this repository will be placed at /cfg in the image. The certificates are self signed for localhost. The following command will bind a customized config and certificates.

After creation we can access the defined URL and unseal Vault. Remember to store the root token and unseal key/s.

After unsealing Vault, we will connect with another terminal into the container and register the plugin. We need to set the environment variables and generate the hash.

Inside the container: (-tls-skip-verify is used to ignore TLS verification)

Now the UI can be used to mount the plugin. After mounting the accessor ID needs to be retrieved to create a policy.

Now a user can be created and the invite link can be used to register.

Example Policy:

The example policy in this repository needs to be adjusted with the correct accessor ID and mount path. After creating the policy, the relying party has to be set up to the correct values (RP ID: domain without scheme, Origin: FQDN with scheme) For example RPID: localhost, origin:

        #allow passkey users to read their own account
        path "auth/<MOUNTPATH>/users/{{identity.entity.aliases.<ACCESSOR_ID>.name}}" {
          capabilities = [ "read" ]
        }
        
        #allow passkey users to rename and delete their credentials
        path "auth/<MOUNTPATH>/users/ {{identity.entity.aliases.<ACCESSOR_ID>.name}}/credentials" {
          capabilities = [ "update" ]
        }
        
        #allow passkey users to rename and delete their credentials
        path "auth/<MOUNTPATH>/users/ {{identity.entity.aliases.<ACCESSOR_ID>.name}}/credentials/*" {
          capabilities = [ "update", "delete" ]
        }
        
        #allow the creation of a new passkey account at mount starting with passkey - important for users coming from a different auth method
        path "auth/<MOUNTPATH>/create" {
          capabilities = [ "update" ]
        }
  1. Tutorials
  2. UI
  3. Authentication

Passwordless

PreviousUsername/PasswordNextOperations
https://localhost:8200
docker build -t example/vault --build-arg git_personal_token=<token> .
docker run --rm -it -v /home/ubuntu/vconfig/:/cfg -p 8200:8200 example/vault
docker exec -it <containername> bash
root@cb1547cd5f46:/# export VAULT_ADDR='https://vault-passkeys.com:8200'
root@cb1547cd5f46:/# export VAULT_TOKEN=hvs.vcNVy3sKtvny0hlsvm73Coy6
root@cb1547cd5f46:/# SHA256=$(sha256sum /plugins/passkey | cut -d ' ' -f1)
root@cb1547cd5f46:/# vault/vault plugin register -tls-skip-verify -sha256=$SHA256 auth passkey
Success! Registered plugin: passkey
vault_plugin_auth_passkeys