export VAULT_ADDR='http://127.0.0.1:8200'
Enable the approle auth method:
vault auth enable approle
Create the db-pol policy via the UI (http://localhost:8200/ui/vault/policies/acl):
path "kv/db" {
capabilities = ["read"]
}
Create a role, depending on your requirements.
Create the alex-app role with a secret_id required and the default policy attached:
vault write auth/approle/role/alex-app \
secret_id_ttl=10m \
token_num_uses=10 \
token_ttl=20m \
token_max_ttl=30m \
secret_id_num_uses=40
Or create a role named alex-app with only the db-pol policy attached and WITHOUT REQUIRING a secret_id:
vault write auth/approle/role/alex-app \
token_policies="db-pol" \
token_ttl=20m \
token_max_ttl=30m \
bind_secret_id=false \
secret_id_bound_cidrs=127.0.0.1/24
Read the alex-app role id:
vault read auth/approle/role/alex-app/role-id
Read (generate) an alex-app secret id:
vault write -f auth/approle/role/alex-app/secret-id
Login: use the auth/approle/login endpoint by passing the role ID only (this works for the role created with bind_secret_id=false):
vault write auth/approle/login role_id="038d7423-dd97-3216-8123-7d976bb227bb"
Login: use the auth/approle/login endpoint by passing the role ID and secret ID:
vault write auth/approle/login role_id="038d7423-dd97-3216-8123-7d976bb227bb" \
secret_id="81eafedf-4005-991e-3e78-4df3aa8e0824"
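The same login done from application code against Vault's HTTP API, as an added example that is not part of the original notes. It builds the POST to auth/approle/login (with or without a secret_id, matching the two role variants above), parses the token out of the response, and refuses a token that does not carry the expected policy. The VAULT_ADDR value is the one from the page; the role/secret IDs and the sample response are constructed placeholders.

```python
import json
import urllib.request

# Added example (not from the page): AppRole login over Vault's HTTP API.
# Assumes the VAULT_ADDR from the page and a role configured as described above.
VAULT_ADDR = "http://127.0.0.1:8200"


def login_request(vault_addr, role_id, secret_id=None):
    """Build the POST to auth/approle/login. secret_id is omitted for a role
    created with bind_secret_id=false (the second role form above)."""
    payload = {"role_id": role_id}
    if secret_id is not None:
        payload["secret_id"] = secret_id
    return urllib.request.Request(
        f"{vault_addr}/v1/auth/approle/login",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def parse_login_response(body, required_policy=None):
    """Extract the client token and its limits from the JSON Vault returns.
    Raises if the token lacks the policy the app expects, so a misconfigured
    role is caught before the token is ever used against kv/db."""
    auth = json.loads(body)["auth"]
    if required_policy and required_policy not in auth["token_policies"]:
        raise PermissionError(f"token lacks policy {required_policy!r}")
    return {
        "token": auth["client_token"],
        "ttl_seconds": auth["lease_duration"],  # 1200 == token_ttl=20m above
        "policies": list(auth["token_policies"]),
        "renewable": auth["renewable"],
    }


def approle_login(vault_addr, role_id, secret_id=None, required_policy=None,
                  opener=urllib.request.urlopen):
    """End-to-end login; `opener` is injectable so parsing can be tested offline."""
    with opener(login_request(vault_addr, role_id, secret_id)) as resp:
        return parse_login_response(resp.read(), required_policy)


# Constructed sample of a Vault login response (token value is a placeholder).
SAMPLE_RESPONSE = json.dumps({"auth": {
    "client_token": "hvs.CONSTRUCTED-TOKEN-PLACEHOLDER",
    "token_policies": ["db-pol", "default"],
    "lease_duration": 1200,
    "renewable": True,
}}).encode()
```

Against a live server, `approle_login(VAULT_ADDR, role_id, secret_id, required_policy="db-pol")` returns the token dict; hand `["token"]` to the app as its X-Vault-Token rather than logging it.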