Class: Vault::Authenticate

Inherits:
Request
  • Object
show all
Defined in:
lib/vault/api/auth.rb

Instance Attribute Summary

Attributes inherited from Request

#client

Instance Method Summary collapse

Methods inherited from Request

#initialize, #inspect, #to_s

Methods included from EncodePath

encode_path

Constructor Details

This class inherits a constructor from Vault::Request

Instance Method Details

#app_id(app_id, user_id, options = {}) ⇒ Secret

Authenticate via the “app-id” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.app_id(
  "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
  "3b87be76-95cf-493a-a61b-7d5fc70870ad",
) #=> #<Vault::Secret lease_id="">

with a custom mount point

Vault.auth.app_id(
  "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
  "3b87be76-95cf-493a-a61b-7d5fc70870ad",
  mount: "new-app-id",
)

Parameters:

  • app_id (String)
  • user_id (String)
  • options (Hash) (defaults to: {})

    additional options to pass to the authentication call, such as a custom mount point

Returns:



69
70
71
72
73
74
75
 
# File 'lib/vault/api/auth.rb', line 69

def app_id(app_id, user_id, options = {})
  payload = { app_id: app_id, user_id: user_id }.merge(options)
  json = client.post("/v1/auth/app-id/login", JSON.fast_generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#approle(role_id, secret_id = nil) ⇒ Secret

Authenticate via the “approle” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.approle(
  "db02de05-fa39-4855-059b-67221c5c2f63",
  "6a174c20-f6de-a53c-74d2-6018fcceff64",
) #=> #<Vault::Secret lease_id="">

Parameters:

  • role_id (String)
  • secret_id (String) (defaults to: nil)

    (default: nil) It is required when ‘bind_secret_id` is enabled for the specified role_id

Returns:



92
93
94
95
96
97
98
99
 
# File 'lib/vault/api/auth.rb', line 92

def approle(role_id, secret_id=nil)
  payload = { role_id: role_id }
  payload[:secret_id] = secret_id if secret_id
  json = client.post("/v1/auth/approle/login", JSON.fast_generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#aws_ec2(role, pkcs7, nonce) ⇒ Secret

Authenticate via the AWS EC2 authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.aws_ec2("read-only", "pkcs7", "vault-nonce") #=> #<Vault::Secret lease_id="">

Parameters:

  • role (String)
  • pkcs7 (String)

    pkcs7 returned by the instance identity document (with line breaks removed)

  • nonce (String)

Returns:



179
180
181
182
183
184
185
 
# File 'lib/vault/api/auth.rb', line 179

def aws_ec2(role, pkcs7, nonce)
  payload = { role: role, pkcs7: pkcs7, nonce: nonce }
  json = client.post('/v1/auth/aws-ec2/login', JSON.fast_generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#github(github_token) ⇒ Secret

Authenticate via the GitHub authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.github("mypersonalgithubtoken") #=> #<Vault::Secret lease_id="">

Parameters:

  • github_token (String)

Returns:



158
159
160
161
162
163
164
 
# File 'lib/vault/api/auth.rb', line 158

def github(github_token)
  payload = {token: github_token}
  json = client.post("/v1/auth/github/login", JSON.fast_generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#ldap(username, password, options = {}) ⇒ Secret

Authenticate via the “ldap” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.ldap("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">

Parameters:

  • username (String)
  • password (String)
  • options (Hash) (defaults to: {})

    additional options to pass to the authentication call, such as a custom mount point

Returns:



140
141
142
143
144
145
146
 
# File 'lib/vault/api/auth.rb', line 140

def ldap(username, password, options = {})
  payload = { password: password }.merge(options)
  json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.fast_generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#tls(pem = nil) ⇒ Secret

Authenticate via a TLS authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Sending raw pem contents

Vault.auth.tls(pem_contents) #=> #<Vault::Secret lease_id="">

Reading a pem from disk

Vault.auth.tls(File.read("/path/to/my/certificate.pem")) #=> #<Vault::Secret lease_id="">

Parameters:

  • pem (String) (defaults to: nil)

    (default: the configured SSL pem file or contents) The raw pem contents to use for the login procedure.

Returns:



201
202
203
204
205
206
207
208
209
 
# File 'lib/vault/api/auth.rb', line 201

def tls(pem = nil)
  new_client = client.dup
  new_client.ssl_pem_contents = pem if !pem.nil?

  json = new_client.post("/v1/auth/cert/login")
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#token(new_token) ⇒ Secret

Authenticate via the “token” authentication method. This authentication method is a bit bizarre because you already have a token, but hey, whatever floats your boat.

This method hits the ‘/v1/auth/token/lookup-self` endpoint after setting the Vault client’s token to the given token parameter. If the self lookup succeeds, the token is persisted onto the client for future requests. If the lookup fails, the old token (which could be unset) is restored on the client.

Examples:

Vault.auth.token("6440e1bd-ba22-716a-887d-e133944d22bd") #=> #<Vault::Secret lease_id="">
Vault.token #=> "6440e1bd-ba22-716a-887d-e133944d22bd"

Parameters:

  • new_token (String)

    the new token to try to authenticate and store on the client

Returns:



34
35
36
37
38
39
40
41
42
43
 
# File 'lib/vault/api/auth.rb', line 34

def token(new_token)
  old_token    = client.token
  client.token = new_token
  json = client.get("/v1/auth/token/lookup-self")
  secret = Secret.decode(json)
  return secret
rescue
  client.token = old_token
  raise
end

#userpass(username, password, options = {}) ⇒ Secret

Authenticate via the “userpass” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.userpass("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">

with a custom mount point

Vault.auth.userpass("sethvargo", "s3kr3t", mount: "admin-login") #=> #<Vault::Secret lease_id="">

Parameters:

  • username (String)
  • password (String)
  • options (Hash) (defaults to: {})

    additional options to pass to the authentication call, such as a custom mount point

Returns:



118
119
120
121
122
123
124
 
# File 'lib/vault/api/auth.rb', line 118

def userpass(username, password, options = {})
  payload = { password: password }.merge(options)
  json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.fast_generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end