Class: Vault::Authenticate

Inherits:
Request
  • Object
show all
Defined in:
lib/vault/api/auth.rb

Instance Attribute Summary

Attributes inherited from Request

#client

Instance Method Summary collapse

Methods inherited from Request

#initialize, #inspect, #to_s

Methods included from EncodePath

encode_path

Constructor Details

This class inherits a constructor from Vault::Request

Instance Method Details

#app_id(app_id, user_id, options = {}) ⇒ Secret

Authenticate via the “app-id” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.app_id(
  "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
  "3b87be76-95cf-493a-a61b-7d5fc70870ad",
) #=> #<Vault::Secret lease_id="">

with a custom mount point

Vault.auth.app_id(
  "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
  "3b87be76-95cf-493a-a61b-7d5fc70870ad",
  mount: "new-app-id",
)

Parameters:

  • app_id (String)
  • user_id (String)
  • options (Hash) (defaults to: {})

    additional options to pass to the authentication call, such as a custom mount point

Returns:



72
73
74
75
76
77
78
 
# File 'lib/vault/api/auth.rb', line 72

def app_id(app_id, user_id, options = {})
  payload = { app_id: app_id, user_id: user_id }.merge(options)
  json = client.post("/v1/auth/app-id/login", JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#approle(role_id, secret_id = nil, options = {}) ⇒ Secret

Authenticate via the “approle” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Default mount point

Vault.auth.approle(
  "db02de05-fa39-4855-059b-67221c5c2f63",
  "6a174c20-f6de-a53c-74d2-6018fcceff64",
) #=> #<Vault::Secret lease_id="">

Custom mount point

Vault.auth.approle(
  "db02de05-fa39-4855-059b-67221c5c2f63",
  "6a174c20-f6de-a53c-74d2-6018fcceff64",
  mount: "my-approle"
) #=> #<Vault::Secret lease_id="">

Parameters:

  • role_id (String)
  • secret_id (String) (defaults to: nil)

    (default: nil) It is required when bind_secret_id is enabled for the specified role_id

  • options (Hash) (defaults to: {})

Options Hash (options):

  • :mount (String) — default: default: "approle"

    The path where the approle auth backend is mounted

Returns:



105
106
107
108
109
110
111
112
113
 
# File 'lib/vault/api/auth.rb', line 105

def approle(role_id, secret_id=nil, options = {})
  mount = options[:mount] || 'approle'
  payload = { role_id: role_id }
  payload[:secret_id] = secret_id if secret_id
  json = client.post("/v1/auth/#{CGI.escape(mount)}/login", JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#aws_ec2(role, pkcs7, nonce = nil, route = nil) ⇒ Secret

Authenticate via the AWS EC2 authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.aws_ec2("read-only", "pkcs7", "vault-nonce") #=> #<Vault::Secret lease_id="">

Parameters:

  • role (String)
  • pkcs7 (String)

    pkcs7 returned by the instance identity document (with line breaks removed)

  • nonce (String) (defaults to: nil)

    optional

  • route (String) (defaults to: nil)

    optional

Returns:



194
195
196
197
198
199
200
201
202
203
 
# File 'lib/vault/api/auth.rb', line 194

def aws_ec2(role, pkcs7, nonce = nil, route = nil)
  route ||= '/v1/auth/aws-ec2/login'
  payload = { role: role, pkcs7: pkcs7 }
  # Set a custom nonce if client is providing one
  payload[:nonce] = nonce if nonce
  json = client.post(route, JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com', route = nil) ⇒ Secret

Authenticate via AWS IAM auth method by providing a AWS CredentialProvider (either ECS, AssumeRole, etc.) If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.aws_iam("dev-role-iam", Aws::InstanceProfileCredentials.new, "vault.example.com", "https://sts.us-east-2.amazonaws.com") #=> #<Vault::Secret lease_id="">

Parameters:

Returns:



222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
 
# File 'lib/vault/api/auth.rb', line 222

def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com', route = nil)
  require "aws-sigv4"
  require "base64"

  request_body   = 'Action=GetCallerIdentity&Version=2011-06-15'
  request_method = 'POST'

  route ||= '/v1/auth/aws/login'

  vault_headers = {
    'User-Agent' => Vault::Client::USER_AGENT,
    'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'
  }

  vault_headers['X-Vault-AWS-IAM-Server-ID'] = iam_auth_header_value if iam_auth_header_value

  sig4_headers = Aws::Sigv4::Signer.new(
    service: 'sts',
    region: region_from_sts_endpoint(sts_endpoint),
    credentials_provider: credentials_provider
  ).sign_request(
    http_method: request_method,
    url: sts_endpoint,
    headers: vault_headers,
    body: request_body
  ).headers

  payload = {
    role: role,
    iam_http_request_method: request_method,
    iam_request_url: Base64.strict_encode64(sts_endpoint),
    iam_request_headers: Base64.strict_encode64(vault_headers.merge(sig4_headers).to_json),
    iam_request_body: Base64.strict_encode64(request_body)
  }

  json = client.post(route, JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#gcp(role, jwt, path = 'gcp') ⇒ Secret

Authenticate via the GCP authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.gcp("read-only", "jwt", "gcp") #=> #<Vault::Secret lease_id="">

Parameters:

  • role (String)
  • jwt (String)

    jwt returned by the instance identity metadata, or iam api

  • path (String) (defaults to: 'gcp')

    optional the path were the gcp auth backend is mounted

Returns:



277
278
279
280
281
282
283
 
# File 'lib/vault/api/auth.rb', line 277

def gcp(role, jwt, path = 'gcp')
  payload = { role: role, jwt: jwt }
  json = client.post("/v1/auth/#{CGI.escape(path)}/login", JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#github(github_token, path = "/v1/auth/github/login") ⇒ Secret

Authenticate via the GitHub authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.github("mypersonalgithubtoken") #=> #<Vault::Secret lease_id="">

Parameters:

  • github_token (String)

Returns:



172
173
174
175
176
177
178
 
# File 'lib/vault/api/auth.rb', line 172

def github(github_token, path="/v1/auth/github/login")
  payload = {token: github_token}
  json = client.post(path, JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#ldap(username, password, options = {}) ⇒ Secret

Authenticate via the “ldap” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.ldap("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">

Parameters:

  • username (String)
  • password (String)
  • options (Hash) (defaults to: {})

    additional options to pass to the authentication call, such as a custom mount point

Returns:



154
155
156
157
158
159
160
 
# File 'lib/vault/api/auth.rb', line 154

def ldap(username, password, options = {})
  payload = { password: password }.merge(options)
  json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#tls(pem = nil, path = 'cert', name: nil) ⇒ Secret

Authenticate via a TLS authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Sending raw pem contents

Vault.auth.tls(pem_contents) #=> #<Vault::Secret lease_id="">

Reading a pem from disk

Vault.auth.tls(File.read("/path/to/my/certificate.pem")) #=> #<Vault::Secret lease_id="">

Sending to a cert authentication backend mounted at a custom location

Vault.auth.tls(pem_contents, 'custom/location') #=> #<Vault::Secret lease_id="">

Parameters:

  • pem (String) (defaults to: nil)

    (default: the configured SSL pem file or contents) The raw pem contents to use for the login procedure.

  • path (String) (defaults to: 'cert')

    (default: ‘cert’) The path to the auth backend to use for the login procedure.

  • name (String) (defaults to: nil)

    optional The named certificate role provided to the login request.

Returns:



308
309
310
311
312
313
314
315
316
317
318
 
# File 'lib/vault/api/auth.rb', line 308

def tls(pem = nil, path = 'cert', name: nil)
  new_client = client.dup
  new_client.ssl_pem_contents = pem if !pem.nil?

  opts = {}
  opts[:name] = name if name
  json = new_client.post("/v1/auth/#{CGI.escape(path)}/login", opts)
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end

#token(new_token) ⇒ Secret

Authenticate via the “token” authentication method. This authentication method is a bit bizarre because you already have a token, but hey, whatever floats your boat.

This method hits the /v1/auth/token/lookup-self endpoint after setting the Vault client’s token to the given token parameter. If the self lookup succeeds, the token is persisted onto the client for future requests. If the lookup fails, the old token (which could be unset) is restored on the client.

Examples:

Vault.auth.token("6440e1bd-ba22-716a-887d-e133944d22bd") #=> #<Vault::Secret lease_id="">
Vault.token #=> "6440e1bd-ba22-716a-887d-e133944d22bd"

Parameters:

  • new_token (String)

    the new token to try to authenticate and store on the client

Returns:



37
38
39
40
41
42
43
44
45
46
 
# File 'lib/vault/api/auth.rb', line 37

def token(new_token)
  old_token    = client.token
  client.token = new_token
  json = client.get("/v1/auth/token/lookup-self")
  secret = Secret.decode(json)
  return secret
rescue
  client.token = old_token
  raise
end

#userpass(username, password, options = {}) ⇒ Secret

Authenticate via the “userpass” authentication method. If authentication is successful, the resulting token will be stored on the client and used for future requests.

Examples:

Vault.auth.userpass("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">

with a custom mount point

Vault.auth.userpass("sethvargo", "s3kr3t", mount: "admin-login") #=> #<Vault::Secret lease_id="">

Parameters:

  • username (String)
  • password (String)
  • options (Hash) (defaults to: {})

    additional options to pass to the authentication call, such as a custom mount point

Returns:



132
133
134
135
136
137
138
 
# File 'lib/vault/api/auth.rb', line 132

def userpass(username, password, options = {})
  payload = { password: password }.merge(options)
  json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.generate(payload))
  secret = Secret.decode(json)
  client.token = secret.auth.client_token
  return secret
end