
HashiCorp Vault Authentication Methods: Complete Configuration Guide

Configure Vault authentication methods: LDAP, Userpass, AppRole, Certificate, and Token auth. Step-by-step setup for enterprise security and CI/CD integration.


💡 Pro Tip: Each authentication method serves different use cases. LDAP for enterprise directory integration, Userpass for simple user management, Certificates for automated systems, and Tokens for programmatic access.

LDAP Authentication Configuration

LDAP authentication allows HashiCorp Vault to integrate with your existing Active Directory or LDAP infrastructure. This method is ideal for enterprise environments where user authentication should be centralized.

Configure LDAP Authentication

The following command configures LDAP to connect to your domain controller and establish the search parameters:

vault write auth/ldap/config \
  url="ldap://mydomaincontroller.mydomain.com:389" \
  userattr=sAMAccountName \
  userdn="dc=mydomain,dc=com" \
  groupdn="dc=mydomain,dc=com" \
  groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
  groupattr="cn" \
  upndomain="mydomain.com" \
  insecure_tls=false

Map LDAP Groups to Vault Policies

After configuring LDAP authentication, map your Active Directory groups to Vault policies:

vault write auth/ldap/groups/myvaultadgroup policies=myvaultpolicy
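The LDAP configuration above in a hardened form, plus an audit check on what the mount reports back, as an added example that is not part of the original guide. Assumed values: the host dc01.mydomain.com, the CA file ldap-ca.pem and the read-only bind account svc-vault.

```shell
# Added example (not from the original guide): the LDAP configuration above in
# a hardened form, plus an audit check for the read-back config. Assumed values:
# host dc01.mydomain.com, CA file ldap-ca.pem, bind account svc-vault.
set -e

# Configure the mount over LDAPS with the directory CA pinned, so bind and user
# passwords never cross the network in cleartext. Searches run as a read-only
# service account whose password is piped on stdin (bindpass=-) rather than
# passed as an argument that would show up in shell history and the process list.
# Usage: printf '%s' "$BIND_PASS" | configure_ldap
configure_ldap() {
  vault write auth/ldap/config \
    url="ldaps://dc01.mydomain.com:636" \
    certificate=@ldap-ca.pem \
    insecure_tls=false \
    binddn="cn=svc-vault,ou=service,dc=mydomain,dc=com" \
    bindpass=- \
    userattr=sAMAccountName \
    userdn="dc=mydomain,dc=com" \
    groupdn="dc=mydomain,dc=com" \
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
    groupattr="cn" \
    upndomain="mydomain.com" \
    token_ttl=1h \
    token_max_ttl=8h
  # group -> policy mapping, as in the guide
  vault write auth/ldap/groups/myvaultadgroup policies=myvaultpolicy
}

# Audit check on the JSON that `vault read -format=json auth/ldap/config`
# returns: passes only for ldaps://, or ldap:// with starttls=true, and never
# when insecure_tls=true (which disables certificate verification).
# Usage: vault read -format=json auth/ldap/config | ldap_config_uses_tls
ldap_config_uses_tls() {
  cfg="$(cat)"
  printf '%s' "$cfg" | grep -q '"insecure_tls": *true' && return 1
  printf '%s' "$cfg" | grep -q '"url": *"ldaps://' && return 0
  printf '%s' "$cfg" | grep -q '"starttls": *true' && return 0
  return 1
}
```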

Userpass Authentication Management

Userpass authentication provides a simple username and password authentication method for HashiCorp Vault. This approach is perfect for smaller environments or when integrating with external identity providers isn’t feasible.

Create a New User

vault write auth/userpass/users/myusername password=mypassword policies=admins

Delete a User

vault delete auth/userpass/users/myusername

Change User Password

vault write auth/userpass/users/myusername password=mypassword

Create User with Random Password

For enhanced security, create users with randomly generated passwords and store them securely:

mypass="$(openssl rand -base64 16)"
# the value is piped on stdin (password=-) so it never appears in shell history or the process list
printf '%s' "$mypass" | vault write secret/test password=-
printf '%s' "$mypass" | vault write auth/userpass/users/test.user password=- policies=admins
vault read -wrap-ttl=15m secret/test
unset mypass

Login with Userpass Authentication

Direct login with credentials (current Vault releases use vault login; older releases used vault auth with the same flags):

vault login -method=userpass username=myusername password=mypassword

Interactive login (prompts for password):

vault login -method=userpass username=myusername

Certificate-Based Authentication

Certificate authentication provides a secure, automated way for systems and applications to authenticate with Vault using PEM certificates. This method is ideal for machine-to-machine authentication.

⚠️ Important: Certificate authentication does not work with the built-in version of cURL on macOS. Use an alternative HTTP client or updated cURL version.

Create Authentication Certificate

Follow these steps to create a certificate for Vault authentication:

  • Create a folder to store certificate files
  • Create a cert.conf file with your certificate details
  • Modify cert.conf to fill in all fields under the [dn] section

Generate the certificate and key files (the first command prompts for a passphrase and encrypts key.pem; the second writes an unencrypted copy, key.insecure.pem, which is the one the Vault CLI can load):

openssl req -config cert.conf -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
openssl rsa -in key.pem -out key.insecure.pem

Configure Vault for Certificate Authentication

Register your certificate with Vault (replace placeholder values with actual certificate details):

vault write auth/cert/certs/your.name \
  display_name="Your Name" \
  policies=policyname \
  certificate=@cert.pem \
  ttl=3600

Authenticate Using Certificate

vault login -method=cert -client-cert=cert.pem -client-key=key.insecure.pem
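The certificate procedure above as one script, added here as an example that is not part of the original guide: it fills every [dn] field of cert.conf from parameters, restricts the certificate to client authentication, and pins the Vault role to the certificate's CN. Assumed names: the role ci-runner, the policy ci-policy and the organisation values passed in.

```shell
# Added example (not from the original guide): the certificate-auth procedure
# above as a script, with the [dn] fields parameterised and the role pinned to
# the certificate's CN. Assumed names: role "ci-runner", policy "ci-policy".
set -e

# openssl request config (the guide's cert.conf) with every [dn] field filled
# and a client-auth EKU so the cert cannot double as a server certificate.
# Arguments: CN, organisation, two-letter country code.
render_cert_conf() {
  cat <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ext
prompt             = no

[dn]
CN = $1
O  = $2
C  = $3

[v3_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Generate the key and self-signed cert. -nodes writes the key unencrypted,
# which replaces the guide's separate "openssl rsa ... key.insecure.pem" step.
gen_cert() {
  render_cert_conf "$1" "$2" "$3" > cert.conf
  openssl req -config cert.conf -x509 -newkey rsa:2048 -nodes \
    -keyout key.pem -out cert.pem -days 365
  chmod 600 key.pem
}

# Register the cert. allowed_common_names pins the role to this CN, so a
# different cert presented for this role is rejected even if it matches
# an otherwise acceptable trust chain.
register_cert() {
  vault write auth/cert/certs/"$1" \
    display_name="$1" \
    policies="$2" \
    certificate=@cert.pem \
    allowed_common_names="$3" \
    ttl=3600
}

# Usage (needs a reachable Vault with VAULT_ADDR and VAULT_TOKEN set):
#   gen_cert ci-runner "Example Corp" US
#   register_cert ci-runner ci-policy ci-runner
#   vault login -method=cert -client-cert=cert.pem -client-key=key.pem
```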

Token Authentication

Token authentication is the core authentication method in HashiCorp Vault. All other authentication methods eventually issue a token for accessing Vault’s API. Tokens can be used directly for programmatic access.

Direct Token Authentication

Authenticate with a known token (current Vault releases use vault login; older releases used vault auth in the same way):

vault login <token>

Interactive token prompt:

vault login

For comprehensive token management strategies, see our detailed guide on Managing HashiCorp Vault Tokens.

Frequently Asked Questions


Vault supports many auth methods including Token (default), Userpass, LDAP/Active Directory, AppRole (for machines/CI-CD), Certificate (TLS), OIDC, AWS IAM, Kubernetes, GitHub, and more. Each method issues a Vault token upon successful authentication.

Enable an auth method with 'vault auth enable <type>'. For example: 'vault auth enable userpass' or 'vault auth enable -path=company-ldap ldap'. The -path flag allows custom mount points for multiple instances.

Configure LDAP with 'vault write auth/ldap/config url=ldap://server:389 userdn=ou=users,dc=example,dc=com groupdn=ou=groups,dc=example,dc=com'. Then map groups to policies with 'vault write auth/ldap/groups/admins policies=admin-policy'.

AppRole is an authentication method designed for machines and automated workflows like CI/CD pipelines. It uses a role_id (like a username) and secret_id (like a password) to authenticate. Use it for Jenkins, GitHub Actions, or any automated system needing Vault access.

Enable userpass with 'vault auth enable userpass', then create users with 'vault write auth/userpass/users/username password=secret policies=user-policy'. Users authenticate with 'vault login -method=userpass username=username'.

Enable cert auth with 'vault auth enable cert', register certificates with 'vault write auth/cert/certs/name certificate=@cert.pem policies=cert-policy', then authenticate with 'vault login -method=cert -client-cert=cert.pem -client-key=key.pem'.

List all enabled auth methods with 'vault auth list'. This shows the path, type, accessor, and description of each enabled authentication method in your Vault instance.

Auth methods are ways to prove identity to Vault (LDAP credentials, certificates, etc.). Upon successful authentication, Vault issues a token. The token is then used for all subsequent API requests. All auth methods ultimately produce tokens.

Disable an auth method with 'vault auth disable <path>'. For example: 'vault auth disable userpass/'. Warning: This revokes all tokens issued by that auth method and deletes all configuration.

Yes, you can enable multiple auth methods at different paths. For example, use LDAP for human users, AppRole for CI/CD, and Kubernetes auth for container workloads. Each can have different policies attached.
