
HashiCorp Vault Authentication Configuration Guide

Master LDAP, Userpass, Certificate, and Token authentication methods for enterprise security


HashiCorp Vault offers multiple authentication methods to secure your secrets management infrastructure. This comprehensive guide covers the four most commonly used authentication methods: LDAP integration, Userpass authentication, Certificate-based authentication, and Token authentication.

Pro Tip: Each authentication method serves a different use case: LDAP for enterprise directory integration, Userpass for simple user management, Certificates for automated systems, and Tokens for programmatic access.

LDAP Authentication Configuration

LDAP authentication allows HashiCorp Vault to integrate with your existing Active Directory or LDAP infrastructure. This method is ideal for enterprise environments where user authentication should be centralized.

Configure LDAP Authentication

The following command configures LDAP to connect to your domain controller and establish the search parameters:

vault write auth/ldap/config \
  url="ldap://mydomaincontroller.mydomain.com:389" \
  userattr=sAMAccountName \
  userdn="dc=mydomain,dc=com" \
  groupdn="dc=mydomain,dc=com" \
  groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
  groupattr="cn" \
  upndomain="mydomain.com" \
  insecure_tls=false
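The config above is the LDAP bind path, so the first thing to check is whether that path is encrypted. The following Python is an added example, not part of this guide or of Vault itself: it parses the key=value arguments of a vault write auth/ldap/config command and flags the settings a defender would question. The parameter names are Vault's real LDAP auth parameters; both commands embedded in it are constructed for the example, and the hardened variant assumes the domain controller listens for LDAPS on port 636.

```python
# Added example, not from the page or from HashiCorp: lint the key=value
# arguments of a `vault write auth/ldap/config` command for settings that
# weaken the LDAP bind path. Parameter names are Vault's real LDAP auth
# parameters; both sample commands below are constructed for this example.
import shlex
from urllib.parse import urlparse

# The command as the guide gives it: plain LDAP on port 389.
PAGE_CONFIG = '''vault write auth/ldap/config \\
  url="ldap://mydomaincontroller.mydomain.com:389" \\
  userattr=sAMAccountName \\
  userdn="dc=mydomain,dc=com" \\
  groupdn="dc=mydomain,dc=com" \\
  groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \\
  groupattr="cn" \\
  upndomain="mydomain.com" \\
  insecure_tls=false'''

# Same command over LDAPS (assumes the domain controller listens on 636).
HARDENED_CONFIG = PAGE_CONFIG.replace(
    "ldap://mydomaincontroller.mydomain.com:389",
    "ldaps://mydomaincontroller.mydomain.com:636")

def parse_vault_write(cmdline):
    """Split 'vault write <path> k=v ...' into (path, {k: v})."""
    tokens = shlex.split(cmdline.replace("\\\n", " "))
    if len(tokens) < 3 or tokens[:2] != ["vault", "write"]:
        raise ValueError("expected a 'vault write <path> ...' command")
    cfg = {}
    for pair in tokens[3:]:
        key, _, value = pair.partition("=")  # shlex has already stripped quotes
        cfg[key] = value
    return tokens[2], cfg

def lint_ldap_config(cfg):
    """Return findings about the LDAP config; an empty list means nothing to flag."""
    findings = []
    url = urlparse(cfg.get("url", ""))
    if url.scheme == "ldap":
        if cfg.get("starttls", "false").lower() != "true":
            findings.append("url is ldap:// without starttls=true: bind credentials "
                            "and every user password cross the network in clear text")
    elif url.scheme != "ldaps":
        findings.append(f"unexpected url scheme {url.scheme!r}")
    if cfg.get("insecure_tls", "false").lower() == "true":
        findings.append("insecure_tls=true disables verification of the server certificate")
    for key in ("userdn", "groupdn"):
        if not cfg.get(key):
            findings.append(f"{key} is unset: user/group searches have no base DN")
    return findings
```

Run against the guide's own command it reports exactly one finding, the clear-text bind; the LDAPS variant reports none.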

Map LDAP Groups to Vault Policies

After configuring LDAP authentication, map your Active Directory groups to Vault policies:

vault write auth/ldap/groups/myvaultadgroup policies=myvaultpolicy

Userpass Authentication Management

Userpass authentication provides a simple username and password authentication method for HashiCorp Vault. This approach is perfect for smaller environments or when integrating with external identity providers isn’t feasible.

Create a New User

vault write auth/userpass/users/myusername password=mypassword policies=admins

Delete a User

vault delete auth/userpass/users/myusername

Change User Password

vault write auth/userpass/users/myusername password=mypassword

Create User with Random Password

For enhanced security, create users with randomly generated passwords and store them securely:

mypass="$(openssl rand -base64 16)"
# Quote the variable so the shell never word-splits or globs the password
printf '%s' "$mypass" | vault write secret/test password=-
vault write auth/userpass/users/test.user password="$mypass" policies=admins
vault read -wrap-ttl=15m secret/test
mypass=""

Login with Userpass Authentication

Direct login with credentials:

vault auth -method=userpass username=myusername password=mypassword

Interactive login (prompts for password):

vault auth -method=userpass username=myusername

Certificate-Based Authentication

Certificate authentication provides a secure, automated way for systems and applications to authenticate with Vault using PEM certificates. This method is ideal for machine-to-machine authentication.

āš ļø Important: Certificate authentication does not work with the built-in version of cURL on macOS. Use an alternative HTTP client or updated cURL version.

Create Authentication Certificate

Follow these steps to create a certificate for Vault authentication:

  • Create a folder to store certificate files
  • Create a cert.conf file with your certificate details
  • Modify cert.conf to fill in all fields under the [dn] section

Generate the certificate and key files:

openssl req -config cert.conf -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
openssl rsa -in key.pem -out key.insecure.pem

Configure Vault for Certificate Authentication

Register your certificate with Vault (replace placeholder values with actual certificate details):

vault write auth/cert/certs/your.name \
  display_name="Your Name" \
  policies=policyname \
  certificate=@cert.pem \
  ttl=3600

Authenticate Using Certificate

vault auth -method=cert -client-cert=cert.pem -client-key=key.pem

Token Authentication

Token authentication is the core authentication method in HashiCorp Vault. All other authentication methods eventually issue a token for accessing Vault’s API. Tokens can be used directly for programmatic access.

Direct Token Authentication

Authenticate with a known token:

vault auth <token>

Interactive token prompt:

vault auth

For comprehensive token management strategies, see our detailed guide on Managing HashiCorp Vault Tokens.

Frequently Asked Questions


Vault makes sense when: (1) Managing 20+ secrets across multiple apps, (2) Multiple developers need secret access, (3) Compliance requires secret rotation (PCI-DSS, SOC 2), (4) Running microservices (each service needs different secrets). Environment variables work until: (1) Secrets change (requires redeploying apps), (2) Multiple people need access (leads to secrets in Slack/email), (3) Audit trail needed (who accessed what when). Vault costs: self-hosted free (4-8 hours setup + 2-4 hours/month maintenance) or Vault Cloud ($0.30-0.50/hour = $216-360/month). Breakpoint: 3+ apps, 5+ developers = Vault pays off. Under that: AWS Secrets Manager ($0.40/secret/month, simpler) or encrypted environment variables work fine.
