This benchmark tests the performance of logins using the AppRole auth method.

- role_name (string: "benchmark-role") - Name of the AppRole. Must be less than 4096 bytes; accepted characters include a-Z, 0-9, space, hyphen, underscore and periods.
- bind_secret_id (bool: true) - Require secret_id to be presented when logging in using this AppRole.
- secret_id_bound_cidrs (array: []) - Comma-separated string or list of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation.
- secret_id_num_uses (integer: 0) - Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID by default will expire. A value of zero will allow unlimited uses. However, this option may be overridden by the request's 'num_uses' field when generating a SecretID.
- secret_id_ttl (string: "") - Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which by default any SecretID expires. A value of zero will allow the SecretID to not expire. However, this option may be overridden by the request's 'ttl' field when generating a SecretID.
- local_secret_ids (bool: false) - If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later.
- token_ttl (string: "") - The incremental lifetime for generated tokens. The current value of this will be referenced at renewal time.
- token_max_ttl (string: "") - The maximum lifetime for generated tokens. The current value of this will be referenced at renewal time.
- token_policies (array: []) - List of token policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- policies (array: []) - DEPRECATED: Please use the token_policies parameter instead. List of token policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_bound_cidrs (array: []) - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_explicit_max_ttl (string: "") - If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- token_no_default_policy (bool: false) - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_num_uses (integer: 0) - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0.
- token_period (string: "") - The maximum allowed period value when a periodic token is requested from this role.
- token_type (string: "") - The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.

- metadata (string: "") - Metadata to be tied to the SecretID. This should be a JSON-formatted string containing the metadata in key-value pairs. This metadata will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.
- cidr_list (array: []) - Comma-separated string or list of CIDR blocks enforcing secret IDs to be used from a specific set of IP addresses. If secret_id_bound_cidrs is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.
- token_bound_cidrs (array: []) - Comma-separated string or list of CIDR blocks; if set, specifies blocks of IP addresses which can use the auth tokens generated by this SecretID. Overrides any role-set value but must be a subset.
- num_uses (integer: 0) - Number of times this SecretID can be used, after which the SecretID expires. A value of zero will allow unlimited uses. Overrides the secret_id_num_uses role option when supplied. May not be higher than the role's secret_id_num_uses.
- ttl (string: "") - Duration in seconds (3600) or an integer time unit (60m) after which this SecretID expires. A value of zero will allow the SecretID to not expire. Overrides the secret_id_ttl role option when supplied. May not be longer than the role's secret_id_ttl.

test "approle_auth" "approle_test1" {
  weight = 100
  config {
    role {
      role_name      = "test"
      bind_secret_id = true
      token_ttl      = "10m"
      token_type     = "batch"
    }
    secret_id {
      token_bound_cidrs = ["1.2.3.4/32"]
      ttl               = "10m"
    }
  }
}
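
The SecretID parameters above state that cidr_list and token_bound_cidrs must be subsets of the role's CIDR blocks, and that num_uses and ttl may not exceed the role's values. The following is an added example, not part of the benchmark tool or the original page: a pre-flight check over the role and secret_id blocks expressed as Python dicts. The function names, the s/m/h-only duration parser, and treating 0 as "unlimited, therefore looser than any non-zero bound" are assumptions of this sketch.

```python
import ipaddress
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}

def to_seconds(value):
    """Parse "3600" or "60m"; "" and 0 both mean "does not expire"."""
    m = re.fullmatch(r"(\d+)([smh]?)", str(value or "0"))
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def looser(child, parent):
    """True if child exceeds parent, where 0 means unlimited (assumption)."""
    return parent != 0 and (child == 0 or child > parent)

def outside(child, parent):
    """CIDRs in child that are not contained in any parent block."""
    nets = [ipaddress.ip_network(p, strict=False) for p in parent]
    bad = []
    for c in child:
        n = ipaddress.ip_network(c, strict=False)
        if not any(n.version == p.version and n.subnet_of(p) for p in nets):
            bad.append(c)
    return bad

def lint(role, secret_id):
    """Return (field, detail) pairs for secret_id values wider than the role."""
    findings = []
    for sid_key, role_key in (("cidr_list", "secret_id_bound_cidrs"),
                              ("token_bound_cidrs", "token_bound_cidrs")):
        if role.get(role_key):  # constraint applies only when the role sets it
            bad = outside(secret_id.get(sid_key, []), role[role_key])
            if bad:
                findings.append((sid_key, f"{bad} not within role {role_key}"))
    if "num_uses" in secret_id and looser(secret_id["num_uses"],
                                          role.get("secret_id_num_uses", 0)):
        findings.append(("num_uses", "higher than role secret_id_num_uses"))
    if "ttl" in secret_id and looser(to_seconds(secret_id["ttl"]),
                                     to_seconds(role.get("secret_id_ttl", ""))):
        findings.append(("ttl", "longer than role secret_id_ttl"))
    return findings

# Constructed sample: a role with bounds and a secret_id block that exceeds them.
ROLE = {"role_name": "test", "secret_id_bound_cidrs": ["10.0.0.0/24"],
        "token_bound_cidrs": ["10.0.0.0/24"], "secret_id_num_uses": 5,
        "secret_id_ttl": "10m"}
SECRET_ID = {"cidr_list": ["10.0.0.0/16"], "token_bound_cidrs": ["1.2.3.4/32"],
             "num_uses": 0, "ttl": "3600"}

if __name__ == "__main__":
    for field, detail in lint(ROLE, SECRET_ID):
        print(f"secret_id.{field}: {detail}")
```

The example configuration on this page produces no findings, because its role block sets none of the bounding options.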