layout | page_title | description |
---|---|---|
docs |
Userpass - Auth Methods |
The "userpass" auth method allows users to authenticate with Vault using a username and password. |
The userpass
auth method allows users to authenticate with Vault using
a username and password combination.
The username/password combinations are configured directly to the auth
method using the users/
path. This method cannot read usernames and
passwords from an external source.
The method lowercases all submitted usernames, e.g. Mary
and mary
are the
same entry.
This documentation assumes the Username & Password method is mounted at the default /auth/userpass
path in Vault. Since it is possible to enable auth methods at any location,
please update your CLI calls accordingly with the -path
flag.
$ vault login -method=userpass \
username=mitchellh \
password=foo
$ curl \
--request POST \
--data '{"password": "foo"}' \
http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
The response will contain the token at auth.client_token
:
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"auth": {
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
"policies": ["admins"],
"metadata": {
"username": "mitchellh"
},
"lease_duration": 0,
"renewable": false
}
}
Auth methods must be configured in advance before users or machines can authenticate. These steps are usually completed by an operator or configuration management tool.
-
Enable the userpass auth method:
$ vault auth enable userpass
Enable the userpass
auth method at the default auth/userpass
path.
You can choose to enable the auth method at a different path with the -path
flag:
$ vault auth enable -path=<path> userpass
-
Configure it with users that are allowed to authenticate:
$ vault write auth/<userpass:path>/users/mitchellh \ password=foo \ policies=admins
This creates a new user "mitchellh" with the password "foo" that will be associated with the "admins" policy. This is the only configuration necessary.
@include 'user-lockout.mdx'
The Userpass auth method has a full HTTP API. Please see the Userpass auth method API for more details.