<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150 align="right">
<img src=images/Acme.jpeg width=100 align="left">


# UC-4 App Role Authentication
---
## Business Values
 * Provide a way for operators to manage policy without being involved in generating tokens or creds for applications (minimize coordination) 
 * Operators have less work to do
 * Orchestration tools can take over the task of giving applications secrets access

## How AppRole Auth Method works

Vault provides internal and external authentication methods.  External methods are called *tusted third-party authenticators* such as AWS, LDAP, Github, etc.

In some situations trusted third-party authenticator is not available, so Vault has an alternate approach - **AppRole**
* AppRole generates **RoleID** and **SecretID**
    - RoleID is an identifier similar to username
    - SecretID is a credential to login (similart to password)  

<br />   
<img src="images/vault-approle-workflow.png" width=1000>
<img src="images/vault-approle-pull.png" width=1000>
<img src="images/vault-approle-push.png" width=1000>

### Setup
---

In [29]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root
export VAULT_SKIP_VERIFY=true

In [30]:
vault login s.WS9F9o1f39UFHRLt6SPF5ttl

over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
[0m
[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                s.WS9F9o1f39UFHRLt6SPF5ttl
token_accessor       GNbiLOOigffWwMbmLADBs8rz
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m


In [23]:
vault status

[0mKey             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.6.0
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-3ae53707
Cluster ID      fdc39d7d-439d-9ff2-6a40-52755bf3f127
HA Enabled      true
HA Cluster      https://127.0.0.1:8201
HA Mode         active[0m


In [5]:
vault -version

[0mVault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)[0m


### Demo
---

### Enable the approle authentication method


In [31]:
vault auth enable approle

[0mSuccess! Enabled approle auth method at: approle/[0m


### Create a secret
NOTE: num_uses determines how many times secret can be used.

In this example, a SecretID of the myapp role can be used for up to 5 times to authenticate and fetch a client token. After the number of uses is reached, the SecretID expires and you would need to generate a new one. This is similar to forcing a password rotation.

In [32]:
vault write auth/approle/role/myapp secret_id_num_uses=3 secret_id_ttl=5m

[0mSuccess! Data written to: auth/approle/role/myapp[0m


##### Read the secret

In [35]:
vault read auth/approle/role/myapp

[0mKey                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
secret_id_bound_cidrs      <nil>
secret_id_num_uses         3
secret_id_ttl              5m
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             []
token_ttl                  0s
token_type                 default[0m


### Create a role id 
Typically a constant value, provide this to the app developer team

In [24]:
vault read auth/approle/role/myapp/role-id

[0mKey        Value
---        -----
role_id    57013b74-fe4e-8f75-9421-e820c087af4c[0m


**Attempt to read the role id (same as above) using the API**. 


In [15]:
export APPROLE="myapp"
ROLE_ID=$(curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" "http://127.0.0.1:8200/v1/auth/approle/role/${APPROLE}/role-id" | jq -r '.data.role_id')
echo $ROLE_ID

57013b74-fe4e-8f75-9421-e820c087af4c


### Generate a Secret ID  

In [34]:
vault write -f auth/approle/role/myapp/secret-id

[0mKey                   Value
---                   -----
secret_id             ed9b5c4a-4812-bdbe-53f6-bb3e135ab35a
secret_id_accessor    99da6c05-3746-c4a9-e59f-1931961dd63a[0m


In [36]:
vault write -f auth/approle/role/myapp/secret-id

[0mKey                   Value
---                   -----
secret_id             4b9899d0-a809-6c3d-7e03-508a1ea220a2
secret_id_accessor    a47def99-bea8-5cd0-c8eb-58ed05279112[0m


**Using CURL instead**  

In [27]:
SECRET_ID=$(curl -s -X POST -H "X-Vault-Token:${VAULT_TOKEN}" "http://127.0.0.1:8200/v1/auth/approle/role/${APPROLE}/secret-id" | jq -r '.data.secret_id')
echo ${SECRET_ID}

a1e26f40-411f-87b3-6f0d-650f35ace0c6


### Write a new login with `role id` and `secret id`from to get the token for logging into Vault

In [18]:
vault write auth/approle/login role_id=${ROLE_ID} secret_id=${SECRET_ID}


[0mKey                     Value
---                     -----
token                   s.68FTaderWJj7hsNXhR7AY8Qh
token_accessor          YfHmC1QBwxXvQfsXQuSiVZkP
token_duration          768h
token_renewable         true
token_policies          ["default"]
identity_policies       []
policies                ["default"]
token_meta_role_name    myapp[0m


**Again, we can do the same using CURL**

In [19]:
APP_ROLE_TOKEN=$(curl -s -X POST -d '{"role_id": "'"${ROLE_ID}"'", "secret_id": "'"${SECRET_ID}"'"}' http://127.0.0.1:8200/v1/auth/approle/login | jq -r '.auth.client_token')
echo ${APP_ROLE_TOKEN}

s.kLjjGfmN6wOB006n2mB0Z9Fi


In [None]:
vault login ${APP_ROLE_TOKEN}

## Response Wrap the SecretID
The RoleID is equivalent to a username, and SecretID is the corresponding password. The app needs both to log in with Vault. Naturally, the next question becomes how to deliver those values to the client securely.

A common solution involves three personas instead of two: admin, app, and trusted entity. The trusted entity delivers the RoleID and SecretID to the client by separate means.

For example, Terraform as a trusted entity can deliver the RoleID onto the virtual machine. When the app runs on the virtual machine, the RoleID already exists on the virtual machine.

<img src="images/vault-approle-workflow2.png">

### View Vault via a browser
Open a web browser and visit http://127.0.0.1:8200/ui/vault Use **TOKEN** and Sign in

&nbsp;

---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 align="left">