mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 15:11:07 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
59 lines
2.7 KiB
Plaintext
59 lines
2.7 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Auth Methods
|
|
description: Auth methods are mountable methods that perform authentication for Vault.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Auth methods
|
|
|
|
Auth methods are the components in Vault that perform authentication and are
|
|
responsible for assigning identity and a set of policies to a user. In all cases,
|
|
Vault will enforce authentication as part of the request processing. In most cases,
|
|
Vault will delegate the authentication administration and decision to the relevant configured
|
|
external auth method (e.g., Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft
|
|
Azure, Okta ...).
|
|
|
|
Having multiple auth methods enables you to use an auth method that makes the
|
|
most sense for your use case of Vault and your organization.
|
|
|
|
To learn more about authentication, see the
|
|
[authentication concepts page](/vault/docs/concepts/auth).
|
|
|
|
## Enabling/Disabling auth methods
|
|
|
|
Auth methods can be enabled/disabled using the CLI or the API.
|
|
|
|
```shell-session
|
|
$ vault auth enable userpass
|
|
```
|
|
|
|
When enabled, auth methods are similar to [secrets engines](/vault/docs/secrets):
|
|
they are mounted within the Vault mount table and can be accessed
|
|
and configured using the standard read/write API. All auth methods are mounted underneath the `auth/` prefix.
|
|
|
|
By default, auth methods are mounted to `auth/<type>`. For example, if you
|
|
enable "github", then you can interact with it at `auth/github`. However, this
|
|
path is customizable, allowing users with advanced use cases to mount a single
|
|
auth method multiple times.
|
|
|
|
```shell-session
|
|
$ vault auth enable -path=my-login userpass
|
|
```
|
|
|
|
When an auth method is disabled, all users authenticated via that method are
|
|
automatically logged out.
|
|
|
|
## External auth method considerations
|
|
|
|
When using an external auth method (e.g., GitHub), Vault will call the external service
|
|
at the time of authentication and for subsequent token renewals. If the status
|
|
of an entity changes in the external system (e.g., an account expires or is
|
|
disabled), Vault denies requests to **renew** tokens associated with the entity.
|
|
However, any existing token remain valid for the original grant period unless
|
|
they are explicitly revoked within Vault. Operators should set appropriate
|
|
[token TTLs](/vault/docs/concepts/tokens#the-general-case) when using external
|
|
authN methods.
|