mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 15:11:07 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
108 lines
3.0 KiB
Plaintext
108 lines
3.0 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Userpass - Auth Methods
|
|
description: >-
|
|
The "userpass" auth method allows users to authenticate with Vault using a
|
|
username and password.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Userpass auth method
|
|
|
|
@include 'tips/custom-authn.mdx'
|
|
|
|
The `userpass` auth method allows users to authenticate with Vault using
|
|
a username and password combination.
|
|
|
|
The username/password combinations are configured directly to the auth
|
|
method using the `users/` path. This method cannot read usernames and
|
|
passwords from an external source.
|
|
|
|
The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
|
|
same entry.
|
|
|
|
This documentation assumes the Username & Password method is mounted at the default `/auth/userpass`
|
|
path in Vault. Since it is possible to enable auth methods at any location,
|
|
please update your CLI calls accordingly with the `-path` flag.
|
|
|
|
## Authentication
|
|
|
|
### Via the CLI
|
|
|
|
```shell-session
|
|
$ vault login -method=userpass \
|
|
username=mitchellh \
|
|
password=foo
|
|
```
|
|
|
|
### Via the API
|
|
|
|
```shell-session
|
|
$ curl \
|
|
--request POST \
|
|
--data '{"password": "foo"}' \
|
|
http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
|
|
```
|
|
|
|
The response will contain the token at `auth.client_token`:
|
|
|
|
```json
|
|
{
|
|
"lease_id": "",
|
|
"renewable": false,
|
|
"lease_duration": 0,
|
|
"data": null,
|
|
"auth": {
|
|
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
|
|
"policies": ["admins"],
|
|
"metadata": {
|
|
"username": "mitchellh"
|
|
},
|
|
"lease_duration": 0,
|
|
"renewable": false
|
|
}
|
|
}
|
|
```
|
|
|
|
## Configuration
|
|
|
|
Auth methods must be configured in advance before users or machines can
|
|
authenticate. These steps are usually completed by an operator or configuration
|
|
management tool.
|
|
|
|
1. Enable the userpass auth method:
|
|
|
|
```shell-session
|
|
$ vault auth enable userpass
|
|
```
|
|
|
|
Enable the `userpass` auth method at the default `auth/userpass` path.
|
|
You can choose to enable the auth method at a different path with the `-path` flag:
|
|
|
|
```shell-session
|
|
$ vault auth enable -path=<path> userpass
|
|
```
|
|
|
|
1. Configure it with users that are allowed to authenticate:
|
|
|
|
```shell-session
|
|
$ vault write auth/<userpass:path>/users/mitchellh \
|
|
password=foo \
|
|
policies=admins
|
|
```
|
|
|
|
This creates a new user "mitchellh" with the password "foo" that will be
|
|
associated with the "admins" policy. This is the only configuration
|
|
necessary.
|
|
|
|
## User lockout
|
|
|
|
@include 'user-lockout.mdx'
|
|
|
|
## API
|
|
|
|
The Userpass auth method has a full HTTP API. Please see the [Userpass auth
|
|
method API](/vault/api-docs/auth/userpass) for more details.
|