mirror of
https://github.com/hashicorp/vault.git
synced 2025-09-01 03:51:08 +02:00
3701dcf3ca
* saving because laptop is bad and should feel bad * save * make supported login types partial * add api-docs partial * update custom login docs * reword tip? * add delete section * address feedback, update using a direct link section * move tips down * remove table lines and see if that fixes build? * revert changes to custom-messages mdx * add line break? * format fixes * empty commit again * check vercel? * add line break * update "namespace" to be "namespace_path" * reduce use of "preferred" * address feedback * use "settings" to match GUI verbiage * missed a couple feedback comments * add "single" and "multiple" * fix link rendering * fix namespace-path typos for namespace params referencing namespace context * address feedback --------- Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
105 lines
2.5 KiB
Plaintext
105 lines
2.5 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Userpass - Auth Methods
|
|
description: >-
|
|
The "userpass" auth method allows users to authenticate with Vault using a
|
|
username and password.
|
|
---
|
|
|
|
# Userpass auth method
|
|
|
|
@include 'tips/custom-authn.mdx'
|
|
|
|
The `userpass` auth method allows users to authenticate with Vault using
|
|
a username and password combination.
|
|
|
|
The username/password combinations are configured directly to the auth
|
|
method using the `users/` path. This method cannot read usernames and
|
|
passwords from an external source.
|
|
|
|
The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
|
|
same entry.
|
|
|
|
This documentation assumes the Username & Password method is mounted at the default `/auth/userpass`
|
|
path in Vault. Since it is possible to enable auth methods at any location,
|
|
please update your CLI calls accordingly with the `-path` flag.
|
|
|
|
## Authentication
|
|
|
|
### Via the CLI
|
|
|
|
```shell-session
|
|
$ vault login -method=userpass \
|
|
username=mitchellh \
|
|
password=foo
|
|
```
|
|
|
|
### Via the API
|
|
|
|
```shell-session
|
|
$ curl \
|
|
--request POST \
|
|
--data '{"password": "foo"}' \
|
|
http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
|
|
```
|
|
|
|
The response will contain the token at `auth.client_token`:
|
|
|
|
```json
|
|
{
|
|
"lease_id": "",
|
|
"renewable": false,
|
|
"lease_duration": 0,
|
|
"data": null,
|
|
"auth": {
|
|
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
|
|
"policies": ["admins"],
|
|
"metadata": {
|
|
"username": "mitchellh"
|
|
},
|
|
"lease_duration": 0,
|
|
"renewable": false
|
|
}
|
|
}
|
|
```
|
|
|
|
## Configuration
|
|
|
|
Auth methods must be configured in advance before users or machines can
|
|
authenticate. These steps are usually completed by an operator or configuration
|
|
management tool.
|
|
|
|
1. Enable the userpass auth method:
|
|
|
|
```shell-session
|
|
$ vault auth enable userpass
|
|
```
|
|
|
|
Enable the `userpass` auth method at the default `auth/userpass` path.
|
|
You can choose to enable the auth method at a different path with the `-path` flag:
|
|
|
|
```shell-session
|
|
$ vault auth enable -path=<path> userpass
|
|
```
|
|
|
|
1. Configure it with users that are allowed to authenticate:
|
|
|
|
```shell-session
|
|
$ vault write auth/<userpass:path>/users/mitchellh \
|
|
password=foo \
|
|
policies=admins
|
|
```
|
|
|
|
This creates a new user "mitchellh" with the password "foo" that will be
|
|
associated with the "admins" policy. This is the only configuration
|
|
necessary.
|
|
|
|
## User lockout
|
|
|
|
@include 'user-lockout.mdx'
|
|
|
|
## API
|
|
|
|
The Userpass auth method has a full HTTP API. Please see the [Userpass auth
|
|
method API](/vault/api-docs/auth/userpass) for more details.
|