Oh boy, here I go again, studying and writing notes for a HashiCorp cert. This time it’s the Vault Associate. As before, hopefully they’re of use to me, and you!

I’ll be posting each major exam area individually, to keep things human.


1. Compare authentication methods

1a. Describe authentication methods

  • Auth methods are how Vault assigns identity/policy to a user
  • Multiple auth methods available, covering many use cases
    • e.g. GitHub auth method is useful for people, AppRole is useful for machines
  • Auth methods are enabled/disabled by CLI or API
  • All auth methods are mounted under the /auth prefix, however the path can be customised
  • The same auth method can be mounted multiple times
  • After a client authenticates against an auth method, they are issued a token. The token may have attached policy. The policy is mapped at auth time
  • It’s not possible to force a user to auth against multiple auth methods, though MFA is possible with some backends

# enable the userpass auth method
$ vault auth enable userpass
Success! Enabled userpass auth method at: userpass/

# enable the userpass auth method at another path
$ vault auth enable -path=my-login userpass
Success! Enabled userpass auth method at: my-login/

# an alternate way of enabling an auth method
$ vault write sys/auth/my-auth type=userpass
Success! Data written to: sys/auth/my-auth

# list auth methods
$ vault auth list
Path         Type        Accessor                  Description
----         ----        --------                  -----------
my-auth/     userpass    auth_userpass_23a812e6    n/a
my-login/    userpass    auth_userpass_57e8bdd5    n/a
token/       token       auth_token_8fe964a8       token based credentials
userpass/    userpass    auth_userpass_ae1dbd20    n/a
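The same steps the CLI session above performs, driven through the HTTP API instead, as an added example that is not part of the original notes: mount userpass at a custom path, write a policy, attach it to a user, and log in to see that the policy is mapped onto the issued token at auth time. The client uses only the standard library. The mount name `my-login`, the policy `reader`, the user `alice` and the password are made-up values for the demo; a live run needs `VAULT_ADDR` and `VAULT_TOKEN` pointing at a dev server, otherwise the constructed sample response is shown.

```python
"""Added example (not from the original notes): a userpass auth method via the Vault HTTP API.

Assumes a dev server reachable through VAULT_ADDR / VAULT_TOKEN. The mount
name "my-login", policy "reader", user "alice" and password are made up.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Optional

API = "/v1"


def mount_api_path(mount: str) -> str:
    """Enable/disable endpoint: every auth method is managed under sys/auth/<mount>."""
    return f"{API}/sys/auth/{mount.strip('/')}"


def login_api_path(mount: str, username: str) -> str:
    """Login endpoint: the method is reached under auth/<mount>/, whatever its type."""
    return f"{API}/auth/{mount.strip('/')}/login/{username}"


def summarize_login(body: dict) -> dict:
    """Pull the identity-relevant fields out of a login response.

    The 'auth' block carries the issued token and the policies that were
    mapped onto it when the client authenticated.
    """
    auth = body["auth"]
    return {
        "token": auth["client_token"],
        "accessor": auth["accessor"],
        "policies": sorted(auth["token_policies"]),
        "ttl": auth["lease_duration"],
        "renewable": auth["renewable"],
    }


def vault_call(addr: str, token: Optional[str], method: str, path: str,
               body: Optional[dict] = None) -> dict:
    """Minimal Vault API call; the token goes in the X-Vault-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def demo(addr: str, root_token: str) -> dict:
    """Enable userpass at a custom path, map a policy to a user, log in as that user."""
    try:
        # Same method type, second mount: allowed, as long as the path is free.
        vault_call(addr, root_token, "POST", mount_api_path("my-login"), {"type": "userpass"})
    except urllib.error.HTTPError as err:
        if err.code != 400:  # 400 here means the path is already in use; anything else is real
            raise
    # A read-only policy; the token only carries it after login, not before.
    vault_call(addr, root_token, "PUT", f"{API}/sys/policies/acl/reader",
               {"policy": 'path "secret/data/app/*" { capabilities = ["read"] }'})
    vault_call(addr, root_token, "POST", f"{API}/auth/my-login/users/alice",
               {"password": "demo-password", "token_policies": ["reader"]})
    # Login needs no token: this is the point where identity becomes a token.
    login = vault_call(addr, None, "POST", login_api_path("my-login", "alice"),
                       {"password": "demo-password"})
    return summarize_login(login)


# Constructed sample of a login response, so the summary can be read offline.
SAMPLE_LOGIN_RESPONSE = {
    "auth": {
        "client_token": "hvs.EXAMPLE",
        "accessor": "EXAMPLE-accessor",
        "token_policies": ["reader", "default"],
        "policies": ["reader", "default"],
        "lease_duration": 2764800,
        "renewable": True,
        "metadata": {"username": "alice"},
    }
}

if __name__ == "__main__":
    addr, tok = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and tok:
        print(json.dumps(demo(addr, tok), indent=2))
    else:
        print("VAULT_ADDR/VAULT_TOKEN not set; summarising the constructed sample:")
        print(json.dumps(summarize_login(SAMPLE_LOGIN_RESPONSE), indent=2))
```

Against `vault server -dev` (with `VAULT_ADDR` and `VAULT_TOKEN` exported from its output), the printed summary shows `reader` alongside `default` on the new token, which is the "policy is mapped at auth time" point from the list above; the mount also turns up in `vault auth list` as `my-login/` with type `userpass`.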

1b. Choose an authentication method based on use case

Q. A developer wants to log in to the Vault UI to check that some secrets exist. All the developers in the organisation are using GitHub.
A. Use the GitHub auth method

Q. An operations engineer needs to configure a new auth method on a Vault server. The organisation uses Microsoft AD to manage their staff identities.
A. Use the LDAP auth method

Q. A pod on Kubernetes needs to authenticate against Vault to pull secrets needed to run an application.
A. Use the Kubernetes auth method

1c. Differentiate human vs. system auth methods

  • Human auth methods are typically intended to be accessed by the CLI or UI
  • System auth methods typically use the API

Here ends part one! 1c. looks a little skinny to me but I really didn’t get much more from the docs. I’ll add to it if more comes up later.