"Missing client token" when authenticating with login/pass on Hashicorp Vault

I'm trying to get login/pass authentication working on Vault. When I try the method given in the API documentation here: https://www.vaultproject.io/api/auth/userpass/index.html#login

I get this error:

$ curl --request POST --data @payload.json https://<myurl>:8200/v1/auth/userpass/login/<mylogin> -k
{"errors":["missing client token"]}

And I can't find any information on this error. It makes me wonder what is happening, because I want to authenticate with login/pass to get the token, so it's normal not to have one yet.

Here is the content of the payload.json:

{
  "password": "foo"
}

Is there any way to log in with username/password? This is the only fallback method I have when the user does not know their token.

Thanks!

Karreg asked Apr 09 '18 14:04


2 Answers

OK, so I figured it out by trial and error.

The userpass auth was indeed disabled. I have to use LDAP auth. With the Vault-UI that is installed, I managed to find the URL to authenticate. It was the following: https://******:8200/v1/auth/<ldap>/login/<user>

And that way it's working.

Unfortunately, it does not help in the end. The idea was to synchronize Vault data locally, but the Vault API is really not built for that kind of access. It requires a LOT of requests, and ends up being very slow even for a few synchronized secrets.

Karreg answered Oct 02 '22 08:10


Make sure you are logging in under the correct namespace. You will get this error if your authentication method is enabled under something other than the default namespace that your CLI tool is using.

You can specify the namespace with the -ns=my/namespace/ parameter or the VAULT_NAMESPACE environment variable.

For example, if your namespace is "desserts/icecream":

vault login -ns=desserts/icecream/ -method=userpass username=ian

# OR

export VAULT_NAMESPACE=desserts/icecream/
vault login -method=userpass username=ian

Ian Hunter answered Oct 02 '22 06:10
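Added example, not code from either answer: the same login done against the HTTP API from Python, with the mount path (userpass, ldap, ...) and the X-Vault-Namespace header (the API equivalent of -ns / VAULT_NAMESPACE) as parameters, and a hint for the "missing client token" reply. The Vault address, user names and token values are constructed placeholders; the HTTP transport is injectable so the logic can be exercised without a Vault server.

```python
import json
import urllib.error
import urllib.request

# Constructed placeholder; replace with your own Vault address.
VAULT_ADDR = "https://vault.example.com:8200"


def _http_post(url, headers, body):
    """Default transport: POST a JSON body and return (status, parsed reply)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # Vault returns JSON on errors too, e.g. {"errors":["missing client token"]}
        return err.code, json.load(err)


def explain_errors(errors):
    """Map Vault's error strings to the causes covered in the answers above."""
    if "missing client token" in errors:
        return ("no unauthenticated login endpoint exists at that path: the auth "
                "method is disabled, enabled at a different mount (e.g. ldap "
                "instead of userpass), or enabled in another namespace")
    return "; ".join(errors) or "unknown error"


def vault_login(username, password, mount="userpass", namespace=None,
                addr=VAULT_ADDR, post=_http_post):
    """Log in with username/password and return the client token.

    mount is the path the auth method is enabled at; namespace, if given,
    is sent as X-Vault-Namespace with the trailing slash Vault expects.
    Raises RuntimeError with a diagnosis when Vault refuses the login.
    """
    url = f"{addr}/v1/auth/{mount.strip('/')}/login/{username}"
    headers = {"Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace.strip("/") + "/"
    body = json.dumps({"password": password}).encode()
    status, reply = post(url, headers, body)
    if status == 200 and "auth" in reply:
        return reply["auth"]["client_token"]
    raise RuntimeError(f"login at {url} failed ({status}): "
                       + explain_errors(reply.get("errors", [])))
```

With the real transport this keeps TLS verification on, unlike the curl -k call in the question; point VAULT_ADDR at a server whose certificate your client trusts.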