Why read in role-id and write in secret-id in Vault AppRole auth method

Question

I have a question about when we configure the approle auth method of the vault, After the configuration of the approle, we need the role-id and secret-id to obtain the token and to do the further vault operations.

vault write auth/approle/role/test-role token_ttl=15m token_max_ttl=30m
vault read auth/approle/role/test-role/role-id
vault write -f auth/approle/role/test-role/secret-id
vault write auth/approle/login role_id=<role-id> secret_id=<secret-id>

Why there is not a read operation on secret-id ??

can't we just do this: vault read auth/approle/role/test-role/secret-id

Any Reason behind doing this?, and why there is a write operation on secret-id??

score 2 · Answer 1 · answered Jul 17 '22 at 09:37

2

secret_id is somehow similar to a token: it is dynamic, TTLed and can (and should) be recreated with write multiple times. role_id, on the other hand, is a more static entity, something like a username.

answered Jul 17 '22 at 09:37

muzzy

21
1
3

Why read in role-id and write in secret-id in Vault AppRole auth method

1 Answers1