Vault
Userpass Auth Method (HTTP API)
This is the API documentation for the Vault Username & Password auth method. For general information about the usage and operation of the Username and Password method, please see the Vault Userpass method documentation.
This documentation assumes the Username & Password method is mounted at the /auth/userpass
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
Create/Update User
Create a new user or update an existing user. This path honors the distinction between the create and update capabilities inside ACL policies.
| Method | Path |
|---|---|
POST | /auth/userpass/users/:username |
Parameters
username(string: <required>)– The username for the user. Accepted characters: alphanumeric plus "_", "-", "." (underscore, hyphen and period); username cannot begin with a hyphen, nor can it begin or end with a period.password(string: <required>)- The password for the user. Only required when creating the user.
token_ttl(integer: 0 or string: "")- The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.token_max_ttl(integer: 0 or string: "")- The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time.token_policies(array: [] or comma-delimited string: "")- List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_bound_cidrs(array: [] or comma-delimited string: "")- List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.token_explicit_max_ttl(integer: 0 or string: "")- If set, will encode an explicit max TTL onto the token. This is a hard cap even iftoken_ttlandtoken_max_ttlwould otherwise allow a renewal.token_no_default_policy(bool: false)- If set, thedefaultpolicy will not be set on generated tokens; otherwise it will be added to the policies set intoken_policies.token_num_uses(integer: 0)- The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0.token_period(integer: 0 or string: "")- The period, if any, to set on the token.token_type(string: "")- The type of token that should be generated. Can beservice,batch, ordefaultto use the mount's tuned default (which unless changed will beservicetokens). For token store roles, there are two additional possibilities:default-serviceanddefault-batchwhich specify the type to return unless the client requests a different type at generation time.
Sample Payload
{
"password": "superSecretPassword",
"policies": "admin,default",
"bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
}
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
Read User
Reads the properties of an existing username.
| Method | Path |
|---|---|
GET | /auth/userpass/users/:username |
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
Sample Response
{
"request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"max_ttl": 0,
"policies": ["default", "dev"],
"ttl": 0
},
"warnings": null
}
Delete User
This endpoint deletes the user from the method.
| Method | Path |
|---|---|
DELETE | /auth/userpass/users/:username |
Parameters
username(string: <required>)- The username for the user.
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
Update Password on User
Update password for an existing user.
| Method | Path |
|---|---|
POST | /auth/userpass/users/:username/password |
Parameters
username(string: <required>)– The username for the user.password(string: <required>)- The password for the user.
Sample Payload
{
"password": "superSecretPassword2"
}
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/password
Update Policies on User
Update policies for an existing user.
| Method | Path |
|---|---|
POST | /auth/userpass/users/:username/policies |
Parameters
username(string: <required>)– The username for the user.policies(string: "")– Comma-separated list of policies. If set to empty
Sample Payload
{
"policies": ["policy1", "policy2"]
}
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/policies
List Users
List available userpass users.
| Method | Path |
|---|---|
LIST | /auth/userpass/users |
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/userpass/users
Sample Response
{
"data": {
"keys": ["mitchellh", "armon"]
}
}
Login
Login with the username and password.
| Method | Path |
|---|---|
POST | /auth/userpass/login/:username |
Parameters
username(string: <required>)– The username for the user.password(string: <required>)- The password for the user.
Sample Payload
{
"password": "superSecretPassword2"
}
Sample Request
$ curl \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
Sample Response
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"warnings": null,
"auth": {
"client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
"accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
"policies": ["default"],
"metadata": {
"username": "mitchellh"
},
"lease_duration": 7200,
"renewable": true
}
}