In this guide, we’ll walk through how to manage HashiCorp Vault authentication methods (auth backends) using the Vault CLI. You’ll learn to enable, list, disable, tune, and interact with backends such as userpass and approle in a consistent, repeatable way.
Viewing Available Auth Subcommands Start by inspecting the top-level vault auth command:
To see commonly used subcommands:
Command Description vault auth listList all enabled auth methods vault auth enable [TYPE]Enable a new auth backend vault auth disable [PATH]Disable an existing auth backend vault auth tune [OPTIONS]Update mount settings (e.g., TTLs, descriptions) vault auth help [BACKEND]Show detailed help for a specific auth backend
You can also run:
vault auth help userpass vault auth help approle
to get backend-specific guidance.
Enabling and Listing Auth Methods 1. Enable userpass at the Default Path vault auth enable userpass # Success! Enabled userpass auth method at: userpass/
Verify it’s enabled:
vault auth list # Path Type Accessor # ---- ---- --------- # token/ token auth_token_... # userpass/ userpass auth_userpass_...
2. Enable userpass on a Custom Path vault auth enable -path=vault-course userpass # Success! Enabled userpass auth method at: vault-course/
List both mounts:
vault auth list # Path Type Accessor # ---- ---- --------- # token/ token auth_token_... # userpass/ userpass auth_userpass_... # vault-course/ userpass auth_userpass_...
Disabling Auth Methods
Disabling an auth method immediately revokes any credentials issued under that mount.
1. Remove the Default userpass Mount vault auth disable userpass # Success! Disabled the auth method at: userpass/
Confirm removal:
vault auth list # Path Type Accessor # ---- ---- --------- # token/ token auth_token_... # vault-course/ userpass auth_userpass_...
2. Clean Up the Custom Mount vault auth disable vault-course # Success! Disabled the auth method at: vault-course/
Only the token backend remains:
vault auth list # Path Type Accessor # ---- ---- --------- # token/ token auth_token_...
Adding a Description When Mounting Descriptions must be provided at mount time. Any existing mount must be disabled first.
vault auth disable userpass
You cannot add or update a description on an existing mount. Always set it when you enable the backend.
vault auth enable \ -path=bryan \ -description= "Local credentials for Vault access" \ userpass # Success! Enabled userpass auth method at: bryan/
Verify the description:
vault auth list # Path Type Accessor Description # ---- ---- -------- ----------- # bryan/ userpass auth_userpass_... Local credentials for Vault access # token/ token auth_token_... token based credentials
Tuning an Auth Method Adjust the default lease TTL for tokens issued via the bryan mount:
vault auth tune \ -default-lease-ttl=24h \ bryan/ # Success! Tuned the auth method at: bryan/
Configuring the userpass Backend Create a User in bryan vault write auth/bryan/users/krausen \ password=vault \ policies=bryan # Success! Data written to: auth/bryan/users/krausen
List and Read User Details vault list auth/bryan/users # Keys # ---- vault read auth/bryan/users/krausen # Key Value # --- ----- # policies [bryan] # token_bound_cidrs [] # token_policies [bryan] # token_ttl 0s # token_type default
Different backends accept different parameters—for example, approle uses role instead of users.
Example: Enabling and Configuring AppRole
Enable the AppRole Method vault auth enable approle # Success! Enabled approle auth method at: approle/
Create a Role with a 20-Minute Token TTL vault write auth/approle/role/bryan \ token_ttl=20m \ policies=bryan # Success! Data written to: auth/approle/role/bryan
AppRole is recommended for machine-to-machine authentication and automated workflows.
Conclusion You’ve learned how to:
Enable and list Vault auth methods
Disable mounts safely
Add metadata (descriptions)
Tune mount configurations
Create and manage users in userpass
Configure an AppRole backend
These CLI patterns apply to all Vault authentication backends—just adjust paths, parameters, and payloads to fit your use case.
Links and References 
