Skip to main content
In this guide, we explore how to enable, configure, and consume Vault’s authentication methods. By default, Vault initializes with only the Token auth method. To integrate additional backends—such as cloud provider, AppRole, LDAP, or Kubernetes—you must explicitly enable and configure each one. Vault supports multiple auth methods simultaneously, allowing you to tailor access for different workloads, from human users to automated services. Common scenarios include:
  • Cloud-native applications leveraging provider-specific auth methods to eliminate embedded credentials.
  • Legacy applications using static credentials or external identity providers for compatibility.
The image is a slide titled "Auth Methods," explaining the requirements and default settings for authentication methods, including the use of tokens in new Vault deployments.

Default Token Authentication

Vault’s Token auth method is enabled by default and cannot be disabled or remounted under a different path. During initialization, Vault generates an initial root token: 
vault operator init
Use this root token to:
  1. Log in for the first time.
  2. Enable additional auth backends (e.g., LDAP, AWS, AppRole).
  3. Configure policies and roles.
  4. Rotate, revoke, or secure the root token once setup is complete.
Keep your initial root token secure. Rotate or revoke it after adding other auth methods to follow security best practices.

Enabling and Configuring Auth Backends

Auth methods can be managed via the CLI, the HTTP API, or the UI. While the UI is improving, full feature coverage is available through the CLI and API.
The image is a slide about "Auth Methods," explaining how they can be enabled, disabled, and configured using the UI, API, or CLI, and the need for a valid token with proper privileges.
To enable the AppRole auth method with the CLI: 
vault auth enable approle
Example output: 
Success! Enabled approle auth method at: approle/
Auth methods are mounted at a specific path—by default, the path matches the method name. To use a custom path, first disable the method, then re-enable it with the -path flag.

Custom Mount Path Example

vault auth disable approle
vault auth enable -path=custom-approle approle
Example output: 
Success! Enabled approle auth method at: custom-approle/
If you omit -path, Vault mounts the method at aws/, ldap/, etc., based on the method name.

Common Auth Methods and CLI Commands

Use this quick reference to enable frequently used Vault auth methods:
Auth MethodUse CaseCLI Command
TokenDefault method for users and rootvault login
AppRoleMachine-to-machine authenticationvault auth enable approle
AWSIAM-based cloud-native accessvault auth enable aws
LDAPEnterprise user directoryvault auth enable ldap
KubernetesPod service account integrationvault auth enable kubernetes

Next Steps

After mounting an auth method, configure its roles, policies, and settings according to your use case. For detailed instructions per backend, see the official documentation:

Watch Video