In this tutorial, you’ll learn how to configure and use Vault’s AppRole authentication method to grant machine clients read access to a KV secrets engine. By the end, you’ll create a policy, define an AppRole, and retrieve a client token using Role ID and Secret ID.

Prerequisites

  • A running Vault server
  • VAULT_ADDR environment variable set (e.g., export VAULT_ADDR=http://127.0.0.1:8200)
  • Vault CLI installed and authenticated as an administrator

1. Verify Enabled Auth Methods

By default, Vault includes the Token auth method. Let’s confirm:
vault auth list
Example output:
Path    Type    Accessor
----    ----    --------
token/  token   auth_token_9e81d3bb
You can also compare common methods:
Auth Method   Path       Description
-----------   ----       -----------
token         token/     Default client token login
approle       approle/   Machine-based, non-human login

2. Enable AppRole Auth Method

Enable AppRole at the path approle/:
vault auth enable approle
Expected response:
Success! Enabled approle auth method at: approle/

3. Define a Read-Only KV Policy

Create a policy file named kv-policy.hcl:
path "kv/data/*" {
  capabilities = ["read"]
}
Upload the policy to Vault:
vault policy write kv-policy kv-policy.hcl
Success! Uploaded policy: kv-policy

4. Create and Configure the AppRole

4.1 Create the AppRole

Associate the kv-policy with a new AppRole called automation:
vault write auth/approle/role/automation \
    policies="kv-policy"
Success! Data written to: auth/approle/role/automation

4.2 List and Inspect Roles

List all AppRole roles:
vault list auth/approle/role
Keys
----
automation
Inspect the automation role’s settings:
vault read auth/approle/role/automation
Key                       Value
---                       -----
bind_secret_id            true
policies                  [kv-policy]
token_ttl                 0s
token_max_ttl             0s
token_policies            [kv-policy]
...

4.3 (Optional) Set a Default Token TTL

Assign a 24-hour default token TTL to the automation role:
vault write auth/approle/role/automation \
    token_ttl="24h"
Verify the update:
vault read auth/approle/role/automation | grep token_ttl
token_ttl             24h

5. Retrieve the Role ID

The Role ID is a stable, unique identifier—think of it as a username. Fetch it with:
vault read auth/approle/role/automation/role-id
Key      Value
---      -----
role_id  1dc0ddb7-2117-3dd2-b391-e5bdfc6a5389

6. Generate a Secret ID

The Secret ID is equivalent to a password. To get a one-time Secret ID, run:
vault write -force auth/approle/role/automation/secret-id
Key                 Value
---                 -----
secret_id           83ef7b27-5c13-4051-79e1-5130d069f627
secret_id_accessor  6daa5f2e-e3f1-e29d-af10-65dd0860f23b
secret_id_ttl       0s
Treat both Role ID and Secret ID as sensitive credentials. Avoid exposing them in logs, version control, or shared terminals.

7. Authenticate with AppRole

Now request a Vault token by supplying your Role ID and Secret ID:
vault write auth/approle/login \
    role_id="1dc0ddb7-2117-3dd2-b391-e5bdfc6a5389" \
    secret_id="83ef7b27-5c13-4051-79e1-5130d069f627"
Sample response:
Key                   Value
---                   -----
token                 hvs.CAESlNhzOeu9SvYiHGAJBIt-Q-9-2Mrw...
token_duration        24h
token_renewable       true
token_policies        ["kv-policy" "default"]
...
You now hold a Vault token, renewable for 24 hours, with read-only access to kv/data/*.
AppRole is ideal for automation and CI/CD pipelines. You can also authenticate via the HTTP API:
POST /v1/auth/approle/login with JSON body:
{ "role_id": "...", "secret_id": "..." }
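The HTTP API login just shown, as an added Python example that is not part of the original tutorial: it posts Role ID and Secret ID (read from the environment variables APPROLE_ROLE_ID and APPROLE_SECRET_ID, names assumed here) to /v1/auth/approle/login, then uses the returned token to read a KV v2 secret under kv/data/, treating HTTP 403 as the read-only kv-policy doing its job. The transport is injectable so the same logic can be exercised against constructed responses without a live server.

```python
import json
import os
import urllib.error
import urllib.request

# Assumption: VAULT_ADDR as in the prerequisites; paths as in the tutorial.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")


def http_json(method, url, body=None, token=None):
    """Minimal JSON transport over urllib; returns (status, parsed body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def approle_login(role_id, secret_id, transport=http_json, addr=VAULT_ADDR):
    """POST /v1/auth/approle/login; returns (client token, policies, TTL seconds)."""
    status, body = transport("POST", f"{addr}/v1/auth/approle/login",
                             {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise RuntimeError(f"AppRole login failed ({status}): {body.get('errors')}")
    auth = body["auth"]
    return auth["client_token"], auth["token_policies"], auth["lease_duration"]


def read_kv(token, path, transport=http_json, addr=VAULT_ADDR):
    """GET /v1/kv/data/<path> (KV v2). Returns the secret's key/value map, or
    None when the token's policy does not permit the read (HTTP 403)."""
    status, body = transport("GET", f"{addr}/v1/kv/data/{path}", token=token)
    if status == 403:
        return None
    if status != 200:
        raise RuntimeError(f"KV read failed ({status}): {body.get('errors')}")
    return body["data"]["data"]


if __name__ == "__main__":
    # Credentials come from the environment, not argv or source control (step 6).
    token, policies, ttl = approle_login(os.environ["APPROLE_ROLE_ID"],
                                         os.environ["APPROLE_SECRET_ID"])
    print(f"token policies={policies} ttl={ttl}s")
    print(read_kv(token, "app/config"))
```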

You have successfully configured Vault’s AppRole auth method. For more details, see the Vault AppRole Authentication Guide.