# Authentication Method Configuration
## Rule
Production applications MUST use machine identity auth methods (AppRole, Kubernetes, AWS IAM). Human operators MUST use OIDC/LDAP with MFA. Never distribute static Vault tokens.
## Auth Method Selection
| Client | Auth Method | Why |
|--------|-------------|-----|
| Kubernetes pods | Kubernetes auth | Native service account identity |
| AWS EC2/Lambda | AWS IAM auth | Signed STS GetCallerIdentity request proves the caller's IAM principal (the separate EC2 method uses the instance identity document) |
| CI/CD pipelines | AppRole | Short-lived, single-use secret IDs handed to each run by a trusted orchestrator |
| Human operators | OIDC / LDAP | SSO integration + MFA |
| Terraform | AppRole or AWS IAM | Automated infrastructure |
## Good Examples
```bash
# Enable Kubernetes auth
vault auth enable kubernetes
# When Vault itself runs in the cluster it can use its own projected service
# account token for TokenReview calls; otherwise also pass token_reviewer_jwt=
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Create a Kubernetes auth role bound to exactly one service account in one
# namespace (never "*"), with token_ttl/token_max_ttl rather than the
# deprecated ttl/max_ttl aliases
vault write auth/kubernetes/role/backend-app \
  bound_service_account_names=backend-app \
  bound_service_account_namespaces=production \
  token_policies=prod-backend-app \
  token_ttl=1h \
  token_max_ttl=4h
# Enable AppRole auth for CI/CD: secret IDs expire after 10 minutes and are
# single-use, so one that leaks from a pipeline log is useless after login
vault auth enable approle
vault write auth/approle/role/ci-deploy \
  secret_id_ttl=10m \
  secret_id_num_uses=1 \
  token_ttl=20m \
  token_max_ttl=30m \
  token_policies=staging-deploy
# OIDC for human operators (MFA is enforced at the identity provider)
vault auth enable oidc
# Read the client secret from a file (@path) instead of passing it inline,
# where it would be recorded in shell history
vault write auth/oidc/config \
  oidc_discovery_url="https://accounts.google.com" \
  oidc_client_id="vault-client-id" \
  oidc_client_secret=@oidc-client-secret.txt \
  default_role="operator"
# The default role must exist: bind it to the client ID and the CLI callback
vault write auth/oidc/role/operator \
  bound_audiences="vault-client-id" \
  allowed_redirect_uris="http://localhost:8250/oidc/callback" \
  user_claim="email" \
  token_policies="operator" \
  token_ttl=8h
```
## Bad Examples
```bash
# BAD: Static tokens in environment variables
export VAULT_TOKEN="hvs.CAESIG..."
# The token never rotates, leaks through shell history, CI logs and crash dumps,
# and is not bound to a workload identity, so audit entries cannot be attributed
# to a specific caller
# BAD: Userpass auth for applications
vault auth enable userpass
vault write auth/userpass/users/myapp password="hardcoded"
# The password lives in config files, never rotates, and nothing attests that
# the caller is actually the application
# BAD: Long-lived tokens
vault write auth/approle/role/app \
  token_ttl=720h \
  token_max_ttl=8760h   # 1 year token: if it leaks it stays valid until revoked
```
## Enforcement
- Do not enable userpass for applications. The built-in token auth method cannot be disabled, so deny `auth/token/create*` in application policies and issue tokens only through the auth methods above
- Maximum token TTL of 4 hours for applications (`token_max_ttl=4h` or less on every AppRole, Kubernetes and AWS role)
- Enable an audit device (for example `vault audit enable file file_path=/var/log/vault_audit.log`) so every login request and token use is logged
- Issue a fresh, single-use secret ID per pipeline run from a trusted orchestrator (`secret_id_num_uses=1`, short `secret_id_ttl`); never commit secret IDs to the repository
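The enforcement rules above can be checked mechanically against what Vault returns for each role. The following script is an added example, not Vault's own tooling: it audits dicts shaped like the `data` object of `vault read -format=json auth/<mount>/role/<name>` for the 4-hour TTL ceiling, wildcard service-account bindings, and unbounded AppRole secret IDs. The sample roles it runs on are constructed inline (mirroring the good and bad examples on this page) so it runs offline; in practice you would feed it the JSON from a `vault read` loop over `vault list auth/<mount>/role`.

```python
"""Audit Vault auth roles against this page's rules.

Added example, not Vault's own tooling. Input dicts are shaped like the
"data" object that `vault read -format=json auth/<mount>/role/<name>`
returns; SAMPLE_ROLES below is constructed here rather than read from a
real Vault, so the script runs offline.
"""
import re

MAX_APP_TOKEN_TTL = 4 * 3600  # rule: application tokens live at most 4h

_UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(value):
    """Return seconds from an int (how the JSON API reports TTLs) or a
    Go-style string such as "720h" or "1h30m" (how operators type them)."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[hms])+", text):
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([hms])", text))


def audit_role(mount_type, name, data):
    """Return findings for one machine-identity role; an empty list means it passes."""
    findings = []
    where = f"auth/{mount_type}/role/{name}"
    # Vault still accepts the deprecated max_ttl alias, so check both spellings.
    max_ttl = parse_duration(data.get("token_max_ttl", data.get("max_ttl", 0)))
    if max_ttl == 0 or max_ttl > MAX_APP_TOKEN_TTL:
        findings.append(f"{where}: token_max_ttl={max_ttl}s, limit is 4h "
                        "(0 means the mount default applies, which may be days)")
    if mount_type == "kubernetes":
        for field in ("bound_service_account_names", "bound_service_account_namespaces"):
            bound = data.get(field) or []
            if not bound or "*" in bound:
                findings.append(f"{where}: {field} is empty or wildcard, "
                                "so any pod in the cluster can assume this role")
    if mount_type == "approle":
        if not data.get("bind_secret_id", True):
            findings.append(f"{where}: bind_secret_id=false, the role_id alone logs in")
        if parse_duration(data.get("secret_id_ttl", 0)) == 0:
            findings.append(f"{where}: secret_id_ttl=0, secret IDs never expire")
        if int(data.get("secret_id_num_uses", 0)) == 0:
            findings.append(f"{where}: secret_id_num_uses=0, "
                            "a leaked secret ID can be reused indefinitely")
    return findings


def audit_roles(roles):
    """roles: iterable of (mount_type, name, data).
    Returns {role path: findings} for the roles that failed at least one check."""
    result = {}
    for mount_type, name, data in roles:
        findings = audit_role(mount_type, name, data)
        if findings:
            result[f"auth/{mount_type}/role/{name}"] = findings
    return result


# Constructed sample roles mirroring the good and bad examples on this page.
SAMPLE_ROLES = [
    ("kubernetes", "backend-app", {
        "bound_service_account_names": ["backend-app"],
        "bound_service_account_namespaces": ["production"],
        "token_policies": ["prod-backend-app"],
        "token_ttl": 3600, "token_max_ttl": 14400,
    }),
    ("kubernetes", "any-pod", {  # wildcard binding: fails
        "bound_service_account_names": ["*"],
        "bound_service_account_namespaces": ["production"],
        "token_ttl": 3600, "token_max_ttl": 14400,
    }),
    ("approle", "ci-deploy", {
        "bind_secret_id": True, "secret_id_ttl": 600, "secret_id_num_uses": 1,
        "token_ttl": 1200, "token_max_ttl": 1800,
        "token_policies": ["staging-deploy"],
    }),
    ("approle", "app", {  # the one-year token from the bad examples: fails
        "bind_secret_id": True, "secret_id_ttl": 0, "secret_id_num_uses": 0,
        "token_ttl": "720h", "token_max_ttl": "8760h",
    }),
]

if __name__ == "__main__":
    for findings in audit_roles(SAMPLE_ROLES).values():
        for finding in findings:
            print("FAIL", finding)
```

Run as a CI gate, a non-empty result from `audit_roles` should fail the pipeline; the duration parser accepts both the integer seconds the API returns and the `720h` strings found in Terraform or HCL so the same check can run against source and live state.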