From 0fc55a2f02fd17699dd77f4327d928e38354c8e5 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Fri, 16 Jun 2023 15:41:06 -0400 Subject: [PATCH] backport of commit d76424cb53c730da5410ec55bff3274a01212843 (#21328) Co-authored-by: Violet Hynes --- website/content/api-docs/auth/app-id.mdx | 18 --- website/content/docs/auth/app-id.mdx | 124 ------------------ .../content/docs/commands/license/index.mdx | 9 +- website/data/api-docs-nav-data.json | 9 -- website/data/docs-nav-data.json | 9 -- 5 files changed, 1 insertion(+), 168 deletions(-) delete mode 100644 website/content/api-docs/auth/app-id.mdx delete mode 100644 website/content/docs/auth/app-id.mdx diff --git a/website/content/api-docs/auth/app-id.mdx b/website/content/api-docs/auth/app-id.mdx deleted file mode 100644 index bca5712a3bb0..000000000000 --- a/website/content/api-docs/auth/app-id.mdx +++ /dev/null @@ -1,18 +0,0 @@ ---- -layout: api -page_title: AppID - Auth Methods - HTTP API -description: This is the API documentation for the Vault App ID auth method. ---- - -# AppID Auth Method (API) - -~> This API is deprecated and will be removed in a future version of Vault. -Please use AppRole instead. - -This is the API documentation for the Vault App ID auth method. For -general information about the usage and operation of the App ID method, please -see the [Vault App ID method documentation](/vault/docs/auth/app-id). - -This documentation assumes the App ID method is mounted at the `/auth/app-id` -path in Vault. Since it is possible to enable auth methods at any location, -please update your API calls accordingly. diff --git a/website/content/docs/auth/app-id.mdx b/website/content/docs/auth/app-id.mdx deleted file mode 100644 index 34fb117b6b1f..000000000000 --- a/website/content/docs/auth/app-id.mdx +++ /dev/null @@ -1,124 +0,0 @@ ---- -layout: docs -page_title: AppID - Auth Methods -description: The AppID auth method is a mechanism for machines to authenticate with Vault. ---- - -# AppID Auth Method - -~> **DEPRECATED!** As of Vault 0.6.1, AppID is deprecated in favor of -[AppRole](/vault/docs/auth/approle). AppRole can accommodate the same workflow as -AppID while enabling much more secure and flexible management and other types -of authentication workflows. No new features or enhancements are planned for App -ID, and new users should use AppRole instead of AppID. - -The AppID auth method is a mechanism for machines to authenticate with Vault. -It works by requiring two hard-to-guess unique pieces of information: a unique -app ID, and a unique user ID. - -The goal of this auth method is to allow elastic users (dynamic -machines, containers, etc.) to authenticate with Vault without having to store -passwords outside of Vault. It is a single method of solving the -chicken-and-egg problem of setting up Vault access on a machine. With this -provider, nobody except the machine itself has access to both pieces of -information necessary to authenticate. For example: configuration management -will have the app IDs, but the machine itself will detect its user ID based on -some unique machine property such as a MAC address (or a hash of it with some -salt). - -An example, real world process for using this provider: - -1. Create unique app IDs (UUIDs work well) and map them to policies. (Path: - `map/app-id/`) - -2. Store the app IDs within configuration management systems. - -3. An out-of-band process run by security operators map unique user IDs to - these app IDs. Example: when an instance is launched, a cloud-init system - tells security operators a unique ID for this machine. This process can be - scripted, but the key is that it is out-of-band and out of reach of - configuration management. (Path: `map/user-id/`) - -4. A new server is provisioned. Configuration management configures the app - ID, the server itself detects its user ID. With both of these pieces of - information, Vault can be accessed according to the policy set by the app - ID. - -More details on this process follow: - -- The app ID is a unique ID that maps to a set of policies. This ID is generated - by an operator and configured into the method. The ID itself is usually a - UUID-formatted random value, but any hard-to-guess unique value can be used. - -- After creating app IDs, an operator authorizes a fixed set of user IDs with - each app ID. When a valid {app ID, user ID} tuple is given to the "login" - path, then the user is authenticated with the configured app ID policies. - -- The user ID can be any value (just like the app ID), however it is generally a - value unique to a machine, such as a MAC address or instance ID, or a value - hashed from these unique values. - -## Authentication - -Via the CLI: - -```shell-session -$ vault write auth/app-id/login/:app-id user_id=:user_id -``` - -Via the API: - -```shell-session -$ curl \ - --method POST \ - --data '{"user_id": ":user_id"}' \ - http://127.0.0.1:8200/v1/auth/app-id/login/:app_id -``` - -## Configuration - -Auth methods must be configured in advance before users or machines can -authenticate. These steps are usually completed by an operator or configuration -management tool. - -1. Enable the AppID auth method: - - ```text - $ vault auth enable app-id - ``` - -1. Configure it with the set of AppIDs, user IDs, and the mapping between them: - - ```text - $ vault write auth/app-id/map/app-id/foo value=admins display_name=foo - # ... - - $ vault write auth/app-id/map/user-id/bar value=foo cidr_block=10.0.0.0/16 - # ... - ``` - - This will create an AppID "foo" that associates with the policy "admins". - The `display_name` sets the display name for audit logs and secrets. Next, - we configure the user ID "bar" and say that the user ID bar can be paired - with "foo" but only if the client is in the "10.0.0.0/16" CIDR block. The - `cidr_block` configuration is optional. - - This means that if a client authenticates and provide both "foo" and "bar", - then the app ID will authenticate that client with the policy "admins". - - In practice, both the user and app ID are likely hard-to-guess UUID-like - values. - - Note that it is possible to authorize multiple app IDs with each user ID by - writing them as comma-separated values to the user ID mapping: - - ```text - $ vault write auth/app-id/map/user-id/bar value=foo,baz cidr_block=10.0.0.0/16 - # ... - ``` - -## API - -The AppID auth method has a full HTTP API. Please see the -[AppID auth method API](/vault/api-docs/auth/app-id) for more -details. diff --git a/website/content/docs/commands/license/index.mdx b/website/content/docs/commands/license/index.mdx index 2567c9ce0b53..4ebe8c193b44 100644 --- a/website/content/docs/commands/license/index.mdx +++ b/website/content/docs/commands/license/index.mdx @@ -26,14 +26,7 @@ performance_standby_count 9999 start_time 2021-05-17T00:00:00Z ``` -Query signed license string (only when using a deprecated stored license) - -```shell-session -$ vault license get -signed -02MV4UU43BK5H... -``` - -Inspect a signed a license string: +Inspect a license string: ```shell-session $ vault license inspect ~/vaults/license diff --git a/website/data/api-docs-nav-data.json b/website/data/api-docs-nav-data.json index a34798af797b..f8291e262ef1 100644 --- a/website/data/api-docs-nav-data.json +++ b/website/data/api-docs-nav-data.json @@ -366,15 +366,6 @@ { "title": "Username & Password", "path": "auth/userpass" - }, - { - "title": "App ID", - "badge": { - "text": "DEPRECATED", - "type": "outlined", - "color": "neutral" - }, - "path": "auth/app-id" } ] }, diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 3e23c86733a4..ea56798e8059 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1535,15 +1535,6 @@ }, { "divider": true - }, - { - "title": "App ID", - "badge": { - "text": "DEPRECATED", - "type": "outlined", - "color": "neutral" - }, - "path": "auth/app-id" } ] },