Authentication methods using the vault API package

I am trying to use the Vault Golang Package to authenticate using the API.

I created a new client, and then can set my token:

client, err := api.NewClient(&api.Config{Address: vaultAddr, HttpClient: httpClient})

 if err != nil {
   return nil, errors.Wrap(err, "could not create vault client")
 }

client.SetToken(token)

That's great and all, but I want to auth against the API using one of the other auth methods, (LDAP, Userpass etc)

Is this even possible? How can I retrieve a token using the API?

I guess I could just use net/http to retrieve the token using an API call, but is there any method to actually auth in another way?

I managed to figure this out, eventually. It's not totally obvious, but makes sense.

Vault has a generic write method it uses to write data. You can utilise this to perform a login with the API by simply building the URL and sending a PUT request to that endpoint

It looks a bit like this:

// create a vault client
client, err := api.NewClient(&api.Config{Address: url, HttpClient: httpClient})
if err != nil {
	panic(err)
}

// to pass the password
options := map[string]interface{}{
   "password": password,    	
}

// the login path
// this is configurable, change userpass to ldap etc
path := fmt.Sprintf("auth/userpass/login/%s", username)

// PUT call to get a token
secret, err := client.Logical().Write(path, options)

Without having enough reputation adding an extra hint here instead of a comment to the accepted answer. The token can be extracted from the auth response something like this:

client.SetToken(secret.Auth.ClientToken)

The relevant interfaces are documented here:

https://godoc.org/github.com/hashicorp/vault/api#Secret

https://godoc.org/github.com/hashicorp/vault/api#SecretAuth

I wrote a GitHub gist that contains a function to authenticate your Go program using an AWS IAM role. Here's a link.

Note: authenticating to Vault only gets you a token. The token may later be used to read secrets, if the AWS IAM role allows.

You'll need to create an AWS STS request, extract some information from it, then send it to Vault instead.

Here's the function from the GitHub gist. It will consume an AWS IAM role and some Vault environment variables such as VAULT_ADDR. Here's some other environment variables that the Vault Golang library may read. It produces an authenticated Vault *api.Client, token, and response from the authentication request.

It's based off of this GitHub project.

package vault

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io/ioutil"

	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
	"github.com/hashicorp/vault/api"
)

// AWSLogin will create a Vault client, login via an AWS role, and return a valid Vault token and client that can be
// used to get secrets.
// The authProvider is likely "aws". It's the "Path" column as described in these docs:
// https://www.vaultproject.io/api/auth/aws#login.
// The serverID is an optional value to be placed in the X-Vault-AWS-IAM-Server-ID header of the HTTP request.
// The role is an AWS IAM role. It needs to be able to read secrets from Vault.
func AWSLogin(authProvider, serverID, role string) (client *api.Client, token string, secret *api.Secret, err error) {

	// Create the Vault client.
	//
	// Configuration is gathered from environment variables by upstream vault package. Environment variables like
	// VAULT_ADDR and VAULT_SKIP_VERIFY are relevant. The VAULT_TOKEN environment variable shouldn't be needed.
	// https://www.vaultproject.io/docs/commands#environment-variables
	if client, err = api.NewClient(nil); err != nil {
		return nil, "", nil, fmt.Errorf("failed to create Vault client: %w", err)
	}

	// Acquire an AWS session.
	var sess *session.Session
	if sess, err = session.NewSession(); err != nil {
		return nil, "", nil, fmt.Errorf("failed to create AWS session: %w", err)
	}

	// Create a Go structure to talk to the AWS token service.
	tokenService := sts.New(sess)

	// Create a request to the token service that will ask for the current host's identity.
	request, _ := tokenService.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{})

	// Add an server ID IAM header, if present.
	if serverID != "" {
		request.HTTPRequest.Header.Add("X-Vault-AWS-IAM-Server-ID", serverID)
	}

	// Sign the request to the AWS token service.
	if err = request.Sign(); err != nil {
		return nil, "", nil, fmt.Errorf("failed to sign AWS identity request: %w", err)
	}

	// JSON marshal the headers.
	var headers []byte
	if headers, err = json.Marshal(request.HTTPRequest.Header); err != nil {
		return nil, "", nil, fmt.Errorf("failed to JSON marshal HTTP headers for AWS identity request: %w", err)
	}

	// Read the body of the request.
	var body []byte
	if body, err = ioutil.ReadAll(request.HTTPRequest.Body); err != nil {
		return nil, "", nil, fmt.Errorf("failed to JSON marshal HTTP body for AWS identity request: %w", err)
	}

	// Create the data to write to Vault.
	data := make(map[string]interface{})
	data["iam_http_request_method"] = request.HTTPRequest.Method
	data["iam_request_url"] = base64.StdEncoding.EncodeToString([]byte(request.HTTPRequest.URL.String()))
	data["iam_request_headers"] = base64.StdEncoding.EncodeToString(headers)
	data["iam_request_body"] = base64.StdEncoding.EncodeToString(body)
	data["role"] = role

	// Create the path to write to for Vault.
	//
	// The authProvider is the value referenced in the "Path" column in this documentation. It's likely "aws".
	// https://www.vaultproject.io/api/auth/aws#login
	path := fmt.Sprintf("auth/%s/login", authProvider)

	// Write the AWS token service request to Vault.
	if secret, err = client.Logical().Write(path, data); err != nil {
		return nil, "", nil, fmt.Errorf("failed to write data to Vault to get token: %w", err)
	}
	if secret == nil {
		return nil, "", nil, fmt.Errorf("failed to get token from Vault: %w", ErrSecret)
	}

	// Get the Vault token from the response.
	if token, err = secret.TokenID(); err != nil {
		return nil, "", nil, fmt.Errorf("failed to get token from Vault response: %w", err)
	}

	// Set the token for the client as the one it just received.
	client.SetToken(token)

	return client, token, secret, nil
}

There's a standard AuthMethod interface in api package.

type AuthMethod interface {
Login(ctx context.Context, client *Client) (*Secret, error)
}

One may implement this interface with any login method. Here's an example of basic username/password login

type CredentialsAuthMethod struct {
username string
password string
}
func (m *CredentialsAuthMethod) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
options := map[string]any{
"password": m.password,
}
path := fmt.Sprintf("auth/userpass/login/%s", m.username)
secret, err := client.Logical().WriteWithContext(ctx, path, options)
if err != nil {
return nil, errorx.EnhanceStackTrace(err, "failed to authorize in vault with credentials")
}
return secret, nil
}

Once new AuthMethod implemented, it can be used to get a token for the client:

	client, err := api.NewClient(&api.Config{Address: "https://vault.local"})
if err != nil {
return nil, errorx.EnhanceStackTrace(err, "failed to initialize vault client")
}
secret, err := client.Auth().Login(context.Background(), &CredentialsAuthMethod{
username: c.username,
password: c.password,
})
if err != nil {
return nil, errorx.EnhanceStackTrace(err, "failed to login in vault")
}
token := secret.Auth.ClientToken
client.SetToken(token)