Auth methods are the components in Vault that perform authentication and are responsible for assigning identity and a set of policies to a user. In all cases, Vault will enforce authentication as part of the request processing. In most cases, Vault will delegate the authentication administration and decision to the relevant configured external auth method (e.g., Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft Azure, Okta ...).
Having multiple auth methods enables you to use an auth method that makes the most sense for your use case of Vault and your organization.
To learn more about authentication, see the authentication concepts page.
Auth methods can be enabled/disabled using the CLI or the API.
$ vault auth enable userpass
When enabled, auth methods are similar to secrets engines:
they are mounted within the Vault mount table and can be accessed
and configured using the standard read/write API. All auth methods are mounted underneath the
By default, auth methods are mounted to
auth/<type>. For example, if you
enable "github", then you can interact with it at
auth/github. However, this
path is customizable, allowing users with advanced use cases to mount a single
auth method multiple times.
$ vault auth enable -path=my-login userpass
When an auth method is disabled, all users authenticated via that method are automatically logged out.
When using an external auth method (e.g., GitHub), Vault will call the external service at the time of authentication and for subsequent token renewals. If the status of an entity changes in the external system (e.g., an account expires or is disabled), Vault denies requests to renew tokens associated with the entity. However, any existing token remain valid for the original grant period unless they are explicitly revoked within Vault. Operators should set appropriate token TTLs when using external authN methods.