Check out a service account

The LDAP secrets plugin lets clients check out service accounts from a previously configured LDAP library.

Assumptions

You have set up an ldap plugin.
You have created an LDAP account library.

Use vault write with the -f flag and {mount_path}/library/{set_name}/check-out path to request a service account:

$ vault write -f <mount_path>/library/<set_name>/checkout

For example:

$ vault write -f devcreds/library/accounting-team/checkout

Key                     Value
---                     -----
lease_id                devcreds/library/accounting-team/check-out/EpuS8cX7uEsDzOwW9kkKOyGW
lease_duration          10h
lease_renewable         true
password                ?@09AZKh03hBORZPJcTDgLfntlHqxLy29tcQjPVThzuwWAx/Twx4a2ZcRQRqrZ1w
service_account_name    fizz@example.com

Tip

If the default checkout time is longer than you need, omit the -f flag and provide an explict ttl value so Vault can reclaim the account sooner if it becomes abandoned for some reason.

Use vault write with the service account name and {mount_path}/library/{set_name}/check-out path to request a service account:

$ vault write <mount_path>/library/<set_name>/check-in \
  service_account_names=[<account_list>]

For example:

$ vault write -f devcreds/library/accounting-team/check-in \
  service_account_names=["fizz@example.com"]

Tip

If the caller only has one account checked out, you can omit the account list and use the -f flag to call the endpoint without explicit parameters.

Make a POST call to {mount_path}/library/{set_name}/check-in with the service account name to return the service account:

$ curl                                                     \
  --request POST                                           \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"              \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}"      \
  --data '{"service_account_names": [<account_list>]}'     \
  ${VAULT_ADDR}/v1/<mount_path>/library/<set_name>/check-in

For example:

$ curl                                                     \
  --request POST                                           \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"              \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}"      \
  --data '{"service_account_names": ["fizz@example.com"]}' \
  ${VAULT_ADDR}/v1/devcreds/library/accounting-team/check-in

Tip

If the default checkout time is longer than you need, provide an explict ttl value so Vault can reclaim the account sooner if it becomes abandoned for some reason.

Make a POST call to {mount_path}/library/{set_name}/check-out to request a service account:

$ curl                                                \
  --request POST                                      \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"         \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
  ${VAULT_ADDR}/v1/<mount_path>/library/<set_name>/checkout

For example:

$ curl                                                \
  --request POST                                      \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"         \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
  ${VAULT_ADDR}/v1/devcreds/library/accounting-team/checkout

Tip

If the caller only has one account checked out, you can omit the account list and make an empty POST call to the endpoint.