HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

Create static LDAP roles

Configure static roles to map names in Vault to LDAP entries and use the rotation settings to manage credentials automatically with the role.

Assumptions

  • You have set up an ldap plugin.
  • You have permission to update roles in Vault.
  • You have permission to make POST calls to the ldap plugin.

  1. Create a configuration file, ldap-role.json with your role settings:

    {
  "role_name":       "<vault_role_name>",
  "username":        "<existing_ldap_username>",
  "dn":              "<existing_ldap_dn>",
  "rotation_period": "<credential_rotation_frequency>"
}

    For example:

    {
  "role_name":       "hashicorp",
  "username":        "vault",
  "dn":              "uid=vault,ou=users,dc=hashicorp,dc=com",
  "rotation_period": "24h"
}

  2. Save the new role.

    Use vault write with the /{mount_path}/static-role path and your static role configuration, ldap-role.json, to create a new static role:

    $ vault write <mount_path>/static-role @ldap-role.json

    For example:

    $ vault write devcreds/static-role @ldap-role.json

  3. Confirm the role settings by requesting credentials from the plugin:

    Use vault read with the /{mount_path}/static-cred/{role_name} path to fetch the credential information for the given role:

    $ vault read <mount_path>/static-role/<role_name>

    For example:

    $ vault read devcreds/static-role/hashicorp
Edit this page on GitHub