From 021dc3ec9a04d9c0595d86e191b397584e926128 Mon Sep 17 00:00:00 2001 From: Tomoya Usami Date: Sun, 21 Jun 2020 03:06:18 +0900 Subject: [PATCH] Update the "vault" plugin document. (#1665) Signed-off-by: Tomoya Usami --- doc/plugin_server_upstreamauthority_vault.md | 26 +++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/doc/plugin_server_upstreamauthority_vault.md b/doc/plugin_server_upstreamauthority_vault.md index 5947bed81a..2c248272c7 100644 --- a/doc/plugin_server_upstreamauthority_vault.md +++ b/doc/plugin_server_upstreamauthority_vault.md @@ -23,6 +23,14 @@ The plugin supports **Client Certificate**, **Token** and **AppRole** authentica - **Token** method authenticates to Vault using the token in a HTTP Request header. - **AppRole** method authenticates to Vault using a RoleID and SecretID that are issued from Vault. +The configured token needs to be attached to a policy that has at least the following capabilities: + +```hcl +path "pki/root/sign-intermediate" { + capabilities = ["update"] +} +``` + ## Client Certificate Authentication | key | type | required | description | default | @@ -42,6 +50,13 @@ The plugin supports **Client Certificate**, **Token** and **AppRole** authentica client_cert_path = "/path/to/client-cert.pem" client_key_path = "/path/to/client-key.pem" } + // If specify the key-pair as an environment variable and use the modified mount point + // cert_auth { + // cert_auth_mount_point = "test-tls-cert-auth" + // } + + // If specify the key-pair as an environment variable and use the default mount point, set the empty structure. + // cert_auth {} } } ``` @@ -59,8 +74,10 @@ The plugin supports **Client Certificate**, **Token** and **AppRole** authentica pki_mount_point = "test-pki" ca_cert_path = "/path/to/ca-cert.pem" token_auth { - token = "" // or specified by environment variables + token = "" } + // If specify the token as an environment variable, set the empty structure. + // token_auth {} } } ``` @@ -83,6 +100,13 @@ The plugin supports **Client Certificate**, **Token** and **AppRole** authentica approle_id = "" // or specified by environment variables approle_secret_id = "" // or specified by environment variables } + // If specify the approle_id and approle_secret as an environment variable and use the modified mount point + // approle_auth { + // approle_auth_mount_point = "my-approle-auth" + // } + + // If specify the approle_id and approle_secret as an environment variable and use the default mount point, set the empty structure. + // approle_auth {} } } ```