This repo contains examples of how to set up MFA in Vault for both LDAP authentication and path-based CRUD operations using TOTP and the Microsoft Authenticator app.
Note: The workflows below only work when interacting with Vault via the CLI/API, not the UI.
MFA can be enforced against specific paths within Vault, and may even be applied to specific CRUD operations against them. To enable this workflow with the Microsoft Authenticator app, Vault's TOTP MFA feature can be used to verify the TOTP values generated by the Microsoft Authenticator app and passed to Vault when performing operations. An example of the setup for this workflow can be found here. As an example, a request meeting the MFA requirement might look like:
vault kv get -mfa=my_totp:123456 secret_new/${SECRET_KEY}
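To make concrete what Vault is checking when it receives the `my_totp:123456` part of that request (and of the LDAP login request further down), here is an added, stand-alone RFC 6238 TOTP check written for this page; it is not code from this repo or from Vault. The base32 secret is the RFC 6238 reference key, and the skew window, replay rule and `parse_mfa_flag` helper are assumptions about what a sensible server-side check does, not a description of Vault's internals.

```python
import base64
import hashlib
import hmac
import struct

# Constructed enrollment secret in the base32 form an otpauth:// QR code carries.
# It is the RFC 6238 reference key "12345678901234567890", not a real Vault key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at, period=30, **kw):
    """RFC 6238: HOTP with the counter set to the time step containing `at`."""
    return hotp(secret_b32, at // period, **kw)

class TotpVerifier:
    """Assumed server-side check (illustrative, not Vault's code): accept codes from
    neighbouring time steps to absorb clock drift, and never accept a step twice."""

    def __init__(self, secret_b32, period=30, skew=1, digits=6, algorithm="sha1"):
        self.secret, self.period, self.skew = secret_b32, period, skew
        self.digits, self.algorithm = digits, algorithm
        self._used_steps = set()  # replay protection across the skew window

    def verify(self, passcode, now):
        """`now` is a Unix timestamp; returns True only for a fresh, in-window code."""
        step = now // self.period
        for candidate in range(max(step - self.skew, 0), step + self.skew + 1):
            expected = hotp(self.secret, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, passcode):
                if candidate in self._used_steps:
                    return False  # same code presented again: treat as replay
                self._used_steps.add(candidate)
                return True
        return False

def parse_mfa_flag(value):
    """Split the CLI's '-mfa=<method>:<passcode>' value, e.g. 'my_totp:123456'."""
    method, sep, passcode = value.partition(":")
    if not sep or not method or not passcode.isdigit():
        raise ValueError("expected <mfa_method_name>:<numeric passcode>")
    return method, passcode
```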
LDAP auth MFA can be enforced by creating a Sentinel Endpoint Governing Policy (EGP) using this example code. Once enabled, users authenticating via LDAP will be expected to pass the -mfa flag in their authentication requests and must include the TOTP generated by their Microsoft Authenticator app. For example, an expected call might look like:
vault login -mfa=my_totp:123456 -method=ldap username=testuser password=${USER_PASSWORD}
To set up Microsoft Authenticator app code generation for this purpose, you may follow the same steps outlined here.