---
layout: "intro"
page_title: "Authentication"
sidebar_current: "gettingstarted-auth"
description: |-
  Authentication to Vault gives a user access to use Vault. Vault can authenticate using multiple methods.
---

# Authentication

Now that we know how to use the basics of Vault, it is important to understand
how to authenticate to Vault itself. Up to this point, we haven't had to
authenticate because starting the Vault server in dev mode automatically logs
us in as root. In practice, you'll almost always have to manually authenticate.

On this page, we'll talk specifically about _authentication_. On the next
page, we talk about _authorization_.
Authentication is the mechanism of assigning an identity to a Vault user.
The access control and permissions associated with an identity are
authorization, and will not be covered on this page.

Vault has pluggable authentication backends, making it easy to authenticate
with Vault using whatever form works best for your organization. On this page
we'll use the token backend as well as the GitHub backend.

## Tokens

We'll first explain token authentication before going over any other
authentication backends. Token authentication is enabled by default in
Vault and cannot be disabled. It is also what we've been using up to this
point.

When you start a dev server with `vault server -dev`, it outputs your
_root token_. The root token is the initial access token to configure Vault.
It has root privileges, so it can perform any operation within Vault.
We'll cover how to limit privileges in the next section.

You can create more tokens using `vault token-create`:

```
$ vault token-create
Key             Value
token           c2c2fbd5-2893-b385-6fa5-30050439f698
token_accessor  0c1c3317-3d58-17e5-c1a9-3f54fa26610e
token_duration  0
token_renewable true
token_policies  [root]
```

By default, this will create a child token of your current token that
inherits all the same access control policies. The "child" concept here
is important: tokens always have a parent, and when that parent token is
revoked, children can also be revoked all in one operation. This makes it
easy, when removing access for a user, to remove access for all sub-tokens
that user created as well.

After a token is created, you can revoke it with `vault token-revoke`:

```
$ vault token-revoke c2c2fbd5-2893-b385-6fa5-30050439f698
Success! Token revoked if it existed.
```

In a previous section, we used the `vault revoke` command. This command
is only used for revoking _secrets_. For revoking _tokens_, the
`vault token-revoke` command must be used.

To authenticate with a token, use the `vault auth` command:

```
$ vault auth d08e2bd5-ffb0-440d-6486-b8f650ec8c0c
Successfully authenticated! The policies that are associated
with this token are listed below:

root
```

This authenticates with Vault. It will verify your token and let you know
what access policies the token is associated with. If you want to test
`vault auth`, make sure you create a new token first.

## Auth Backends

In addition to tokens, other authentication backends can be enabled.
Authentication backends enable alternate methods of identifying with Vault.
These identities are tied back to a set of access policies, just like tokens.

Vault supports other authentication backends in order to make authentication
easiest for your environment. For example, for desktop environments,
private key or GitHub based authentication may be easiest. For server
environments, some shared secret may be best. Auth backends give you
flexibility to choose what authentication you want to use.

As an example, let's authenticate using GitHub. First, enable the
GitHub authentication backend:

```
$ vault auth-enable github
Successfully enabled 'github' at 'github'!
```

Auth backends are mounted, just like secret backends, except auth
backends are always prefixed with `auth/`. So the GitHub backend we just
mounted can be accessed at `auth/github`. You can use `vault path-help` to
learn more about it.

With the backend enabled, we first have to configure it. For GitHub,
we tell it what organization users must be a part of, and map a team to a policy:

```
$ vault write auth/github/config organization=hashicorp
Success! Data written to: auth/github/config

$ vault write auth/github/map/teams/default value=root
Success! Data written to: auth/github/map/teams/default
```

The above configured our GitHub backend to only accept users from the
"hashicorp" organization (you should fill in your own organization)
and to map any team to the "root" policy, which is the only policy we have
right now until the next section.

With GitHub enabled, we can authenticate using `vault auth`:

```
$ vault auth -method=github token=e6919b17dd654f2b64e67b6369d61cddc0bcc7d5
Successfully authenticated! The policies that are associated
with this token are listed below:

root
```

Success! We've authenticated using GitHub. The "root" policy was associated
with our identity since we mapped that earlier. The value for "token" should be your own
[personal access token](https://help.github.com/articles/creating-an-access-token-for-command-line-use/).

You can revoke authentication from any authentication backend using
`vault token-revoke` as well, which can revoke any path prefix. For
example, to revoke all GitHub tokens, you could run the following.
**Don't run this unless you have access to another root token or you'll
get locked out.**

```
$ vault token-revoke -mode=path auth/github
```

When you're done, you can disable authentication backends with
`vault auth-disable`. This will immediately invalidate all authenticated
users from this backend.

```
$ vault auth-disable github
Disabled auth provider at path 'github'!
```

If you ran the above, you'll probably find you can't access your Vault
anymore unless you have another root token, because it invalidated your
own session, which we authenticated with GitHub above. Since we're still
operating in development mode, just restart the dev server to fix this.

## Next

On this page you learned about how Vault authenticates users. You learned
about the built-in token system as well as enabling other authentication
backends. At this point you know how Vault assigns an _identity_ to
a user.

The multiple authentication backends Vault provides let you choose the
most appropriate authentication mechanism for your organization.

In the next section, we'll learn about
[access control policies](/intro/getting-started/acl.html).
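
The parent/child revocation from the Tokens section and the `-mode=path` revocation from the Auth Backends section, as a simplified in-memory model. This is an added example, not Vault's implementation or part of the original guide. The `TokenStore` class, its method names and the path labels are hypothetical, and it assumes a path revocation also removes the descendants of each matching token.

```python
import uuid


class TokenStore:
    """Simplified model of token parent/child and path revocation (not Vault's code)."""

    def __init__(self):
        self.tokens = {}  # token id -> {"parent", "path", "policies"}

    def valid(self, tid):
        return tid in self.tokens

    def issue(self, path, policies, parent=None):
        tid = str(uuid.uuid4())
        self.tokens[tid] = {"parent": parent, "path": path, "policies": list(policies)}
        return tid

    def create_child(self, parent):
        # Models `vault token-create`: the child inherits the parent's policies.
        if not self.valid(parent):
            raise PermissionError("parent token is revoked or unknown")
        return self.issue("auth/token/create", self.tokens[parent]["policies"], parent)

    def revoke(self, tid):
        # Models `vault token-revoke <token>`: the token and all descendants go.
        if not self.valid(tid):
            return 0
        children = [t for t, meta in self.tokens.items() if meta["parent"] == tid]
        del self.tokens[tid]
        return 1 + sum(self.revoke(child) for child in children)

    def revoke_path(self, prefix):
        # Models `vault token-revoke -mode=path <prefix>`.
        issued = [t for t, meta in self.tokens.items() if meta["path"].startswith(prefix)]
        return sum(self.revoke(t) for t in issued)


def demo():
    store = TokenStore()
    # Path labels below are constructed for this model.
    root = store.issue("auth/token/root", ["root"])    # dev-server root token
    spare = store.create_child(root)                   # a second root-policy token
    gh = store.issue("auth/github/login", ["root"])    # session from a GitHub login
    gh_child = store.create_child(gh)                  # token made during that session
    revoked = store.revoke_path("auth/github")
    return revoked, {name: store.valid(t) for name, t in
                     [("root", root), ("spare", spare), ("gh", gh), ("gh_child", gh_child)]}


if __name__ == "__main__":
    print(demo())
```

In the model, the GitHub session and the token created from it are both gone after the path revocation, while the root token and its child survive. This is the situation the lockout warning describes: a user whose only session came from GitHub has no valid token left.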