
Non-Interactive Login

This page describes how to set up a non-interactive login for situations such as automation, scripting and DR scenarios, where no person is available to enter credentials.

How CLI Authentication Works

The vor login command lets users sign in through a configured auth method in Vault such as Azure OIDC or LDAP. Once authenticated, a token is issued that can be used to retrieve an identity token from Vault. This Vault-issued identity token is what is used for authentication across VOR Stream services.

In this guide we set up a service user that follows the same flow. We enable a userpass auth method in Vault, create the user, and let the user's Vault token mint an identity token, so scripts and other automated tasks can run without anyone typing a person's credentials.

For more information on VOR Stream's authentication architecture, see Authentication.

Setting Up Non-Interactive Login

Prerequisites

The following steps assume you have access to the Vault instance and have the necessary permissions to change the Vault instance's configuration.

  1. Log in to Vault.

    Tip

    The Vault login step below assumes the default path for the Vault rootToken. If your installation uses a different location, please update the reference to point to where your rootToken is stored.

    vault login "$(sudo cat /opt/vor/vault/data/rootToken)"
    
  2. Create the userpass auth method.

    vault auth enable userpass
    vault policy write vor-identity-userpass - <<EOF
    path "identity/oidc/token/vor-userpass" {
      capabilities = ["read"]
    }
    EOF
    
  3. Create the user.

    Tip

    Replace the default password below with a strong, unique one. Any value typed on the command line is recorded in shell history, so prefer supplying it from a file or standard input.

    vault write auth/userpass/users/vrisk \
        password=Admin123 \
        policies=vor-identity-userpass
    
  4. Create an identity-token role for the userpass auth method. The role's template fills the username claim from the userpass entity alias and hardcodes the groups claim to "VOR Super Users"; set that claim to the least-privileged group your automation actually needs, since it is what VOR Stream services see. Note that base64 -w0 is a GNU coreutils option; on macOS, base64 does not wrap by default and -w0 should be dropped.

    CLIENT_ID=$(vault read -field=client_id identity/oidc/client/vor)
    
    ACCESSOR=$(vault auth list -format=json | jq -r '."userpass/".accessor')
    JWT_TEMPLATE=$(echo -n "{\"username\": {{identity.entity.aliases.$ACCESSOR.name}}, \"groups\": \"VOR Super Users\"}" | base64 -w0)
    
    vault write identity/oidc/role/vor-userpass key=vor ttl=12h template="$JWT_TEMPLATE" client_id="$CLIENT_ID"
    
  5. Log in as the new user and run your automation. The Vault token returned by this login is allowed to read identity/oidc/token/vor-userpass, which returns the identity token that VOR Stream services accept.

    vault login -method=userpass username=vrisk password=Admin123
    
    # Run whatever script or automation you need here
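
The following script is an added example, not code from the VOR Stream documentation or product. It performs steps 1 to 5 as an automation job would: it reads the userpass password from a file named by the assumed variable VOR_SERVICE_PASSWORD_FILE and passes it to the Vault CLI on standard input, so the password never appears in argv or shell history, obtains the identity token from the vor-userpass role, and checks the token's username and groups claims before exporting it under the assumed name VOR_IDENTITY_TOKEN. The sample JWT at the bottom is constructed inline so the claim checks can run without a Vault server; the Vault calls only run when VOR_RUN_LOGIN=1 (also an assumed variable).

```shell
#!/usr/bin/env bash
# Added example (not part of the VOR Stream docs): non-interactive login for
# the "vrisk" userpass service user created above. Assumed names:
#   VOR_SERVICE_PASSWORD_FILE  0600 file holding the userpass password
#   VOR_RUN_LOGIN              set to 1 to actually talk to Vault
#   VOR_IDENTITY_TOKEN         exported result for the rest of the automation
set -euo pipefail

# base64url (RFC 7515) helpers: JWT segments drop '=' padding and use '-_'.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s
  s=$(sed 's/-/+/g; s/_/\//g')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }

# Value of a string claim from the payload; empty if absent. Sufficient for
# the flat username/groups claims the role template emits; use jq if present.
jwt_claim() { jwt_payload "$1" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'; }

# Refuse a token whose claims do not match the user we logged in as, so a
# misconfigured template or entity alias cannot silently grant another identity.
check_identity_token() {   # $1 = jwt, $2 = expected username, $3 = expected groups
  [ "$(jwt_claim "$1" username)" = "$2" ] && [ "$(jwt_claim "$1" groups)" = "$3" ]
}

vor_service_login() {      # $1 = userpass username; prints the identity token
  local user=$1 pwfile=${VOR_SERVICE_PASSWORD_FILE:?path to the password file}
  local vault_token id_token
  # password=- makes the Vault CLI read the value from stdin, keeping it out of argv.
  vault_token=$(vault write -field=token "auth/userpass/login/$user" password=- < "$pwfile")
  # Use the fresh Vault token for this single read only; never export it.
  id_token=$(VAULT_TOKEN=$vault_token vault read -field=token identity/oidc/token/vor-userpass)
  check_identity_token "$id_token" "$user" "VOR Super Users" \
    || { echo "identity token claims do not match $user" >&2; return 1; }
  printf '%s\n' "$id_token"
}

# Constructed sample JWT (dummy signature) shaped like the one the vor-userpass
# template produces, so the claim checks above can be exercised offline.
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode).$(printf '%s' '{"username":"vrisk","groups":"VOR Super Users","exp":1700000000}' | b64url_encode).c2ln"

# Only contact Vault when explicitly asked; the helpers above run anywhere.
if [ "${VOR_RUN_LOGIN:-0}" = 1 ]; then
  VOR_IDENTITY_TOKEN=$(vor_service_login vrisk)
  export VOR_IDENTITY_TOKEN
  # Run whatever script or automation you need here, using $VOR_IDENTITY_TOKEN
fi
```

Run it as `VOR_RUN_LOGIN=1 VOR_SERVICE_PASSWORD_FILE=/path/to/secret ./login.sh` on a host that has VAULT_ADDR set. The Vault token is only ever used inside the function; the identity token is what the automation presents to VOR Stream, and it remains valid for the role's ttl regardless of what happens to the Vault token afterwards.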
    

Non-Interactive Login Cleanup

Once the automation has finished, disable the userpass auth method and remove the role and policy it used. Disabling the auth method revokes the Vault tokens it issued, but identity tokens are signed JWTs that Vault does not track, so any already issued remain valid until their ttl (12h in the role above) expires.

vault auth disable userpass
vault delete identity/oidc/role/vor-userpass
vault policy delete vor-identity-userpass