User TOTP Auth Method for Vault
vault-plugin-auth-usertotp
is an auth method plugin for HashiCorp Vault. Create user accounts, add TOTP tokens (each token is protected by a user-supplied PIN combined with the time-based code), and get second-factor authentication for Vault logins.
This plugin is also a drop-in replacement for the native userpass
auth method, so stop using that and use this instead!
Install
Assuming you have an already running/configured Vault instance:
- Add plugin_directory = "<plugin_directory>" to your Vault config. This setting is read at startup, so restart Vault after changing it.
- Download the plugin binary from the releases page into that directory. The file name must match the plugin name you register below (Vault runs <plugin_directory>/<plugin_name> unless you pass -command).
- Register the plugin in Vault. The SHA-256 you pass must match the binary on disk, or Vault will refuse to load it, so compute it from the file you just downloaded:
    vault plugin register -sha256="$(sha256sum <plugin_directory>/vault-plugin-auth-usertotp | cut -d' ' -f1)" auth vault-plugin-auth-usertotp
- Enable the plugin in Vault. If the native userpass method is already mounted at this path, disable it first (vault auth disable userpass); two methods cannot share a mount path:
    vault auth enable -path=userpass vault-plugin-auth-usertotp
Use
After installing the plugin:
Create Users
    vault write auth/userpass/users/<username> token_policies="<policies>"
Create User TOTP Tokens
    vault write auth/userpass/users/<username>/totp name=<token_name> pin=<pin>
- The command returns a totp_secret value. This is the value you should add to Google Authenticator (or any other TOTP app). It is shown only at creation time, so treat it like a password and avoid leaving it in shell history or logs. Alternatively, you can generate a QR code for the app to scan; quote the URI, otherwise the shell treats the & as a background operator:
    qrencode -t ANSI256 -o - "otpauth://totp/Vault%20(<username>)?secret=<totp_secret>&issuer=Vault"
Delete Users
    vault delete auth/userpass/users/<username>
Delete User TOTP Tokens
    vault delete auth/userpass/users/<username>/totp name=<token_name>
List Users
    vault list auth/userpass/users
Read User (including TOTP Token names)
    vault read auth/userpass/users/<username>
- Any TOTP tokens for the user will be listed under totp_token_names. Only the token names are returned; the secret itself is never readable back out of Vault.
Build
Run make build