Last Updated on June 19, 2025 by Arnav Sharma
Before you can ask Vault for a secret, you have to prove who you are. Thatโs what authentication methods are all about.
In myย first postย in this series, I talked about what Vault is and how it manages secrets. Now, letโs go a level deeper and explore how developers, applications, and cloud platforms authenticate with Vault in the first place.
Vault doesnโt use traditional usernames and passwords. Instead, it supports flexible authentication methods that fit different environments like Azure, GitHub, CI/CD pipelines, or container workloads.
In this post, weโll break down four commonly used methods, explain when to use each, and walk through real-world examples.
1. Azure Authentication:
If you’re running applications on Azure VMs, App Services, or AKS, the Azure authentication method lets those workloads securely log in to Vault using their Managed Identity.
No secrets, passwords, or hardcoded tokens โ Vault verifies the identity using Azureโs metadata service and allows access based on rules you define.
Common Use Case:
You have a virtual machine that needs to pull database credentials or API keys from Vault. Rather than store Vault tokens on the VM, you configure it to authenticate using its Azure identity.
How to Set It Up:
Step 1: Enable the Azure auth method in Vault
vault auth enable azure
Step 2: Configure Azure integration
vault write auth/azure/config \
tenant_id="YOUR_TENANT_ID" \
resource="https://management.azure.com/"
Step 3: Create a role
vault write auth/azure/role/app-role \
policies="app-read-secrets" \
bound_subscription_ids="SUBSCRIPTION_ID" \
bound_resource_groups="dev-resources"
When the Azure VM calls Vault, it presents a signed token from Azure. Vault validates it and maps it to the app-read-secrets policy.
Why It’s Useful:
- No tokens or static credentials
- Scales well in dynamic cloud environments
- Aligns with Azure RBAC and identity best practices
2. GitHub Authentication: Easy Access for Developer Teams
This method lets individual developers authenticate using their GitHub account โ great for local dev environments or early-stage teams.
If you’re part of a GitHub org, Vault can map your team to specific policies, allowing access based on group membership.
Example Scenario:
Your platform team wants to grant developers access to read staging secrets. Instead of managing accounts, you link Vault to your GitHub org and assign policies to specific GitHub teams.
How to Set It Up:
Step 1: Enable GitHub auth
vault auth enable github
Step 2: Configure the GitHub organization
vault write auth/github/config organization="your-org-name"
Step 3: Map a GitHub team to a policy
vault write auth/github/map/teams/devs value="read-staging"
Now, when a team member logs in with their GitHub token, Vault checks whether theyโre in the devs team and assigns the read-staging policy.
Why It’s Useful:
- No infrastructure changes needed
- Easy for teams already using GitHub for collaboration
- Simplifies CLI-based development workflows
3. JWT / OIDC Authentication: For Cloud-Native and CI/CD Systems
The JWT (or OIDC) method is best for automated workflows and modern cloud environments. It allows authentication using identity tokens from a trusted provider โ like Azure AD, Google, GitHub Actions, or Kubernetes.
You define rules that match the tokenโs claims (like email, audience, or subject) to Vault roles and policies.
Example Scenario:
A GitHub Actions workflow deploys an app to Azure and needs to fetch a secret from Vault. Rather than hardcoding anything, the workflow presents a signed JWT from GitHub, and Vault validates it.
How to Set It Up:
Step 1: Enable JWT auth
vault auth enable jwt
Step 2: Configure the identity provider
vault write auth/jwt/config \
oidc_discovery_url="https://token.actions.githubusercontent.com" \
bound_issuer="https://token.actions.githubusercontent.com"
Step 3: Create a role
vault write auth/jwt/role/deploy-workflow \
role_type="jwt" \
user_claim="repository" \
bound_claims='{"repository": "yourorg/yourrepo"}' \
policies="deploy-policy"
Now, only workflows from the specified repo can authenticate and receive a Vault token scoped to deploy-policy.
Why It’s Useful:
- Secure, short-lived credentials
- Excellent for CI/CD, GitHub Actions, Kubernetes
- Fine-grained control via token claims
4. AppRole: Secure Access for Automation and Services
AppRole is a programmatic login method where an application or script authenticates using a role_id and secret_id.
This method doesnโt rely on cloud identity or OAuth providers, making it ideal for non-interactive access, like scheduled jobs or internal tooling.
Example Scenario:
A build pipeline in Jenkins or Azure DevOps needs to fetch credentials to deploy infrastructure. AppRole gives the pipeline secure, time-bound access without exposing long-lived secrets.
How to Set It Up:
Step 1: Enable AppRole
vault auth enable approle
Step 2: Define a role
vault write auth/approle/role/ci-role \
secret_id_ttl=1h \
token_ttl=20m \
token_max_ttl=1h \
policies="ci-access"
Step 3: Fetch the Role ID and Secret ID
vault read auth/approle/role/ci-role/role-id
vault write -f auth/approle/role/ci-role/secret-id
Step 4: Log in using the AppRole
vault write auth/approle/login \
role_id="..." \
secret_id="..."
This returns a Vault token scoped to the policy defined in the role.
Why It’s Useful:
- Works in offline/air-gapped or legacy environments
- Easy to script and rotate
- Doesnโt depend on third-party identity providers
Choosing the Right Authentication Method
Hereโs a simple guide to help you choose the right method for your use case:
| Authentication Method | Best For | Key Advantage |
|---|---|---|
| Azure | Azure VMs, functions, AKS | Uses Managed Identity for seamless auth |
| GitHub | Developers, CLI access | Quick setup with GitHub org/team mapping |
| JWT / OIDC | CI/CD, Kubernetes, federated identity | Secure, token-based, integrates with IdPs |
| AppRole | Automation, scheduled jobs, pipelines | Simple, programmatic, highly scriptable |
Final Thoughts
HashiCorp Vault gives you powerful options for controlling who can access your secrets โ but choosing the right authentication method makes all the difference in usability and security.
Start simple. For cloud workloads, use Azure or JWT/OIDC. For pipelines, AppRole is a great choice. And if you’re onboarding developers quickly, GitHub gets you up and running fast.