grahamc
Contributor

@grahamc grahamc commented Oct 15, 2025

Description

This PR makes it possible to use a YubiKey or PIV card for vault login or vault agent auto-auth methods.

For example:

$ ~/go/bin/vault login -method cert -client-cert piv/9a -client-key 123456 name=...
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                            Value
---                            -----
token                          ...
token_accessor                 ...
token_duration                 24h
token_renewable                true
token_policies                 ["..."]
identity_policies              []
policies                       ["..."]
token_meta_serial_number       ...
token_meta_subject_key_id      ...
token_meta_authority_key_id    ...
token_meta_cert_name           ...
token_meta_common_name         ...

Or:

vault {
    address = "..."
    retry {
        num_retries = 5
    }
}

auto_auth {
  method "cert" {
    config = {
      client_cert = "piv/9a"
      client_key  = "123456"
      name = "..."
    }
  }

  sink "file" {
    config = {
      path = "/tmp/vault-token"
    }
  }
}

and:

$ ~/go/bin/vault agent -config ./agent.cfg
==> Note: Vault Agent version does not match Vault server version. Vault Agent version: 1.21.0-beta1, Vault server version: 1.16.2
==> Vault Agent started! Log data will stream in below:

==> Vault Agent configuration:

                     Cgo: enabled
               Log Level: 
                 Version: Vault v1.21.0-beta1, built 2025-10-15T08:02:14Z
             Version Sha: f5fbcee6a7577b79c8fa5cd5ccd0a6d1a1b4bba6+CHANGES

2025-10-15T15:17:29.662-0400 [INFO]  agent.sink.file: creating file sink
2025-10-15T15:17:29.662-0400 [INFO]  agent.sink.file: file sink configured: path=/tmp/vault-token mode=-rw-r----- owner=501 group=20
2025-10-15T15:17:29.663-0400 [INFO]  agent.exec.server: starting exec server
2025-10-15T15:17:29.663-0400 [INFO]  agent.exec.server: no env templates or exec config, exiting
2025-10-15T15:17:29.663-0400 [INFO]  agent.sink.server: starting sink server
2025-10-15T15:17:29.663-0400 [INFO]  agent.auth.handler: starting auth handler
2025-10-15T15:17:29.663-0400 [INFO]  agent.template.server: starting template server
2025-10-15T15:17:29.663-0400 [INFO]  agent.template.server: no templates found
2025-10-15T15:17:29.826-0400 [INFO]  agent.auth.handler: authenticating
2025-10-15T15:17:30.094-0400 [INFO]  agent.auth.handler: authentication successful, sending token to sinks
2025-10-15T15:17:30.094-0400 [INFO]  agent.auth.handler: starting renewal process
2025-10-15T15:17:30.095-0400 [INFO]  agent.sink.file: token written: path=/tmp/vault-token
2025-10-15T15:17:30.180-0400 [INFO]  agent.auth.handler: renewed auth token
^C==> Vault Agent shutdown triggered
2025-10-15T15:22:33.065-0400 [INFO]  agent.template.server: template server stopped
2025-10-15T15:22:33.065-0400 [INFO]  agent.auth.handler: shutdown triggered, stopping lifetime watcher
2025-10-15T15:22:33.065-0400 [INFO]  agent.auth.handler: auth handler stopped
2025-10-15T15:22:33.065-0400 [INFO]  agent.sink.server: sink server stopped
2025-10-15T15:22:33.066-0400 [INFO]  agent: sinks finished, exiting
2025-10-15T15:22:33.065-0400 [INFO]  agent.exec.server: exec server stopped

It is obviously not exactly fleshed out or perfect. However, I wanted to make it more visible than a patch in an arbitrary GitHub repository.

TODO only if you're a HashiCorp employee

  • Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch.
    • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
  • Jira: If this change has an associated Jira, it's referenced either in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.
  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
  • If applicable, I've documented the impact of any changes to security controls.

Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
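The login output in the description shows which certificate fields the cert auth method attaches to the token (token_meta_serial_number, token_meta_subject_key_id, token_meta_authority_key_id, token_meta_common_name). Whether the private key lives in a PEM file or in PIV slot 9a changes nothing about where trust is decided: the server still has to check that the presented certificate chains to the CA configured for the named cert role and is valid for client authentication before it derives any identity from it. The Go program below is an added example written for this page, not code from this PR or from Vault; it builds a constructed in-memory CA and leaf certificate (the CN, serial and CA name are made up), performs that chain and extended-key-usage check with the standard library, and extracts the four metadata fields. The names ClientCertMeta, VerifyClientCert and BuildTestPKI are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ClientCertMeta mirrors the token_meta_* fields in the login output above (example's own type).
type ClientCertMeta struct {
	SerialNumber   string
	SubjectKeyID   string
	AuthorityKeyID string
	CommonName     string
}

// VerifyClientCert is the server-side trust decision: the presented certificate (from a
// file or a PIV slot, no difference here) must chain to a trusted CA, be within its validity
// period and be permitted for client authentication before identity metadata is derived.
func VerifyClientCert(cert *x509.Certificate, trusted *x509.CertPool, now time.Time) (*ClientCertMeta, error) {
	opts := x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("client certificate rejected: %w", err)
	}
	return &ClientCertMeta{
		SerialNumber:   cert.SerialNumber.String(),
		SubjectKeyID:   hex.EncodeToString(cert.SubjectKeyId),
		AuthorityKeyID: hex.EncodeToString(cert.AuthorityKeyId),
		CommonName:     cert.Subject.CommonName,
	}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keyID builds a subject key identifier as SHA-1 over the DER public key (RFC 5280 method 1).
func keyID(pub *ecdsa.PublicKey) []byte {
	sum := sha1.Sum(must(x509.MarshalPKIXPublicKey(pub)))
	return sum[:]
}

// BuildTestPKI constructs, in memory and for this example only, an issuing CA and a leaf
// certificate for cn signed by it. With clientAuth=false the leaf carries only the
// serverAuth EKU, which VerifyClientCert must reject.
func BuildTestPKI(cn string, clientAuth bool) (caCert, leaf *x509.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SubjectKeyId:          keyID(&caKey.PublicKey),
	}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	eku := x509.ExtKeyUsageClientAuth
	if !clientAuth {
		eku = x509.ExtKeyUsageServerAuth
	}
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // on a YubiKey this key stays in slot 9a
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		SubjectKeyId: keyID(&leafKey.PublicKey),
	}
	// CreateCertificate copies the parent's SubjectKeyId into the leaf's AuthorityKeyId.
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))))
	return caCert, leaf
}

func main() {
	ca, leaf := BuildTestPKI("alice@example.test", true)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	meta := must(VerifyClientCert(leaf, pool, time.Now()))
	fmt.Printf("serial=%s skid=%s akid=%s cn=%s\n", meta.SerialNumber, meta.SubjectKeyID, meta.AuthorityKeyID, meta.CommonName)
}
```

The point of keeping the check in one function is that a certificate from an unrelated CA, one issued without the clientAuth EKU, or one past its NotAfter all fail the same Verify call and never reach the metadata extraction; the PIN passed as client_key in the description only unlocks signing on the card and plays no part in this decision.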

@grahamc grahamc requested a review from a team as a code owner October 15, 2025 20:23
@grahamc grahamc requested a review from robmonte October 15, 2025 20:23
@grahamc grahamc requested a deployment to community-pull-request October 15, 2025 20:23 — with GitHub Actions Waiting

vercel bot commented Oct 15, 2025

@grahamc is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

