Stop using the root token. Enable real auth methods — userpass for humans, AppRole for machines — so every identity logs in and receives a scoped, expiring token.
Why: nobody should use the root token day to day. An auth method verifies an identity (a username, a machine role, a cloud instance, an OIDC login) and, on success, hands back a token carrying the policies mapped to that identity. Different methods suit humans vs machines, but all end the same way: you get a scoped, expiring token.
identity ──▶ auth method ──▶ Vault verifies ──▶ token (with policies, TTL)
human ─ userpass / OIDC / LDAP
machine ─ AppRole / Kubernetes / cloud IAM
(the token is the result; auth methods are just how you obtain one)
Why: userpass is the simplest human login — a username and password mapped to policies. Enable the method, create a user bound to a policy, then log in. Real teams usually wire Vault to OIDC/LDAP instead, but userpass shows the pattern with no external system.
Enable the userpass auth method
vault auth enable userpass
Create a user that gets the app-read policy on login
vault write auth/userpass/users/alice \
password=changeme policies=app-read
Log in as that user
vault login -method=userpass username=alice
Why: an application cannot type a password. AppRole gives a machine identity two parts — a role_id (like a username, not secret) and a secret_id (like a password, short-lived) — which it exchanges for a token. It is the standard way apps and CI authenticate to Vault without a human in the loop.
role_id (stable, baked into the app config) ┐
├──▶ exchange for a token
secret_id (short-lived, delivered separately) ┘
(split so neither half alone is enough — defense in depth)
Why: enable AppRole, define a role bound to a policy, then read its role_id and generate a secret_id. The app sends both to the login endpoint and gets back a scoped token. The token TTL means a leaked credential expires on its own — far safer than a static API key.
vault auth enable approle
Create a role bound to a policy, with a short token TTL
vault write auth/approle/role/myapp \
token_policies=app-read token_ttl=1h
Fetch the two halves
vault read auth/approle/role/myapp/role-id
vault write -f auth/approle/role/myapp/secret-id
The app exchanges them for a token
vault write auth/approle/login \
role_id=<role_id> secret_id=<secret_id>
Why: tokens are short-lived on purpose. A token can be renewed until its max TTL, after which the identity must authenticate again. revoke kills a token immediately — your kill switch when something leaks. Short TTLs plus revocation are why Vault tokens beat long-lived static secrets.
Extend a renewable token's life
vault token renew
Immediately revoke a token (and its children)
vault token revoke <token>
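The AppRole exchange and the renew/revoke calls above, done from application code over Vault's HTTP API instead of the CLI. This is an added example, not part of this lesson or of Vault itself; VAULT_ADDR and the sample login reply are placeholders I constructed, and the 75% renewal threshold is a design choice, not a Vault rule.

```python
import json
import urllib.request
from dataclasses import dataclass

VAULT_ADDR = "http://127.0.0.1:8200"  # placeholder; point at your own Vault server

@dataclass
class VaultToken:
    client_token: str   # the scoped token the app sends on every later request
    policies: list      # policies Vault attached to it (from the role)
    ttl_seconds: int    # lease_duration: seconds until it expires without renewal
    renewable: bool

def parse_login_response(body: dict) -> VaultToken:
    """Keep only what an app needs from a login/renew reply; fail loudly on an error reply."""
    auth = body.get("auth")
    if not auth or not auth.get("client_token"):
        raise ValueError("no token in response: %s" % body.get("errors", body))
    return VaultToken(
        client_token=auth["client_token"],
        policies=list(auth.get("token_policies") or auth.get("policies") or []),
        ttl_seconds=int(auth.get("lease_duration", 0)),
        renewable=bool(auth.get("renewable", False)),
    )

def should_renew(token: VaultToken, elapsed_seconds: int, fraction: float = 0.75) -> bool:
    """Renew once most of the TTL is used; a non-renewable token must log in again instead."""
    return token.renewable and token.ttl_seconds > 0 and elapsed_seconds >= token.ttl_seconds * fraction

def _post(path: str, payload: dict, token: str = "") -> dict:
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # Vault's header for authenticated calls
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}   # revoke answers 204 with an empty body

def approle_login(role_id: str, secret_id: str) -> VaultToken:
    """Same exchange as `vault write auth/approle/login role_id=... secret_id=...`."""
    return parse_login_response(_post("auth/approle/login", {"role_id": role_id, "secret_id": secret_id}))

def renew_self(token: VaultToken) -> VaultToken:  # counterpart of `vault token renew`
    return parse_login_response(_post("auth/token/renew-self", {}, token=token.client_token))

def revoke_self(token: VaultToken) -> None:       # the kill switch for this token
    _post("auth/token/revoke-self", {}, token=token.client_token)

# Constructed sample shaped like Vault's real reply to auth/approle/login (values are not real).
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "hvs.CONSTRUCTED", "renewable": True, "lease_duration": 3600,
    "policies": ["app-read", "default"], "token_policies": ["app-read", "default"], "metadata": {"role_name": "myapp"}}}
```

In a real deployment role_id lives in the app's config and secret_id arrives by a separate channel (an env var injected at deploy time, for instance), so neither half sits in the same place.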