Authentication from the Content Software for File system to Vault relies on an API token. Because the Content Software for File system must always be able to communicate with the KMS, a periodic service token must be used. To obtain the token, follow these steps:
- Verify that the token authentication method in Vault is enabled. This can be checked using the following command:

```
$ vault auth list
Path      Type     Description
----      ----     -----------
token/    token    token based credentials
```
- If the token authentication method is not enabled, enable it using the following command:

```
$ vault auth enable token
```
- Log into the KMS system using any of the identity methods supported by Vault. The identity should have permission to use the previously set master key.
- Create a token role for the identity using the following command:

```
$ vault write auth/token/roles/weka allowed_policies="weka" period="768h"
```
Note: The period is the time window within which a renewal request must be made. If no renewal is requested during this period, the token is revoked and a new token must be retrieved from Vault and set in the Content Software for File system.

- Generate a token for the logged-in identity using the following command:

```
$ vault token create -role=weka
Key                  Value
---                  -----
token                s.nRucA9Gtb3yNVmLUK221234
token_accessor       4Nm9BvIVS4HWCgLATc3r1234
token_duration       768h
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
```
For more information on obtaining an API token, see the Vault Tokens documentation.

Note: The Content Software for File system does not automatically renew the API token lease. It can be renewed using the Vault CLI or API. It is also possible to define a higher maximum token TTL (max_lease_ttl) by changing the Vault configuration file.
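Because the lease is not renewed automatically, an operator needs a periodic check that renews the token before the 768h period runs out. The following POSIX shell helper is an added example, not part of the Content Software for File or Vault documentation: it parses the remaining TTL from `vault token lookup -format=json`, and renews when it falls below a threshold. The 48-hour threshold is an assumed operator choice, and the sample lookup output embedded for offline testing is constructed.

```shell
#!/bin/sh
# Added example: renew the periodic Vault token used by the KMS integration
# before its period expires. Assumes the `vault` CLI is on PATH and that
# VAULT_ADDR / VAULT_TOKEN point at the token being checked when run for real.

# Extract the integer "ttl" (seconds remaining) from the JSON printed by
# `vault token lookup -format=json`. Pure sed, so no jq dependency.
ttl_from_lookup_json() {
  printf '%s' "$1" | sed -n 's/.*"ttl":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# needs_renewal LOOKUP_JSON THRESHOLD_SECONDS
# Returns 0 (renew) when the remaining TTL is below the threshold, 1 otherwise.
# An unparseable lookup is treated as needing attention (return 0).
needs_renewal() {
  ttl=$(ttl_from_lookup_json "$1")
  [ -n "$ttl" ] || return 0
  [ "$ttl" -lt "$2" ]
}

# check_and_renew [THRESHOLD_SECONDS]
# Real run against Vault: look up the current token and renew it when close
# to expiry. For a periodic token, renewal resets the TTL to the role period.
check_and_renew() {
  threshold=${1:-172800}   # assumed default: 48h in seconds
  lookup=$(vault token lookup -format=json) || return 2
  if needs_renewal "$lookup" "$threshold"; then
    vault token renew
  else
    echo "token still has $(ttl_from_lookup_json "$lookup")s left; no renewal"
  fi
}

# Constructed sample lookup output (abridged) for offline testing.
# 2764800 s is the full 768h period; 3600 s is one hour from revocation.
SAMPLE_FRESH='{"data":{"accessor":"4Nm9BvIVS4HWCgLATc3r1234","ttl":2764800,"renewable":true}}'
SAMPLE_NEAR_EXPIRY='{"data":{"accessor":"4Nm9BvIVS4HWCgLATc3r1234","ttl":3600,"renewable":true}}'
```

Run `check_and_renew` from cron or a systemd timer more often than the chosen threshold so a missed run cannot let the token lapse.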