Module auth_mounts

Auth mount enumeration and listing.

This command queries the Vault API to enumerate all authentication mounts and their configuration, with optional depth-based traversal to discover roles, users, and other configurations within each auth method.

§Features

  • Automatic Discovery: Discovers all auth mounts without needing to know mount names
  • Multi-Type Support: Handles kubernetes, approle, userpass, jwt/oidc, ldap, and token auth
  • Role Enumeration: Lists roles, users, and groups within each auth mount (when depth > 0)
  • Multiple Output Formats: CSV (flattened with depth), JSON (nested structure), or stdout (visual tree)

§Usage Examples

# List all auth mounts with role enumeration (default)
vault-audit auth-mounts --format stdout

# List only the auth mounts themselves (no roles)
vault-audit auth-mounts --depth 0 --format csv

# List mounts with roles in JSON format
vault-audit auth-mounts --format json --output auth-inventory.json

§Supported Auth Types

  • kubernetes: Lists roles configured for K8s service accounts
  • approle: Lists AppRole roles for application authentication
  • userpass: Lists configured users
  • jwt/oidc: Lists JWT/OIDC roles
  • ldap: Lists LDAP users and groups (prefixed with user:/group:)
  • token: No enumerable configuration

§Output Formats

  • CSV: Flattened format with mount info repeated for each role (depth column: 0=mount, 1=role)
  • JSON: Nested structure with roles array within each mount object
  • stdout: Visual tree with mount details and indented role list (├──, └──)

§Depth Parameter

  • --depth 0: Show only mount points (no role enumeration)
  • --depth 1 or higher: Include roles/users within each mount
  • No flag: Unlimited depth (enumerates all roles/users)

§API Endpoints Used

  • GET /v1/sys/auth - Discover all auth mounts (keys are the mount paths with a trailing slash, e.g. approle/; {mount} below is that path without the slash)
  • LIST /v1/auth/{mount}/role - List roles (kubernetes, approle, jwt/oidc)
  • LIST /v1/auth/{mount}/users - List users (userpass, ldap)
  • LIST /v1/auth/{mount}/groups - List groups (ldap)

The token used needs the read capability on sys/auth and the list capability on each of the auth/{mount}/... paths above. Note that Vault answers a LIST on a path with no entries with HTTP 404 rather than an empty key list, so a 404 on one of these paths means an empty mount, not a missing endpoint.
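The walk described by the endpoint list, depth parameter and output formats above, as an added stand-alone example in Python (stdlib only); this is not vault-audit's own Rust code. It assumes a transport function of the form fetch(method, path) that returns the parsed JSON body or None on HTTP 404; the LIST_ENDPOINTS table mirrors the per-type endpoints documented on this page, and the sample responses embedded in the block (including the empty userpass mount that Vault would answer with 404) are constructed, not captured from a real server.

```python
"""Walk Vault auth mounts the way the endpoint list describes.

Added example, not vault-audit's own code. Stdlib only; the transport is
injected so the enumeration logic can run offline against constructed data.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Per auth type: (LIST path suffix under auth/{mount}/, label prefix for each key).
# Types not listed here (aws, github, cert, ...) are reported as mounts but not descended.
LIST_ENDPOINTS: Dict[str, List[Tuple[str, str]]] = {
    "kubernetes": [("role", "")],
    "approle": [("role", "")],
    "jwt": [("role", "")],
    "oidc": [("role", "")],
    "userpass": [("users", "")],
    "ldap": [("users", "user:"), ("groups", "group:")],
    "token": [],  # nothing enumerable
}

# Assumed transport shape: (method, path under /v1/) -> parsed JSON body, or None on 404.
Fetch = Callable[[str, str], Optional[dict]]


def http_fetch(addr: str, token: str) -> Fetch:
    """Real transport. Vault's LIST is expressed as GET ...?list=true; an empty
    LIST returns HTTP 404, which is mapped to None instead of raised."""
    def fetch(method: str, path: str) -> Optional[dict]:
        url = f"{addr.rstrip('/')}/v1/{path}" + ("?list=true" if method == "LIST" else "")
        req = urllib.request.Request(url, headers={"X-Vault-Token": token})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise  # 403 here means the token lacks read/list on that path
    return fetch


def list_keys(fetch: Fetch, path: str) -> List[str]:
    body = fetch("LIST", path)
    return sorted(body["data"].get("keys", [])) if body else []


def enumerate_auth_mounts(fetch: Fetch, depth: Optional[int] = None) -> List[dict]:
    """Depth semantics follow the CLI: 0 lists mounts only, None or >0 descends."""
    body = fetch("GET", "sys/auth")
    if body is None:
        raise RuntimeError("sys/auth not found; is the address right?")
    # Use the "data" map when present; fall back to the top level for older response shapes.
    mounts = body.get("data", body)
    result = []
    for path, cfg in sorted(mounts.items()):
        if not isinstance(cfg, dict) or "type" not in cfg:
            continue  # not a mount entry
        mount = path.rstrip("/")  # sys/auth keys carry a trailing slash
        entry = {"path": mount, "type": cfg["type"], "accessor": cfg.get("accessor"), "roles": []}
        if depth is None or depth > 0:
            for suffix, prefix in LIST_ENDPOINTS.get(cfg["type"], []):
                entry["roles"] += [prefix + k for k in list_keys(fetch, f"auth/{mount}/{suffix}")]
        result.append(entry)
    return result


def to_csv_rows(mounts: List[dict]) -> List[tuple]:
    """Flatten to the CSV layout: one row per mount (depth 0) and one per role (depth 1)."""
    rows = [("depth", "path", "type", "accessor", "role")]
    for m in mounts:
        rows.append((0, m["path"], m["type"], m["accessor"], ""))
        rows.extend((1, m["path"], m["type"], m["accessor"], r) for r in m["roles"])
    return rows


# Constructed sample responses (not from a real server). userpass has no users, so
# Vault would answer its LIST with 404; the missing key models that as None.
SAMPLE_RESPONSES = {
    ("GET", "sys/auth"): {"data": {
        "token/": {"type": "token", "accessor": "auth_token_0001"},
        "approle/": {"type": "approle", "accessor": "auth_approle_0002"},
        "ldap/": {"type": "ldap", "accessor": "auth_ldap_0003"},
        "userpass/": {"type": "userpass", "accessor": "auth_userpass_0004"},
    }},
    ("LIST", "auth/approle/role"): {"data": {"keys": ["ci-deployer", "api-gateway"]}},
    ("LIST", "auth/ldap/users"): {"data": {"keys": ["alice"]}},
    ("LIST", "auth/ldap/groups"): {"data": {"keys": ["vault-admins"]}},
}


def fake_fetch(method: str, path: str) -> Optional[dict]:
    return SAMPLE_RESPONSES.get((method, path))


if __name__ == "__main__":
    # Use the real transport when VAULT_ADDR and VAULT_TOKEN are set, else the sample data.
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    fetch = http_fetch(addr, token) if addr and token else fake_fetch
    inventory = enumerate_auth_mounts(fetch)
    print(json.dumps(inventory, indent=2))
    for row in to_csv_rows(inventory):
        print(",".join(str(c) for c in row))
```

With VAULT_ADDR and VAULT_TOKEN exported the script walks a real server; the same data can be cross-checked from the CLI with `vault auth list` for the mounts and `vault list auth/approle/role` (or `.../users`, `.../groups`) for the entries under a mount. Auth types the table does not know about are still reported as mounts, so the inventory never silently drops a mount, only the descent into it.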

Functions§

run
Run the auth mount enumeration command