diff --git a/docs/content/datasources.md b/docs/content/datasources.md
index 8531ad378..03a534115 100644
--- a/docs/content/datasources.md
+++ b/docs/content/datasources.md
@@ -666,7 +666,6 @@ This table describes the currently-supported authentication mechanisms and how t
| auth back-end | configuration |
|-------------:|---------------|
| [`approle`](https://www.vaultproject.io/docs/auth/approle.html) | Environment variables `$VAULT_ROLE_ID` and `$VAULT_SECRET_ID` must be set to the appropriate values.
If the back-end is mounted to a different location, set `$VAULT_AUTH_APPROLE_MOUNT`. |
-| [`app-id`](https://www.vaultproject.io/docs/auth/app-id.html) | Environment variables `$VAULT_APP_ID` and `$VAULT_USER_ID` must be set to the appropriate values.
If the back-end is mounted to a different location, set `$VAULT_AUTH_APP_ID_MOUNT`. |
| [`github`](https://www.vaultproject.io/docs/auth/github.html) | Environment variable `$VAULT_AUTH_GITHUB_TOKEN` must be set to an appropriate value.
If the back-end is mounted to a different location, set `$VAULT_AUTH_GITHUB_MOUNT`. |
| [`userpass`](https://www.vaultproject.io/docs/auth/userpass.html) | Environment variables `$VAULT_AUTH_USERNAME` and `$VAULT_AUTH_PASSWORD` must be set to the appropriate values.
If the back-end is mounted to a different location, set `$VAULT_AUTH_USERPASS_MOUNT`. |
| [`token`](https://www.vaultproject.io/docs/auth/token.html) | Determined from either the `$VAULT_TOKEN` environment variable, or read from the file `~/.vault-token` |
diff --git a/internal/tests/integration/datasources_vault_test.go b/internal/tests/integration/datasources_vault_test.go
index c753073ee..ee105b6dc 100644
--- a/internal/tests/integration/datasources_vault_test.go
+++ b/internal/tests/integration/datasources_vault_test.go
@@ -237,58 +237,6 @@ func TestDatasources_Vault_AppRoleAuth(t *testing.T) {
assertSuccess(t, o, e, err, "bar")
}
-func TestDatasources_Vault_AppIDAuth(t *testing.T) {
- // temporarily allow the deprecated pending-removal appID auth method
- // when this starts failing completely, we should remove support
- t.Setenv("VAULT_ALLOW_PENDING_REMOVAL_MOUNTS", "true")
-
- v := setupDatasourcesVaultTest(t)
-
- v.vc.Logical().Write("secret/foo", map[string]interface{}{"value": "bar"})
- defer v.vc.Logical().Delete("secret/foo")
- err := v.vc.Sys().EnableAuth("app-id", "app-id", "")
- require.NoError(t, err)
- err = v.vc.Sys().EnableAuth("app-id2", "app-id", "")
- require.NoError(t, err)
- defer v.vc.Sys().DisableAuth("app-id")
- defer v.vc.Sys().DisableAuth("app-id2")
- _, err = v.vc.Logical().Write("auth/app-id/map/app-id/testappid", map[string]interface{}{
- "display_name": "test_app_id", "value": "readpol",
- })
- require.NoError(t, err)
- _, err = v.vc.Logical().Write("auth/app-id/map/user-id/testuserid", map[string]interface{}{
- "value": "testappid",
- })
- require.NoError(t, err)
- _, err = v.vc.Logical().Write("auth/app-id2/map/app-id/testappid", map[string]interface{}{
- "display_name": "test_app_id", "value": "readpol",
- })
- require.NoError(t, err)
- _, err = v.vc.Logical().Write("auth/app-id2/map/user-id/testuserid", map[string]interface{}{
- "value": "testappid",
- })
- require.NoError(t, err)
-
- o, e, err := cmd(t,
- "-d", "vault=vault:///secret",
- "-i", `{{(ds "vault" "foo").value}}`).
- withEnv("VAULT_ADDR", "http://"+v.addr).
- withEnv("VAULT_APP_ID", "testappid").
- withEnv("VAULT_USER_ID", "testuserid").
- run()
- assertSuccess(t, o, e, err, "bar")
-
- o, e, err = cmd(t,
- "-d", "vault=vault:///secret",
- "-i", `{{(ds "vault" "foo").value}}`).
- withEnv("VAULT_ADDR", "http://"+v.addr).
- withEnv("VAULT_APP_ID", "testappid").
- withEnv("VAULT_USER_ID", "testuserid").
- withEnv("VAULT_AUTH_APP_ID_MOUNT", "app-id2").
- run()
- assertSuccess(t, o, e, err, "bar")
-}
-
func TestDatasources_Vault_DynamicAuth(t *testing.T) {
v := setupDatasourcesVaultTest(t)
diff --git a/vault/auth.go b/vault/auth.go
index f14123a27..ae1f104f2 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -19,7 +19,6 @@ func (v *Vault) GetToken() (string, error) {
// sorted in order of precedence
authFuncs := []func() (string, error){
v.AppRoleLogin,
- v.AppIDLogin,
v.GitHubLogin,
v.UserPassLogin,
v.TokenLogin,
@@ -33,33 +32,6 @@ func (v *Vault) GetToken() (string, error) {
return "", fmt.Errorf("no vault auth methods succeeded")
}
-// AppIDLogin - app-id auth backend
-func (v *Vault) AppIDLogin() (string, error) {
- appID := env.Getenv("VAULT_APP_ID")
- userID := env.Getenv("VAULT_USER_ID")
-
- if appID == "" || userID == "" {
- return "", nil
- }
-
- mount := env.Getenv("VAULT_AUTH_APP_ID_MOUNT", "app-id")
-
- vars := map[string]interface{}{
- "user_id": userID,
- }
-
- path := fmt.Sprintf("auth/%s/login/%s", mount, appID)
- secret, err := v.client.Logical().Write(path, vars)
- if err != nil {
- return "", fmt.Errorf("appID logon failed: %w", err)
- }
- if secret == nil {
- return "", fmt.Errorf("empty response from AppID logon")
- }
-
- return secret.Auth.ClientToken, nil
-}
-
// AppRoleLogin - approle auth backend
func (v *Vault) AppRoleLogin() (string, error) {
roleID := env.Getenv("VAULT_ROLE_ID")