From 8654dd6a5c5c36cabf97480fe44dae7c1bd582f9 Mon Sep 17 00:00:00 2001
From: JMGoldsmith <spartanaudio@gmail.com>
Date: Fri, 19 Apr 2024 16:32:12 +0000
Subject: [PATCH] backport of commit 7b4f6409c6f0f2a3ddb61d302352f6eaac928e25

---
 website/content/api-docs/auth/approle.mdx     | 1 +
 website/content/docs/auth/approle.mdx         | 6 ++++--
 website/content/partials/tokenstorefields.mdx | 3 ++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/website/content/api-docs/auth/approle.mdx b/website/content/api-docs/auth/approle.mdx
index cc731a55029d..8d409dd6f158 100644
--- a/website/content/api-docs/auth/approle.mdx
+++ b/website/content/api-docs/auth/approle.mdx
@@ -85,6 +85,7 @@ include a-Z, 0-9, space, hyphen, underscore and periods.
 
 ```json
 {
+  "token_type": "batch",
   "token_ttl": "10m",
   "token_max_ttl": "15m",
   "token_policies": ["default"],
diff --git a/website/content/docs/auth/approle.mdx b/website/content/docs/auth/approle.mdx
index 375e23b8776a..436911e7b66e 100644
--- a/website/content/docs/auth/approle.mdx
+++ b/website/content/docs/auth/approle.mdx
@@ -12,7 +12,8 @@ The `approle` auth method allows machines or _apps_ to authenticate with
 Vault-defined _roles_. The open design of `AppRole` enables a varied set of
 workflows and configurations to handle large numbers of apps. This auth method
 is oriented to automated workflows (machines and services), and is less useful
-for human operators.
+for human operators. We recommend using `batch` tokens with the
+ `AppRole` auth method.
 
 An "AppRole" represents a set of Vault policies and login constraints that must
 be met to receive a token with those policies. The scope can be as narrow or
@@ -91,6 +92,7 @@ management tool.
 
    ```shell-session
    $ vault write auth/approle/role/my-role \
+       token_type=batch \
        secret_id_ttl=10m \
        token_num_uses=10 \
        token_ttl=20m \
@@ -138,7 +140,7 @@ documentation.
    $ curl \
        --header "X-Vault-Token: ..." \
        --request POST \
-       --data '{"policies": "dev-policy,test-policy"}' \
+       --data '{"policies": "dev-policy,test-policy", "token_type": "batch"}' \
        http://127.0.0.1:8200/v1/auth/approle/role/my-role
    ```
 
diff --git a/website/content/partials/tokenstorefields.mdx b/website/content/partials/tokenstorefields.mdx
index d84a94df25d0..3151876e033a 100644
--- a/website/content/partials/tokenstorefields.mdx
+++ b/website/content/partials/tokenstorefields.mdx
@@ -19,4 +19,5 @@
   unless changed will be `service` tokens). For token store roles, there are two
   additional possibilities: `default-service` and `default-batch` which specify
   the type to return unless the client requests a different type at generation
-  time.
+  time. For machine based authentication cases, you should use `batch` 
+  type tokens.