
Vault Entities

  • Vault creates an entity and attaches an alias to it, if a corresponding entity doesn't already exist, through the identity secrets engine, which manages the internal identities that Vault recognizes

  • An entity is a representation of a single person or system that logs into Vault. Each entity has a unique identifier and is made up of zero or more aliases

  • An alias is a combination of an auth method plus some identification at that method. It is the mapping between an entity and an auth method

  • Example:

    - Userpass: usera (alias)
    - Entity_id: 57489015718940-8971509459140-571489
    - metadata:
      - department: accounting
      - office: Office A
      - team: payroll

  • This user may have several auth methods (userpass, ldap, github), so she may also have a second login like the one below, with its own entity_id:

    - ldap: [email protected]
    - entity_id: 4890471900-1-41-45145-415414
    - department: finance
    - team: management

  • An entity can be created manually to map the multiple entities of a single user onto one, which makes authorization management more efficient

  • Any token created for the entity inherits the capabilities granted by its aliases

  User: User A
  Aliases: Userpass, LDAP

  - Name: User A
  - entity_id: 849674019-459145413-5134-5134
  - Policy: management
  - Aliases:
    - Userpass: usera
      entity_id: 40156140561-45614-14-514354361
      policy: accounting
    - LDAP: [email protected]
      entity_id: 41794014-04643-643890614-46146

  • When logging in, the user inherits the capabilities granted by both policies: management and accounting

Create Vault Entities

  • vault write identity/entity name="User A" policies=manager

  • vault write identity/entity-alias name="UserA" canonical_id="<id returned by the identity/entity command above>" mount_accessor="<accessor of the auth method, from vault auth list>"
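The two commands above wired into a script, added here as an example; it is not part of the original notes. It assumes VAULT_ADDR and VAULT_TOKEN are set, that the userpass method is enabled at auth/userpass, and that the entity name, policy name and login name are placeholders. VAULT_CMD is the example's own hook so the functions can be exercised against a stub. It also adds a check the notes do not show: `vault token lookup -field=identity_policies` on a login token lists the policies the token inherited through the entity, as opposed to `-field=policies`, which lists what the auth method itself granted.

```shell
#!/bin/sh
# Added example, not from the original notes: create an entity, attach a
# userpass alias to it, and read back which policies a login token inherits.
# Assumptions: VAULT_ADDR and VAULT_TOKEN are set, the userpass method is
# enabled at auth/userpass, and the names and policies used are placeholders.
set -eu

# Overridable so the functions can be exercised against a stub instead of a live Vault.
VAULT_CMD="${VAULT_CMD:-vault}"

# Create the entity; -field=id prints only the new entity's id.
# Posting the same name again updates the existing entity rather than creating a second one.
create_entity() {  # create_entity <entity name> <comma-separated policies>
    "$VAULT_CMD" write -field=id identity/entity name="$1" policies="$2"
}

# Aliases are bound to an auth mount by its accessor, not its path, so look the accessor up.
mount_accessor() {  # mount_accessor <auth mount path, e.g. userpass>
    "$VAULT_CMD" read -field=accessor "sys/auth/$1"
}

# Attach an alias: the name the auth method knows the user by -> the entity (canonical_id).
# A login matching this alias is mapped onto the entity instead of creating a fresh one.
create_alias() {  # create_alias <name at the auth method> <entity id> <mount accessor>
    "$VAULT_CMD" write -field=id identity/entity-alias \
        name="$1" canonical_id="$2" mount_accessor="$3"
}

# What a token actually inherited: identity_policies come from the entity (and its groups),
# while -field=policies would show the policies granted by the auth method itself.
identity_policies_of() {  # identity_policies_of <token>
    "$VAULT_CMD" token lookup -field=identity_policies "$1"
}

# Wire the steps together; prints "<entity id> <alias id>".
onboard_user() {  # onboard_user <entity name> <entity policies> <auth path> <login name at that auth method>
    entity_id=$(create_entity "$1" "$2")
    accessor=$(mount_accessor "$3")
    alias_id=$(create_alias "$4" "$entity_id" "$accessor")
    printf '%s %s\n' "$entity_id" "$alias_id"
}

# Only touch Vault when run explicitly, so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    onboard_user "User A" manager userpass usera
fi
```

Run it with `sh entities.sh run`; sourcing the file defines the functions without contacting Vault. Keeping the alias's canonical_id tied to the id returned by create_entity is the point of the script: an alias pointing at the wrong entity silently hands that login the wrong policies.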

Vault Identity Groups

  • A group can contain multiple entities as its members

  • A group can also have subgroups

  • Policies can be set on the group and the permissions will be granted to all members of the group

  • Internal group: a group created manually in Vault to group entities and propagate identical permissions to them

  • External group: groups which Vault infers and creates based on group associations coming from auth methods (created manually or automatically)

    • Lets you set the group up once in Vault and continue to manage permissions in the identity provider

    • Note that the group name must match the group name in the identity provider
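The group types above as a script, added here as an example and not part of the original notes. It assumes VAULT_ADDR and VAULT_TOKEN are set, an entity id is passed in, an LDAP method is enabled at auth/ldap, and the group names and the "admin" policy are placeholders; "finance-admins" stands for a group that exists in the directory under exactly that name. The name match the notes require is done on the group alias: Vault compares the alias name with the group name the auth method reports, and the alias's canonical_id points at the external group.

```shell
#!/bin/sh
# Added example, not from the original notes: an internal group, a parent group
# holding it as a subgroup, and an external group bound to an auth method.
# Assumptions: VAULT_ADDR and VAULT_TOKEN are set, an LDAP method is enabled at
# auth/ldap, and all group and policy names are placeholders.
set -eu

VAULT_CMD="${VAULT_CMD:-vault}"   # overridable so the functions can run against a stub

# Internal group: membership is managed in Vault; its policies reach every member entity.
create_internal_group() {  # create_internal_group <name> <policies> <comma-separated member entity ids>
    "$VAULT_CMD" write -field=id identity/group name="$1" policies="$2" member_entity_ids="$3"
}

# Subgroups: a group may contain other groups, so members of the child also pick up the parent's policies.
create_parent_group() {  # create_parent_group <name> <policies> <comma-separated child group ids>
    "$VAULT_CMD" write -field=id identity/group name="$1" policies="$2" member_group_ids="$3"
}

# External group: Vault does not manage its members; they are inferred at login
# from the group data the auth method returns.
create_external_group() {  # create_external_group <name> <policies>
    "$VAULT_CMD" write -field=id identity/group name="$1" policies="$2" type=external
}

# The group alias is what gets matched: its name must be exactly the group name
# the identity provider reports through that auth mount.
create_group_alias() {  # create_group_alias <group name as reported by the IdP> <external group id> <mount accessor>
    "$VAULT_CMD" write -field=id identity/group-alias name="$1" canonical_id="$2" mount_accessor="$3"
}

mount_accessor() {  # mount_accessor <auth mount path, e.g. ldap>
    "$VAULT_CMD" read -field=accessor "sys/auth/$1"
}

# payroll (accounting) nested inside finance (management), plus finance-admins fed from LDAP.
# Prints "<payroll id> <finance id> <external group id> <group alias id>".
build_finance_groups() {  # build_finance_groups <entity id of the first payroll member>
    payroll=$(create_internal_group payroll accounting "$1")
    finance=$(create_parent_group finance management "$payroll")
    admins=$(create_external_group finance-admins admin)
    alias_id=$(create_group_alias finance-admins "$admins" "$(mount_accessor ldap)")
    printf '%s %s %s %s\n' "$payroll" "$finance" "$admins" "$alias_id"
}

if [ "${1:-}" = "run" ]; then
    build_finance_groups "${2:?entity id required}"
fi
```

Run it with `sh groups.sh run <entity id>`. The child group is created before its parent so the parent can be created with member_group_ids in one call; an entity in payroll then carries both accounting and management, mirroring the inheritance described for entities above.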
