Implement identity entities and groups
Vault supports multiple authentication methods and also allows enabling the same type of authentication method on different mount paths. Each Vault client may have multiple accounts with various identity providers that are enabled on the Vault server.
Vault clients can be mapped as entities and their corresponding accounts with authentication providers can be mapped as aliases. In essence, each entity is made up of zero or more aliases. Identity secrets engine internally maintains the clients who are recognized by Vault.
Personas
The steps described in this tutorial are typically performed by operations persona.
Challenge
Bob has accounts in both Github and LDAP. Both Github and LDAP auth methods are enabled on the Vault server that he can authenticate using either one of his accounts. Although both accounts belong to Bob, there is no association between the two accounts to set some common properties.
Solution
Create an entity representing Bob, and associate aliases representing each of his accounts as the entity member. You can set additional policies and metadata on the entity level so that both accounts can inherit.
When Bob authenticates using either one of his accounts, the entity identifier will be tied to the authenticated token. When such tokens are put to use, their entity identifiers are audit logged, marking a trail of actions performed by specific users.
Note
If you are running Vault Enterprise or HCP Vault Dedicated, be sure to read the Why create entities? section at the end.
Prerequisites
To perform the tasks described in this tutorial, you need to have a Vault environment.
- Refer to the Getting Started tutorial to install Vault
- jq to process the JSON output for readability
Launch Terminal
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
Policy requirements
Unless you are running Vault for test or development purposes, such as dev mode (-dev
),
or with a short lived HCP Vault Dedicated dev tier cluster, it is recommended that you authenticate
with Vault and acquire a tokens with an appropriate set of policies based on your role in
the organization.
If you are connecting to a non-development Vault server, your token must have a policy with following permissions:
If you are not familiar with policies, complete the policies tutorial.
Lab setup
In a terminal, start a Vault dev server with
root
as the root token.The Vault dev server defaults to running at
127.0.0.1:8200
. The server is initialized and unsealed.Insecure operation
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and runs in an insecure way.
Open a new terminal and export an environment variable for the
vault
CLI to address the Vault server.Export an environment variable for the
vault
CLI to authenticate with the Vault server.
The Vault server is ready.
Create an Entity with Alias
You are going to create a new entity with base policy assigned. The entity defines two entity aliases with each has a different policy assigned.
Scenario: A user, Bob Smith at ACME Inc. happened to have two sets of
credentials: bob
and bsmith
. Bob can authenticate with Vault using either
one of their accounts. To manage the user's accounts and link them to identity
Bob Smith
in the QA team, you are going to create an entity for Bob.
For the simplicity of this tutorial, you are going to work with the userpass
auth method. In reality, the user bob
might be a username that exists in
Active Directory, and bsmith
might be Bob's username in GitHub. To mock the
behavior, you are going to enable the userpass auth method at two separate
paths: userpass-test
and userpass-qa
to mimic two different types of auth methods.
User lockout
As of Vault 1.13, the User lockout feature is enabled
by default for the userpass
, approle
, and ldap
auth methods.
Scenario Policies
Note
This scenario assumes that the K/V v2 secrets engine is enabled at
the secret
path. If you are not sure, refer to the Versioned Key/Value
Secrets Engine
tutorial.
Create bob
and bsmith
users with appropriate policies attached.
Create
base
policy.Create
test
policy.Create
team-qa
policy.List all policies to verify that
base
,test
andteam-qa
policies exist.Note
If you are using HCP Vault Dedicated, you will also see the
hcp-root
policy.Enable the
userpass
auth method atuserpass-test
.Create a new user named
bob
inuserpass-test
where the password istraining
andtest
policy is attached.Enable the
userpass
auth method at another paths,userpass-qa
.Create a new user named
bsmith
inuserpass-qa
where the password istraining
andteam-qa
policy is attached.Execute the following command to discover the mount accessor for the userpass auth method.
Each userpass auth methods has a unique Accessor value to identify it.
Run the following command to store the
userpass-test
auth accessor value in a file namedaccessor_test.txt
.The resulting file contains the accessor value (
auth_userpass_XXXXX
).Similarly, run the following command to store the
userpass-qa
auth accessor value in a file namedaccessor_qa.txt
.Create an entity for
bob-smith
, and store the returned entity ID in a file named,entity_id.txt
.The resulting file contains the entity ID for
bob-smith
(e.g.24204b50-22a6-61f5-bd4b-803f1a4e4726
).Now, add the user
bob
to thebob-smith
entity by creating an entity alias. Set a custom metadata on thebob
entity alias named, "account" and set its value to be "Tester Account".Note
To set custom metadata on the entity alias, you must run Vault 1.9 or later. If you are running Vault version earlier than v1.9, run the command without
custom_metadata=account="Tester Account"
.Example output:
To view the created entity alias, use the returned entity alias ID.
Example:
Repeat the step to add user
bsmith
to thebob-smith
entity. Set a custom metadata on thebob
entity alias named, "account" and set its value to be "QA Eng Account".Example output:
Review the entity details.
Example output: The output should include the entity aliases, metadata (organization, and team), and base policy.
Security Consideration
Avoid storing any sensitive personally identifiable information (PII) in the entity metadata. The entity metadata is replicated to other clusters if Performance Replication is configured. This may be a great concern for the GDPR. Vault 1.9 introduced the ability to set custom metadata on each entity alias that does not overlap with the metadata set by Vault. If the auth method is local to the cluster, the metadata will not be replicated to other clusters in the same performance replication group. Therefore, it is recommended to leverage the custom metadata on the entity alias instead.
Test the entity
To better understand how a token inherits the capabilities from the entity's
policy, you are going to test it by logging in as bob
.
First, login as
bob
, and store the generated client token inbob_token.txt
.The
test
policy grants CRUD operations on thesecret/test
path. Test to make sure that you can write secrets in the path.Although the username
bob
does not havebase
policy attached, the token inherits the capabilities granted in the base policy becausebob
is a member of thebob-smith
entity, and the entity has base policy attached. Check to see that the bob's token inherited the capabilities.The
base
policy grants create and read capabilities onsecret/training_*
path; thereforebob
is permitted to run create and read operations against any path starting withsecret/training_*
.What about the
secret/team-qa
path?The user
bob
only inherits capability from its associating entity's policy. The user can access thesecret/team-qa
path only if they log in withbsmith
credentials.
Create an internal group
Reset the `VAULT_TOKEN` environment variable
Log back in with the token you used to configure the entity before proceed to create an internal group. (Refer to the Lab setup section.)
Now, you are going to create an internal group named engineers
. Its member is
the bob-smith
entity that you created in the create an
entity section.
The group policy, team-eng
defines the following in the team-eng.hcl
file.
Create a new policy named
team-eng
.Create an internal group named
engineers
and addbob-smith
entity as a group member and attachteam-eng
.Example output:
Now, when you login as
bob
orbsmith
, its generated token inherits the group-level policy,team-eng
. You can perform similar tests demonstrated in the test the entity section to verify that.
Summary
By default, Vault creates an internal group. When you create an
internal group, you specify the group members rather than group
alias. Group aliases are mapping between Vault and external identity
providers (e.g. LDAP, GitHub, etc.). Therefore you define group aliases only
when you create external groups. For internal groups, you specify
member_entity_ids
and/or member_group_ids
.
Create an External Group
It is common for organizations to enable auth methods such as LDAP, Okta and perhaps GitHub to handle the Vault user authentication, and individual user's group memberships are defined within those identity providers.
In order to manage the group-level authorization, you can create an external group to link Vault with the external identity provider (auth provider) and attach appropriate policies to the group.
Example Scenario
Any user who belongs to training
team in GitHub organization,
example-inc
are permitted to perform all operations against the
secret/education
path.
Note
This scenario assumes that the GitHub organization, example-inc
exists as well as training
team within the organization.
Create a new policy named
education
.Enable GitHub auth method.
Retrieve the mount accessor for the GitHub auth method and save it in a file named
accessor_github.txt
.Configure to point to your GitHub organization.
Note
Use the actual Github organization name that exists to which you want to connect. The following uses a fictional organization name,
example-inc
as an example. If you do not change this value, the login attempt at the end of this section will not succeed.Example:
Create an external group, and store the generated group ID in
group_id.txt
.Example:
Create a group alias where
canonical_id
is the group ID and the name must be an actual GitHub team name that exists.Note
The
name
must be an actual GitHub team name that exists in the Github organization that you configured earlier. Use slugified team name.Example output:
Attempt to login as a GitHub user who is a member of the training group and enter the users personal access token.
Example output:
Summary
At this point, any GitHub user who belongs to training
team within the
example-inc
organization can authenticate with Vault. The generated token for
the user has education
policy attached.
Clean up
If you wish to clean up your environment after completing the tutorial, follow the steps in this section.
Unset the
VAULT_TOKEN
environment variable.Unset the
VAULT_ADDR
environment variable.You can stop the Vault dev server by pressing Ctrl+C where the server is running. Or, execute the following command.
For Vault Dedicated, delete the Vault instance from the HCP Portal.
Why create entities?
This tutorial used a human user, Bob Smith as an example to demonstrate the use of entities and groups. However, this concept also applies to applications.
Consider a scenario where an application uses multiple auth methods to log in with Vault. Without an entity defined to tie those multiple auth identities back to the application, the Vault server has no way of knowing the same application logged into Vault using different auth methods. As a result, each login gets counted as a new client.
This may not be an issue for Vault Community Edition users; however, this can results in unexpectedly higher client counts that affects your Vault Enterprise or Vault Dedicated billing cost.
Help and Reference
This tutorial focuses on the creation of entities and groups in Vault. Refer to Vault Limits and Maximums to understand the known upper limits when working with Vault Identities.