Auth Methods, Entities and Groups

Auth Methods

• These are vault components that perform authentication and manages identities.
• Responsible for assigning identity and policies to a user.
• Multiple auth methods can be enables based on use case.
• Tokens are the core method of authentication within vault
• Most operations in vault require an existing token
• Token auth method is responsible for creating and storing tokens

Note

When authentication requests are sent to vault, vault issues a token to make all subsequent vault operations (read / write).

• The fundamental goal is to obtain a token.
• Each token has a associated policy (or policies) and a TTL.

Note

• Token auth method can’t be disabled, enabled by default.
• A new vault has only one way to authenticate, which is the root token.
• Authentication with another auth method (LDAP, OIDC, …), will generate a token.
• If a request to vault does not supply for read write of values and other things, vault throws 403 access denied.

Auth Methods Workflow

1. User authenticates with credentials
2. Validate credentials against provider (auth provider, could be OIDC, LDAP …)
3. Generate vault token and attach policy or policies and a TTL
4. Supply token to user
5. User then uses that token for doing operations in vault

There are a lot of auth methods, see them at docs at 🌐

Configuring Auth Methods

COMMAND	EFFECT
vault auth enable -path=AUTH_METHOD_PATH -description="DESCRIPTION" AUTH_METHOD	Enable auth method at path, default path picked if path not supplied
vault auth disable AUTH_METHOD_PATH	Disable auth method
vault auth list	List auth methods
vault write auth/AUTH_METHOD_PATH/OPTIONS PARAMETERS	Configure auth method
vault auth tune AUTH_METHOD_PATH PARAMETERS	Modify vault auth method

Tip

The config parameters for auth method could be: secret_id_ttl, token_num_uses, token_ttl, token_max_ttl, secret_id_num_uses, …

See more configuration parameters at 🌐

Note

System vs Human auth methods

HUMAN	MACHINE
Integrates with identity provider	Non human friendly tech
Require hands on	Usually integrates with existing platform
Often integrated with MFA	Vault validates credentials with the platform

Human Auth Methods: Userpass, LDAP, Active Directory, GitHub, OIDC, RADIUS, TLS Certificates, JWT, Okta, Kubernetes, … Machine Auth Methods: AppRole, AWS IAM, Azure Managed Identity, GCP, Kubernetes, TLS Certificates, Cert, …

Vault Entities

• Vault creates an entity every time a user logs in and attaches an alias to it if a corresponding entiry doesn’t already exist. The alias is combination of auth method and username or user ID

• An entity is a representation of a single person or system used to log into the vault. Each has unique value, each entity is made of zero or more aliases.

• Alias is a combination of auth method plus some identification. It is a mapping between an entity and auth method(s).

• This is done using the Identity secrets engine, which manages internal identities that are recognized by vault. Identity secrets engine is default enabled and can’t be disabled, another instance of identity secrets engine also can’t be created.

• Operators explicitly create and manage entities; Vault does not automatically sync identity information from external sources.

• An entity can be created manually to map multiple entities for a single user to provide more efficient authorization management.

• Any tokens created for the entity inherit the capabilities that are granted by alias(es).

• This manually created entity has aliases to other entities that are required for inherited properties.

• Policies get combined or we can say united from the particular alias and the current manual entity.

Note

Policy or policies and metadata can be attach to an entity.

Metadata is key value data.

Tip

One single user can have different entity IDs based on which auth method is used.

The same user can have different policies attached based on which auth method is used.

Similarly for metadata.

Caution

Issue: The user in the above case with multiple entities and policies need to logout and login to switch policies and auth methods to get different requirement work.

Solution: Create an entity in the vault that maps to multiple entities for a single user to provide more effecient authorization management

Note

Entities and Aliases Diagrams

Same User: Different Entities, Auth Methods, Policies and Metadata

architecture-beta
    group entity1(fluentcolor:clipboard-16)[ENTITY_1]
        service Policies1(fluentcolor:document-text-16)[POLICIES_1] in entity1
        service Metadata1(fluentcolor:database-16)[METADATA_1] in entity1
        service Username1(fluentcolor:person-16)[USERNAME_1] in entity1
        service AuthMethod1(fluentcolor:lock-closed-16)[AUTH_METHOD_1] in entity1
        service Entity_id_1(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_1] in entity1

        Entity_id_1:R -- L:Username1
        Username1:R -- L:AuthMethod1
        AuthMethod1:R -- L:Policies1
        Policies1:R -- L:Metadata1

    group entity2(fluentcolor:clipboard-16)[ENTITY_2]
        service Policies2(fluentcolor:document-text-16)[POLICIES_2] in entity2
        service Metadata2(fluentcolor:database-16)[METADATA_2] in entity2
        service Username2(fluentcolor:person-16)[USERNAME_2] in entity2
        service AuthMethod2(fluentcolor:lock-closed-16)[AUTH_METHOD_2] in entity2
        service Entity_id_2(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_2] in entity2

        Entity_id_2:R -- L:Username2
        Username2:R -- L:AuthMethod2
        AuthMethod2:R -- L:Policies2
        Policies2:R -- L:Metadata2

    group entity3(fluentcolor:clipboard-16)[ENTITY_3]
        service Policies3(fluentcolor:document-text-16)[POLICIES_3] in entity3
        service Metadata3(fluentcolor:database-16)[METADATA_3] in entity3
        service Username3(fluentcolor:person-16)[USERNAME_3] in entity3
        service AuthMethod3(fluentcolor:lock-closed-16)[AUTH_METHOD_3] in entity3
        service Entity_id_3(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_3] in entity3

        Entity_id_3:R -- L:Username3
        Username3:R -- L:AuthMethod3
        AuthMethod3:R -- L:Policies3
        Policies3:R -- L:Metadata3

    service User(fluentcolor:person-starburst-16)[USER]
    junction j1
    junction j2
    junction j3

    j1:B -- T:j2
    j2:B -- T:j3

    User:R -- L:j2
    j1:R -- L:Entity_id_1
    j2:R -- L:Entity_id_2
    j3:R -- L:Entity_id_3

Entity Managed Multiple Auth Methods and Policies

architecture-beta
    group masterEntity(fluentcolor:clipboard-16)[HIGHER_ENTITY]
        service masterPolicies(fluentcolor:document-text-16)[ENTITY_POLICIES] in masterEntity
        service masterUsername(fluentcolor:person-16)[ENTITY_USERNAME] in masterEntity
        service masterEntity_id(fluentcolor:slide-text-sparkle-16)[ENTITY_ID] in masterEntity
        group aliases(fluentcolor:link-multiple-16)[ALIASES]
            group entity1(fluentcolor:clipboard-16)[ENTITY_1] in aliases
                service Policies1(fluentcolor:document-text-16)[POLICIES_1] in entity1
                service Metadata1(fluentcolor:database-16)[METADATA_1] in entity1
                service Username1(fluentcolor:person-16)[USERNAME_1] in entity1
                service AuthMethod1(fluentcolor:lock-closed-16)[AUTH_METHOD_1] in entity1
                service Entity_id_1(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_1] in entity1

                Entity_id_1:R -- L:Username1
                Username1:R -- L:AuthMethod1
                AuthMethod1:R -- L:Policies1
                Policies1:R -- L:Metadata1
            
            group entity2(fluentcolor:clipboard-16)[ENTITY_2] in aliases
                service Policies2(fluentcolor:document-text-16)[POLICIES_2] in entity2
                service Metadata2(fluentcolor:database-16)[METADATA_2] in entity2
                service Username2(fluentcolor:person-16)[USERNAME_2] in entity2
                service AuthMethod2(fluentcolor:lock-closed-16)[AUTH_METHOD_2] in entity2
                service Entity_id_2(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_2] in entity2

                Entity_id_2:R -- L:Username2
                Username2:R -- L:AuthMethod2
                AuthMethod2:R -- L:Policies2
                Policies2:R -- L:Metadata2
    
            group entity3(fluentcolor:clipboard-16)[ENTITY_3] in aliases
                service Policies3(fluentcolor:document-text-16)[POLICIES_3] in entity3
                service Metadata3(fluentcolor:database-16)[METADATA_3] in entity3
                service Username3(fluentcolor:person-16)[USERNAME_3] in entity3
                service AuthMethod3(fluentcolor:lock-closed-16)[AUTH_METHOD_3] in entity3
                service Entity_id_3(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_3] in entity3

                Entity_id_3:R -- L:Username3
                Username3:R -- L:AuthMethod3
                AuthMethod3:R -- L:Policies3
                Policies3:R -- L:Metadata3

        junction j1
        junction j2
        junction j3


        j1:B -- T:j2
        j2:B -- T:j3

        j1:R -- L:Entity_id_1
        j2:R -- L:Entity_id_2
        j3:R -- L:Entity_id_3

        masterEntity_id:R -- L:j2

        masterEntity_id:L -- R:masterUsername
        masterUsername:L -- R:masterPolicies

• The user has the policies of the entity and the alias attached. If the user logs in using AUTH_METHOD_1, the policies attached will be ENTITY_POLICIES U POLICIES_1

Managing Entities

List Entities (Only IDs):

vault list identity/entity/id

Read Entity Details:

vault read identity/entity/id/ENTITY_ID

Read Entity ID using Name:

vault read -field=id identity/entity/name/ENTITY_NAME

Create Entity:

vault write identity/entity name="ENTITY_NAME" policies="POLICIES" metadata=METADATA

Update Entity(Name, Metadata, Policies):

vault write identity/entity/id/ENTITY_ID name="NEW_NAME" metadata=METADATA policies="POLICIES"

Delete Entity:

vault delete identity/entity/id/ENTITY_ID

Create Alias in Entity:

ENTITY_ID=$(vault read -field=id identity/entity/name/ENTITY_NAME)
USERPASS_ACCESSOR=$(vault auth list -format=json | jq -r '.[\"AUTH_METHOD_MOUNT_PATH/\"].accessor')
vault write identity/entity-alias name="ALIAS_NAME" canonical_id="$ENTITY_ID" mount_accessor="$USERPASS_ACCESSOR"

Delete Alias in Entity:

vault delete identity/entity-alias/id/ALIAS_ID

Tip

List Entities with ID, Name, Creation Time, Metadata, …

for id in $(vault list -format=json identity/entity/id | jq -r '.[]'); do
  echo "Entity ID: $id"
  vault read -format=json identity/entity/id/$id | jq '{name: .data.name, metadata: .data.metadata, creation_time: .data.creation_time}'
done

Vault Groups

• A group contains multiple entities as its members
• A group can also have subgroups
• Policies can be set to group and the permissions will be granted to all members of the group

Note

There are 2 different types of Groups:

Internal: Groups in vault created to group entities to propagate identical permissions. Its created manually.

External: Groups which vault infers and creates based on group associations coming from auth methods. Its created manually or automatically

Internal Groups

• Used to easily manage permissions for entities
• Frequently used when using vault namespaces to propagate permissions down to child namespaces
  • Helpful when the admin do not want to configure an identical auth method on every single namespace External Groups
• Used to set permissions based on group members from an external identity provider. Such as Okta, OIDC, …
• Allows admin to set up once and continue manage permissions and users in the identity provider instead of vault.

Note

Group Diagrams

Simple Groups

architecture-beta
    group usergroup(fluentcolor:clipboard-16)[GROUP]
        service groupPolicies(fluentcolor:document-text-16)[GROUP_POLICIES] in usergroup
        service groupName(fluentcolor:person-16)[GROUP_NAME] in usergroup
        group grpmembers(fluentcolor:link-multiple-16)[GROUP_MEMBERS]
            group entity1(fluentcolor:clipboard-16)[ENTITY_1] in grpmembers
                service Policies1(fluentcolor:document-text-16)[POLICIES_1] in entity1
                service Metadata1(fluentcolor:database-16)[METADATA_1] in entity1
                service Username1(fluentcolor:person-16)[USERNAME_1] in entity1
                service AuthMethod1(fluentcolor:lock-closed-16)[AUTH_METHOD_1] in entity1
                service Entity_id_1(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_1] in entity1

                Entity_id_1:R -- L:Username1
                Username1:R -- L:AuthMethod1
                AuthMethod1:R -- L:Policies1
                Policies1:R -- L:Metadata1
            
            group entity2(fluentcolor:clipboard-16)[ENTITY_2] in grpmembers
                service Policies2(fluentcolor:document-text-16)[POLICIES_2] in entity2
                service Metadata2(fluentcolor:database-16)[METADATA_2] in entity2
                service Username2(fluentcolor:person-16)[USERNAME_2] in entity2
                service AuthMethod2(fluentcolor:lock-closed-16)[AUTH_METHOD_2] in entity2
                service Entity_id_2(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_2] in entity2

                Entity_id_2:R -- L:Username2
                Username2:R -- L:AuthMethod2
                AuthMethod2:R -- L:Policies2
                Policies2:R -- L:Metadata2
    
            group entity3(fluentcolor:clipboard-16)[ENTITY_3] in grpmembers
                service Policies3(fluentcolor:document-text-16)[POLICIES_3] in entity3
                service Metadata3(fluentcolor:database-16)[METADATA_3] in entity3
                service Username3(fluentcolor:person-16)[USERNAME_3] in entity3
                service AuthMethod3(fluentcolor:lock-closed-16)[AUTH_METHOD_3] in entity3
                service Entity_id_3(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_3] in entity3

                Entity_id_3:R -- L:Username3
                Username3:R -- L:AuthMethod3
                AuthMethod3:R -- L:Policies3
                Policies3:R -- L:Metadata3

        junction j1
        junction j2
        junction j3


        j1:B -- T:j2
        j2:B -- T:j3

        j1:R -- L:Entity_id_1
        j2:R -- L:Entity_id_2
        j3:R -- L:Entity_id_3

        groupName:R -- L:j2

        groupName:L -- R:groupPolicies

Hierarchical Groups

architecture-beta
    group usergroup(fluentcolor:clipboard-16)[GROUP]
        service groupPolicies(fluentcolor:document-text-16)[GROUP_POLICIES] in usergroup
        service groupName(fluentcolor:person-16)[GROUP_NAME] in usergroup
        group grpmembers(fluentcolor:link-multiple-16)[GROUP_MEMBERS]
            group entity1(fluentcolor:clipboard-16)[ENTITY_1] in grpmembers
                service Policies1(fluentcolor:document-text-16)[POLICIES_1] in entity1
                service Metadata1(fluentcolor:database-16)[METADATA_1] in entity1
                service Username1(fluentcolor:person-16)[USERNAME_1] in entity1
                service AuthMethod1(fluentcolor:lock-closed-16)[AUTH_METHOD_1] in entity1
                service Entity_id_1(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_1] in entity1

                Entity_id_1:R -- L:Username1
                Username1:R -- L:AuthMethod1
                AuthMethod1:R -- L:Policies1
                Policies1:R -- L:Metadata1
            
            group entity2(fluentcolor:clipboard-16)[ENTITY_2] in grpmembers
                service Policies2(fluentcolor:document-text-16)[POLICIES_2] in entity2
                service Metadata2(fluentcolor:database-16)[METADATA_2] in entity2
                service Username2(fluentcolor:person-16)[USERNAME_2] in entity2
                service AuthMethod2(fluentcolor:lock-closed-16)[AUTH_METHOD_2] in entity2
                service Entity_id_2(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_2] in entity2

                Entity_id_2:R -- L:Username2
                Username2:R -- L:AuthMethod2
                AuthMethod2:R -- L:Policies2
                Policies2:R -- L:Metadata2
    
            group group1(fluentcolor:clipboard-16)[GROUP_1] in grpmembers
                service groupPolicies1(fluentcolor:document-text-16)[POLICIES_3] in group1
                service groupName1(fluentcolor:person-16)[USERNAME_3] in group1

                groupName1:R -- L:groupPolicies1

        junction j1
        junction j2
        junction j3

        j1:B -- T:j2
        j2:B -- T:j3

        j1:R -- L:Entity_id_1
        j2:R -- L:Entity_id_2
        j3:R -- L:groupName1

        group groupMembers1(fluentcolor:link-multiple-16)[GROUP_1_MEMBERS]
            group entity3(fluentcolor:clipboard-16)[ENTITY_3] in groupMembers1
                service Policies3(fluentcolor:document-text-16)[POLICIES_1] in entity3
                service Metadata3(fluentcolor:database-16)[METADATA_1] in entity3
                service Username3(fluentcolor:person-16)[USERNAME_1] in entity3
                service AuthMethod3(fluentcolor:lock-closed-16)[AUTH_METHOD_1] in entity3
                service Entity_id_3(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_1] in entity3

                Entity_id_3:R -- L:Username3
                Username3:R -- L:AuthMethod3
                AuthMethod3:R -- L:Policies3
                Policies3:R -- L:Metadata3
            
            group entity4(fluentcolor:clipboard-16)[ENTITY_4] in groupMembers1
                service Policies4(fluentcolor:document-text-16)[POLICIES_2] in entity4
                service Metadata4(fluentcolor:database-16)[METADATA_2] in entity4
                service Username4(fluentcolor:person-16)[USERNAME_2] in entity4
                service AuthMethod4(fluentcolor:lock-closed-16)[AUTH_METHOD_2] in entity4
                service Entity_id_4(fluentcolor:slide-text-sparkle-16)[ENTITY_ID_2] in entity4

                Entity_id_4:R -- L:Username4
                Username4:R -- L:AuthMethod4
                AuthMethod4:R -- L:Policies4
                Policies4:R -- L:Metadata4

            junction j4
            junction j5

            j4:B -- T:j5
            j4:R -- L:Entity_id_3
            j5:R -- L:Entity_id_4

            groupName1:B -- T:j4

        groupName:R -- L:j2

        groupName:L -- R:groupPolicies

Managing Groups

Create Group:

vault write identity/group name="NAME" type="internal" policies="POLICIES" member_entity_ids="ENTITY_IDS" metadata=METADATA

List Groups:

vault list identity/group/id

Read Group Details:

vault read identity/group/id/GROUP_ID

Update Group:

vault write identity/group/id/GROUP_ID policies="POLICIES" member_entity_ids="ENTITY_IDS" metadata=METADATA

Delete a Group:

vault delete identity/group/id/GROUP_ID

Add Members to Group:

CURRENT_MEMBERS=$(vault read -field=member_entity_ids identity/group/id/GROUP_ID)
NEW_MEMBERS="NEW_ENTITY_IDS"
UPDATED_MEMBERS="$CURRENT_MEMBERS,$NEW_MEMBERS"
vault write identity/group/id/GROUP_ID member_entity_ids="$UPDATED_MEMBERS"

Remove Members from Group:

CURRENT_MEMBERS=$(vault read -field=member_entity_ids identity/group/id/GROUP_ID)
# Remove members from the list in CURRENT_MEMBERS using shell/text tools, then update:
UPDATED_MEMBERS="LIST_OF_REMAINING_MEMBERS_AFTER_REMOVAL"
vault write identity/group/id/GROUP_ID member_entity_ids="$UPDATED_MEMBERS"

Add Member Groups to Group:

CURRENT_MEMBERS=$(vault read -field=member_group_ids identity/group/id/GROUP_ID)
UPDATED_MEMBERS="$CURRENT_MEMBERS,NEW_SUBGROUP_ID"
vault write identity/group/id/GROUP_ID member_group_ids="$UPDATED_MEMBERS"

Remove Member Groups from Group:

CURRENT_MEMBERS=$(vault read -field=member_group_ids identity/group/id/GROUP_ID)
# Remove subgroups in CURRENT_MEMBERS, then update:
UPDATED_MEMBERS="LIST_OF_REMAINING_SUBGROUPS_AFTER_REMOVAL"
vault write identity/group/id/GROUP_ID member_group_ids="$UPDATED_MEMBERS"

Note

Groups follow a rewrite approach when updating members, where all the users are rewritten instead of addition or deletion

Tip

List Groups with ID, Name, Policies, Metadata, …

for id in $(vault list -format=json identity/group/id | jq -r '.[]'); do
  echo "Group ID: $id"
  vault read -format=json identity/group/id/$id | jq '{name: .data.name, metadata: .data.metadata, policies: .data.policies}'
done

Tip

Groups and Entities (custom) can be used to create more complex setup to simplify management