
Leverage Trusted Identities in Low Trust Networks

Authenticate and access different clouds, systems, and endpoints using trusted identities
Graphic — different identity icons around cloud tool icons

The Challenge

With the proliferation of different clouds, services, and systems, each with its own identity provider, organizations need a way to manage identity sprawl.

Graphic — organized identity icons in boxes outlined with the Vault icon

The Solution

Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets.

Identity-based Access Features

Logos: AWS, Microsoft Azure, Google Cloud, Kubernetes, Nomad, Okta, PivotalCF, SSH, and more

Identity Plugins

Improve the extensibility of Vault with pluggable identity backends.

Vault UI showing entity entries

Entities

Integrate identities across platforms and use this information for policy and access control decisions.

'Control Groups' UI prompting authorization

Control Groups

Require multiple Identity Entities or members of Identity Groups to authorize a requested action.

# User template (user-tmpl.hcl)
# Grant permissions on user specific path
path "user-kv/data/{{identity.entity.name}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}

# For Web UI usage
path "user-kv/metadata" {
  capabilities = ["list"]
}

# Group template (group-tmpl.hcl)
# Grant permissions on the group specific path
# The region is specified in the group metadata
path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}

# Group member can update the group information
path "identity/group/id/{{identity.groups.names.education.id}}" {
  capabilities = [ "update", "read" ]
}

# For Web UI usage
path "group-kv/metadata" {
  capabilities = ["list"]
}

path "identity/group/id" {
  capabilities = [ "list" ]
}

ACL Templates and Policy Control

Create and manage policies that authorize access control throughout your infrastructure and organization.
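As an added illustration (not Vault's own code or its policy engine), the following Python model renders the user and group templates above for a constructed identity and checks a request path against a simplified version of Vault's matching (exact path first, otherwise the longest glob prefix). The identity values, and the choice to drop a rule whose template variable cannot be resolved, are assumptions of this model.

```python
import re
# Constructed identity records (assumption, not from the page): "alice" belongs to group
# "education" with region metadata "us-west"; "bob" belongs to no group.
ALICE = {"entity": {"name": "alice"},
         "groups": {"names": {"education": {"id": "7d2f3c1e-group", "metadata": {"region": "us-west"}}}}}
BOB = {"entity": {"name": "bob"}, "groups": {"names": {}}}

# The page's templated rules (user-tmpl.hcl and group-tmpl.hcl), trimmed to the templated paths.
USER_TMPL = '''
path "user-kv/data/{{identity.entity.name}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}'''
GROUP_TMPL = '''
path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}
path "identity/group/id/{{identity.groups.names.education.id}}" {
  capabilities = [ "update", "read" ]
}'''

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')
VAR_RE = re.compile(r"\{\{([\w.\-]+)\}\}")

def lookup(identity, dotted):
    """Walk a dotted template variable such as identity.groups.names.education.id."""
    node = {"identity": identity}
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(dotted)
        node = node[part]
    return str(node)

def render(policy_text, identity):
    """Expand {{...}} in each rule and return {rendered_path: set(capabilities)}."""
    rules = {}
    for path, caps in RULE_RE.findall(policy_text):
        try:
            rules[VAR_RE.sub(lambda m: lookup(identity, m.group(1)), path)] = set(re.findall(r'"(\w+)"', caps))
        except KeyError:
            continue  # model assumption: bob has no "education" group, so the group rules never appear
    return rules

def allowed(identity, request_path, capability):
    """Simplified Vault matching over both templates: exact path wins, else longest glob prefix."""
    rules = {**render(USER_TMPL, identity), **render(GROUP_TMPL, identity)}
    if request_path in rules:
        return capability in rules[request_path]
    globs = [p for p in rules if p.endswith("*") and request_path.startswith(p[:-1])]
    return bool(globs) and capability in rules[max(globs, key=len)]
```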

Vault UI showing admin members entries

Identity Groups

Group trusted identities into logical groups for group-based access control.

$ curl --header "X-Vault-Token: ..." \
--header "X-Vault-MFA:my_totp:695452" \
http://127.0.0.1:8200/v1/secret/foo

Multi-factor Authentication

Enforce MFA workflows when accessing a secret or a secret path.
