
Leverage Trusted Identities in Low Trust Networks

Authenticate and access different clouds, systems, and endpoints using trusted identities

The Challenge

With the proliferation of clouds, services, and systems, each with its own identity provider, organizations need a way to manage identity sprawl.

The Solution

Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets.

Identity-based Access Features

Provider logos shown: AWS, Microsoft Azure, Google, Kubernetes

Identity Plugins

Improve the extensibility of Vault with pluggable identity backends.

Entities

Integrate identities across platforms and use this information for policy and access control decisions.

Control Groups

Require multiple Identity Entities or members of Identity Groups to authorize a requested action.

# User template (user-tmpl.hcl)
# Grant permissions on user specific path
path "user-kv/data/{{identity.entity.name}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}

# For Web UI usage
path "user-kv/metadata" {
  capabilities = ["list"]
}

# Group template (group-tmpl.hcl)
# Grant permissions on the group specific path
# The region is specified in the group metadata
path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}

# Group member can update the group information
path "identity/group/id/{{identity.groups.names.education.id}}" {
  capabilities = [ "update", "read" ]
}

# For Web UI usage
path "group-kv/metadata" {
  capabilities = ["list"]
}

path "identity/group/id" {
  capabilities = [ "list" ]
}

ACL Templates and Policy Control

Create and manage policies that authorize access control throughout your infrastructure and organization.
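As an added example (not Vault's own code), a small Python model of how the identity parameters used in the user and group templates above resolve for one caller, followed by a simplified check over the rendered paths. The entity and group names, ids and the region value are constructed; Vault's real evaluation is richer (deny rules, parameter constraints, namespaces), so read this as a model of the isolation the templates give, not as its implementation.

```python
import re

PARAM_RE = re.compile(r"\{\{\s*([\w.\-]+)\s*\}\}")
STANZA_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]')

# Constructed sample caller (not from the page): entity "alice", member of
# group "education" whose metadata sets region = "eu-west".
ALICE = {"entity": {"name": "alice", "id": "e-1"},
         "groups": {"education": {"id": "g-7", "metadata": {"region": "eu-west"}}}}
# Constructed templated policy reusing the page's parameters (capabilities shortened).
POLICY = '''
path "user-kv/data/{{identity.entity.name}}/*" { capabilities = ["create", "read"] }
path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
  capabilities = ["read", "list"] }
path "identity/group/id/{{identity.groups.names.education.id}}" { capabilities = ["update", "read"] }
'''

def flatten(identity):
    """Map every template parameter resolvable for this caller to its value."""
    ent, params = identity["entity"], {}
    params["identity.entity.name"], params["identity.entity.id"] = ent["name"], ent["id"]
    params.update({f"identity.entity.metadata.{k}": v for k, v in ent.get("metadata", {}).items()})
    for gname, g in identity.get("groups", {}).items():
        params[f"identity.groups.names.{gname}.id"] = g["id"]
        params.update({f"identity.groups.names.{gname}.metadata.{k}": v
                       for k, v in g.get("metadata", {}).items()})
    return params

def render_policy(policy_hcl, identity):
    """Render each path stanza for one caller as {rendered_path: capabilities}. A stanza whose
    parameter does not resolve (e.g. a group the caller is not in) is dropped in this model."""
    params, rules = flatten(identity), {}
    for path, caps in STANZA_RE.findall(policy_hcl):
        if any(p not in params for p in PARAM_RE.findall(path)):
            continue
        rendered = PARAM_RE.sub(lambda m: params[m.group(1)], path)
        rules[rendered] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules

def allowed(rules, request_path, capability):
    """Simplified check: exact path, or a rule ending in '*' matched as a prefix."""
    for rule_path, caps in rules.items():
        glob = rule_path.endswith("*") and request_path.startswith(rule_path[:-1])
        if (rule_path == request_path or glob) and capability in caps:
            return True
    return False

if __name__ == "__main__":  # alice gets her own and the eu-west group paths; bob only his own
    for who in (ALICE, {"entity": {"name": "bob", "id": "e-2"}, "groups": {}}):
        print(who["entity"]["name"], render_policy(POLICY, who))
```

Run it to see that alice's rendered rules never cover another user's path, and that bob, who belongs to no group, receives no rule under group-kv at all.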

Identity Groups

Group trusted identities into logical groups for group-based access control.

$ curl --header "X-Vault-Token: ..." \
--header "X-Vault-MFA:my_totp:695452" \
http://127.0.0.1:8200/v1/secret/foo

Multi-factor Authentication

Enforce MFA workflows when accessing a secret or a secret path.
