Identity Plugins
Improve the extensibility of Vault with pluggable identity backends
Authenticate and access different clouds, systems, and endpoints using trusted identities
With the proliferation of different clouds, services, and systems all with their own identity providers, organizations need a way to manage identity sprawl
Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets
Integrate identities across platforms and use this information for policy and access control decisions.
Require multiple Identity Entities or members of Identity Groups to authorize a requested action.
Create and manage policies that authorize access control throughout your infrastructure and organization
```hcl
# User template (user-tmpl.hcl)
# Grant permissions on the user-specific path
path "user-kv/data/{{identity.entity.name}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}

# For Web UI usage
path "user-kv/metadata" {
  capabilities = ["list"]
}
```

```hcl
# Group template (group-tmpl.hcl)
# Grant permissions on the group-specific path
# The region is specified in the group metadata
path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}

# Group members can update the group information
path "identity/group/id/{{identity.groups.names.education.id}}" {
  capabilities = [ "update", "read" ]
}

# For Web UI usage
path "group-kv/metadata" {
  capabilities = ["list"]
}

path "identity/group/id" {
  capabilities = [ "list" ]
}
```
Group trusted identities into logical groups for group-based access control.
Enforce MFA workflows when accessing a secret or a secret path
```shell
$ curl --header "X-Vault-Token: ..." \
       --header "X-Vault-MFA:my_totp:695452" \
       http://127.0.0.1:8200/v1/secret/foo
```