Leverage Trusted Identities in Low Trust Networks

Authenticate and access different clouds, systems, and endpoints using trusted identities

The Challenge

With the proliferation of different clouds, services, and systems all with their own identity providers, organizations need a way to manage identity sprawl

The Solution

Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets

Identity-based Access Features

Identity Plugins

Improve the extensibility of Vault with pluggable identity backends

Entities

Integrate identities across platforms and use this information for policy and access control decisions.

Control Groups

Require multiple Identity Entities or members of Identity Groups to authorize a requested action.

ACL Templates and Policy Control

Create and manage policies that authorize access control throughout your infrastructure and organization

    # User template (user-tmpl.hcl)
    # Grant permissions on user specific path
    path "user-kv/data/{{identity.entity.name}}/*" {
      capabilities = [ "create", "update", "read", "delete", "list" ]
    }

    # For Web UI usage
    path "user-kv/metadata" {
      capabilities = ["list"]
    }

    # Group template (group-tmpl.hcl)
    # Grant permissions on the group specific path
    # The region is specified in the group metadata
    path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
      capabilities = [ "create", "update", "read", "delete", "list" ]
    }

    # Group member can update the group information
    path "identity/group/id/{{identity.groups.names.education.id}}" {
      capabilities = [ "update", "read" ]
    }

    # For Web UI usage
    path "group-kv/metadata" {
      capabilities = ["list"]
    }

    path "identity/group/id" {
      capabilities = [ "list" ]
    }

Identity Groups

Group trusted identities into logical groups for group-based access control.

Multi-factor Authentication

Enforce MFA workflows when accessing a secret or a secret path

    $ curl --header "X-Vault-Token: ..." \
        --header "X-Vault-MFA:my_totp:695452" \
        http://127.0.0.1:8200/v1/secret/foo
