Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Vault Human Authentication : Entity vs Alias
#!/bin/bash
# A user, Bob Smith at ACME Inc.
# happened to have two sets of credentials: bob and bsmith.
# To manage his accounts and link them to an identity Bob Smith,
# you are going to create an entity for Bob.
vault login root
# 01. it should be github, ldap.
# .. but for demo purpose userpass is enough
vault auth enable userpass
# 02.a new policy named base
cat > base.hcl <<EOF
path "secret/data/training*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
# 02.b create the policy base
vault policy write base base.hcl
## validate: vault policy read base
# 02.c more policies
cat > test.hcl <<EOF
path "secret/data/test" {
capabilities = [ "create", "read", "update", "delete" ]
}
EOF
cat > team-qa <<EOF
path "secret/data/team/qa" {
capabilities = [ "create", "read", "update", "delete" ]
}
EOF
# 02.d create policies
vault policy write test test.hcl
vault policy write team-qa team-qa.hcl
## validate: vault policy list
###### 03. Create users ####
# Create a new user in userpass backend:
# username: bob
# password: training
# policy: test
vault write auth/userpass/users/bob password="training" \
policies="test"
# Create another user in userpass backend:
# username: bsmith
# password: training
# policy: team-qa
vault write auth/userpass/users/bsmith password="training" \
policies="team-qa"
#!/bin/bash
# 01. discover the mount accessor for the userpass auth method
vault auth list \
-format=json | jq -r '.["userpass/"].accessor' > accessor.txt
## e.g: auth_userpass_58c45e44
vault auth list -detailed
## => Output includes the accessor ID for each auth method enabled on your Vault server.
## => For example, if LDAP and Okta auth methods were enabled on your server, the output includes the accessor ID for those methods:
# 02. Create New entity
vault write -format=json identity/entity name="bob-smith" \
policies="base" \
metadata=organization="ACME Inc." \
metadata=team="QA" \
| jq -r ".data.id" > entity_id.txt
# 03. add user bob to the bob-smith entity by creating an entity alias:
vault write identity/entity-alias name="bob" \
canonical_id=$(cat entity_id.txt) \
mount_accessor=$(cat accessor.txt)
vault write identity/entity-alias name="bsmith" \
canonical_id=$(cat entity_id.txt) \
mount_accessor=$(cat accessor.txt)
# 04. Read entity details
vault read identity/entity/id/$(cat entity_id.txt)
## --- Json format
vault read -format=json identity/entity/id/$(cat entity_id.txt)
#!/bin/bash
# 01. login as bob:
vault login -method=userpass username=bob password=training
##-- ouput must show
#-----------------
# token_policies ["default" "test"]
# identity_policies ["base"]
# policies ["base" "default" "test"]
#-----------------
# > test policy is attached directly to the user
# > base policy is inherited from his entity policies
# 02. Validate capability of test policy
vault kv put secret/test owner="bob"
# 03. check : Does current token has permissions on path ?
vault token capabilities secret/data/team/qa
###--> it does not have.
### team-qa policy must be attached to user (bob) or its entity in order to have access
#!/bin/bash
## 00. Log back in with the root token:
vault login root
## 01. create new policy team-eng
cat > team-eng.hcl <<EOF
path "secret/data/team/eng" {
capabilities = [ "create", "read", "update", "delete" ]
}
EOF
vault policy write team-eng team-eng.hcl
# 02. create an internal group named, engineers
# -- and add bob-smith entity as a group member.
# -- Also, assign the newly created team-eng policy to the group.
vault write -format=json identity/group name="engineers" \
policies="team-eng" \
member_entity_ids=$(cat entity_id.txt) \
metadata=team="Engineering" \
metadata=region="North America" \
| jq -r ".data.id" > group_id.txt
# 03. Read details of Group
vault read identity/group/id/$(cat group_id.txt)

By default, Vault creates an internal group.

When you create an internal group, you specify the group members, so you don't specify any group alias.

Group aliases are mapping between Vault and external identity providers (e.g. LDAP, GitHub, etc.).

Therefore, you define group aliases only when you create external groups.

For internal groups, you have member_entity_ids and/or member_group_ids instead.

example internal group creation

vault write -format=json identity/group name="engineers" \
      policies="team-eng" \
      member_entity_ids=$(cat entity_id.txt) \
      metadata=team="Engineering" \
      metadata=region="North America" \
      | jq -r ".data.id" > group_id.txt
#!/bin/bash
# 01. login with user
vault login -method=userpass username="bsmith" \
password="training"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment