@abdennour
Last active July 16, 2020 09:43
Vault Human Authentication: Entity vs Alias
#!/bin/bash
# A user, Bob Smith at ACME Inc.
# happened to have two sets of credentials: bob and bsmith.
# To manage his accounts and link them to an identity Bob Smith,
# you are going to create an entity for Bob.
vault login root
# 01. in production this would be github or ldap,
# .. but for demo purposes userpass is enough
vault auth enable userpass
# 02.a new policy named base
cat > base.hcl <<EOF
path "secret/data/training*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
# 02.b create the policy base
vault policy write base base.hcl
## validate: vault policy read base
# 02.c more policies
cat > test.hcl <<EOF
path "secret/data/test" {
capabilities = [ "create", "read", "update", "delete" ]
}
EOF
cat > team-qa.hcl <<EOF
path "secret/data/team/qa" {
capabilities = [ "create", "read", "update", "delete" ]
}
EOF
# 02.d create policies
vault policy write test test.hcl
vault policy write team-qa team-qa.hcl
## validate: vault policy list
###### 03. Create users ####
# Create a new user in userpass backend:
# username: bob
# password: training
# policy: test
vault write auth/userpass/users/bob password="training" \
policies="test"
# Create another user in userpass backend:
# username: bsmith
# password: training
# policy: team-qa
vault write auth/userpass/users/bsmith password="training" \
policies="team-qa"
#!/bin/bash
# 01. discover the mount accessor for the userpass auth method
vault auth list \
-format=json | jq -r '.["userpass/"].accessor' > accessor.txt
## e.g: auth_userpass_58c45e44
vault auth list -detailed
## => The output includes the accessor ID for each auth method enabled on your Vault server.
## => For example, if the LDAP and Okta auth methods were enabled on your server, the output would include the accessor ID for those methods as well.
# 02. Create New entity
vault write -format=json identity/entity name="bob-smith" \
policies="base" \
metadata=organization="ACME Inc." \
metadata=team="QA" \
| jq -r ".data.id" > entity_id.txt
# 03. add user bob to the bob-smith entity by creating an entity alias:
vault write identity/entity-alias name="bob" \
canonical_id=$(cat entity_id.txt) \
mount_accessor=$(cat accessor.txt)
vault write identity/entity-alias name="bsmith" \
canonical_id=$(cat entity_id.txt) \
mount_accessor=$(cat accessor.txt)
# 04. Read entity details
vault read identity/entity/id/$(cat entity_id.txt)
## --- Json format
vault read -format=json identity/entity/id/$(cat entity_id.txt)
#!/bin/bash
# 01. login as bob:
vault login -method=userpass username=bob password=training
##-- output must show
#-----------------
# token_policies ["default" "test"]
# identity_policies ["base"]
# policies ["base" "default" "test"]
#-----------------
# > the test policy is attached directly to the user
# > the base policy is inherited from his entity's policies
# 02. Validate the capability granted by the test policy
vault kv put secret/test owner="bob"
# 03. check: does the current token have permissions on this path?
vault token capabilities secret/data/team/qa
###--> it does not; Vault answers deny.
### the team-qa policy must be attached to the user (bob) or to his entity to grant access
#!/bin/bash
## 00. Log back in with the root token:
vault login root
## 01. create new policy team-eng
cat > team-eng.hcl <<EOF
path "secret/data/team/eng" {
capabilities = [ "create", "read", "update", "delete" ]
}
EOF
vault policy write team-eng team-eng.hcl
# 02. create an internal group named engineers
# -- and add the bob-smith entity as a group member.
# -- Also, assign the newly created team-eng policy to the group.
vault write -format=json identity/group name="engineers" \
policies="team-eng" \
member_entity_ids=$(cat entity_id.txt) \
metadata=team="Engineering" \
metadata=region="North America" \
| jq -r ".data.id" > group_id.txt
# 03. Read details of Group
vault read identity/group/id/$(cat group_id.txt)

By default, Vault creates an internal group.

When you create an internal group, you specify the group members, so you don't specify any group alias.

Group aliases are mappings between Vault and external identity providers (e.g. LDAP, GitHub, etc.).

Therefore, you define group aliases only when you create external groups.

For internal groups, you specify member_entity_ids and/or member_group_ids instead.

Example of internal group creation:

vault write -format=json identity/group name="engineers" \
      policies="team-eng" \
      member_entity_ids=$(cat entity_id.txt) \
      metadata=team="Engineering" \
      metadata=region="North America" \
      | jq -r ".data.id" > group_id.txt
#!/bin/bash
# 01. login with user
vault login -method=userpass username="bsmith" \
password="training"
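As an added example (not part of the gist), here is a pure-shell model of what the logins in this gist show: Vault unions the policies attached to the userpass user, to the entity its alias maps to, and to the group that entity belongs to, then resolves a requested path against that set. The policy rules, users, aliases, entity and group are constructed to mirror this gist in the state after the engineers group exists; the function names effective_policies and capabilities are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the gist: a pure-shell model of how Vault builds a
# token's effective policy set (token policies + entity policies + group policies)
# and then evaluates a path against it, the way `vault token capabilities` does.
# All data below is constructed to mirror the gist (users bob and bsmith, entity
# bob-smith, group engineers) in the state after the engineers group exists.
# <policy> <path pattern> <capabilities>; a trailing "*" is a glob, as in Vault ACLs.
# The built-in "default" policy grants nothing under secret/, so it has no rule here.
POLICY_RULES='
base     secret/data/training*  create,read,update,delete,list
test     secret/data/test       create,read,update,delete
team-qa  secret/data/team/qa    create,read,update,delete
team-eng secret/data/team/eng   create,read,update,delete
'
USER_POLICIES='bob test
bsmith team-qa'                    # userpass user -> policies attached to the user itself
ENTITY_ALIASES='bob bob-smith
bsmith bob-smith'                  # alias name -> entity it is linked to
ENTITY_POLICIES='bob-smith base'   # entity -> policies set on the entity
GROUP_MEMBERS='engineers bob-smith team-eng'   # group -> member entity -> group policy

# effective_policies USER: sorted, de-duplicated union of token, entity and group policies
effective_policies() {
  entity=$(printf '%s\n' "$ENTITY_ALIASES" | awk -v u="$1" '$1 == u {print $2}')
  {
    echo default                                       # Vault attaches "default" at login
    printf '%s\n' "$USER_POLICIES"   | awk -v u="$1"      '$1 == u {print $2}'
    printf '%s\n' "$ENTITY_POLICIES" | awk -v e="$entity" '$1 == e {print $2}'
    printf '%s\n' "$GROUP_MEMBERS"   | awk -v e="$entity" '$2 == e {print $3}'
  } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# capabilities USER PATH: capabilities granted on PATH, or "deny" when no rule matches.
# Mirrors Vault's ACL resolution: an exact path rule beats a glob, otherwise the longest
# matching glob prefix wins; rules from different policies on the same path are unioned.
capabilities() {
  caps=$(printf '%s\n' "$POLICY_RULES" |
    awk -v pols=" $(effective_policies "$1") " -v path="$2" '
      index(pols, " " $1 " ") {                       # rule belongs to an effective policy
        pat = $2; glob = sub(/\*$/, "", pat)
        if (glob ? index(path, pat) == 1 : path == pat) {
          score = length(pat) + (glob ? 1 : 100000)   # exact match outranks any glob
          if (score > best)       { best = score; caps = $3 }
          else if (score == best) { caps = caps "," $3 }
        }
      }
      END { print caps }' | tr ',' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//')
  [ -n "$caps" ] && echo "$caps" || echo deny
}
```

Running `effective_policies bsmith` reproduces what the last login in this gist should report: base from the entity, team-eng from the group, team-qa from the user itself, plus default.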