Entities, Aliases and Groups Lecture

00:00

Welcome back to Vault Access Management. This is going to be a lecture video. The next video. We're going to get it back in front of the terminal and put toe work what we learn here. But in this video, we're gonna cover the concepts such as introducing you to the Identity Secrets engine. We've talked about a lot of secrets. Tensions. We've worked with the user passed Secrets engine.

00:20

We have worked with the token Secrets engine.

00:23

Now we're gonna work with the identity secrets engine. Rose are gonna understand how you handle the situation when you have the same individual is actually authenticating using different accounts from different off systems. How do you deal with that problem? How do you

00:38

deal with internal and external groups and logically grouping individuals and giving those group memberships?

00:45

And finally, we'll talk about role of Simon inheritance and how vault determines which policies they're going to be applicable to your account once you've authenticated.

00:56

So, case of multiple identities. We have James Bond in the middle and he actually has to Loggins ones James dot bond. And the other is Jane J. Bond. Double 07 He uses one log in when he's talking to Amazon Web services, and he has a different log in when he's talking to Azar.

01:15

But it really is the same guy,

01:18

and he uses both Loggins to talk to. Vault logically is the same person, whether he's using James dot Bond or J. Bond double 07 This is where we bring in the concept of an entity involved.

01:30

So we create an entity called James Bond and then the individual Loggins get map to using aliases to that entity and its that entity that Vault recognizes. So it knows it is dealing with same individual, whether they're James dot bond or J Bond double 07

01:51

As with typical user management,

01:53

these entities get associated with one or more groups. You can have groups of groups and involved. There's really two categories of groups. There's internal groups,

02:02

and that is the default way that a group is set up. And in that circumstance, the membership to the group is managed and maintained with involved itself. On the flip side, there are external groups, so you're actually gonna create a group alias that points to an external off system,

02:20

and so this could be such as an L DAP system and get hub.

02:23

You have teams different teams defined and get up, and you want to manage the membership to those and control it external to vault. But you still want vault to be aware of the entities membership to these different groups so that it can apply the appropriate policies based on that group membership.

02:43

So let's bring it all together and talk a little bit about policy inheritance. Here's a fictitious tree. All of the G's represent a group.

02:52

The ease represent an entity, and the I DS represent those individual log in I. D. S. So you can see at the very bottom there's I d one. There's 82. They both roll up in points to the same entity. They're both aliases to the same entity. That entity

03:09

belongs to Group three g three. It also belongs to Group for G four,

03:15

and then G three is actually using the groups of groups capabilities with involved. G three belongs to a larger super group called G one Over on the far right, we have I d three and that as an alias for entity to that belongs to group for so what happens when you

03:31

log in with I the I d one or I d to

03:36

let's for sake of simplicity. Assume that every entity has a policy assigned to it. That is the same name. So he one entity want me to be to Every group also has a policy assigned to it, which is the same name as the group. And then every i d has a policy assigned to it. That is the same name

03:54

as Theo. I d.

03:57

Just for this example Sick. You probably wouldn't want to do this in the real world scenario. So what happens when you log in with I d one? What are the different policies that you're going to get? Course you're gonna get policy one.

04:09

Then you're going to get the policy e one g three, g one and G four. So it just crawls its way up to the top of the tree and you're gonna end up with 12345 different policies Associate ID With that authentication token

04:26

in this video, we went over the concepts off entities and aliases. We talked about using groups to manage the capabilities, assigning policies to groups, groups, of groups assigning entities have membership to one or more groups. And then we walked through the nuances of

04:44

how policies get assigned to the particular tokens

04:47

based on the I D that you authenticate with vault using