One problem I encounter while using Vault is that when I configure an external authentication method such as OIDC or Kubernetes, every individual user who is authorized to use that authentication backend (such as users from my organization's OIDC provider or all service accounts in my Kubernetes cluster) is automatically granted access to Vault and an entity (along with an alias) is generated for them.
I would like to personally maintain a list of entities and their aliases through either an IaC or UI. When a user attempts to authenticate, Vault will first check the entity aliases for the user. If a corresponding alias and entity exist, the user will be authenticated and assigned a token, otherwise, the login gets rejected.
I can implement the required scenario and submit a pull request. The solution involves adding an option to each authentication backend tune to determine the dynamic creation of entities. However, I need to ensure that this behavior aligns with Vault's overall policies and is acceptable.
Thank you for your response, @fairclothjm. However, the solution you provided does not fully meet my needs. It requires manual appending of entities to a long list of bound_claims or bound_service_account_names every time I add a new entity to my Vault, which is not very tidy. Ideally, I would like claims or service accounts to authenticate only if an entity and alias have already been created for them, as requested in issue #14989.
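The workaround referred to above (keeping a Kubernetes auth role's `bound_service_account_names` in step with the entities you have registered) can be automated rather than maintained by hand. The script below is an added example, not code from the issue author or from the Vault project: it reads the existing entity aliases for one auth mount, derives one role per namespace whose bound names are exactly the aliases registered there, and writes those roles back. It assumes the Kubernetes auth role is configured with `alias_name_source=serviceaccount_name` (so alias names have the form `namespace/serviceaccount`), and the mount accessor, role-name prefix and policy names are placeholders. The alias listing embedded below is constructed sample data.

```python
"""
Derive Vault Kubernetes auth role bindings from the entity aliases that already
exist on the mount, so that only service accounts with a pre-registered entity
can pass the role's binding check.

Assumptions (not from the issue): the auth role uses
alias_name_source=serviceaccount_name, so alias names look like
"<namespace>/<serviceaccount>"; aliases come from LIST identity/entity-alias/id
and roles are written with POST auth/<mount>/role/<name>.
"""
import json
import os
import urllib.request

# Constructed sample of what LIST identity/entity-alias/id returns (trimmed).
SAMPLE_ALIAS_LISTING = {
    "data": {
        "keys": ["a1", "a2", "a3", "a4"],
        "key_info": {
            "a1": {"name": "payments/api", "mount_accessor": "auth_kubernetes_1234", "canonical_id": "e1"},
            "a2": {"name": "billing/worker", "mount_accessor": "auth_kubernetes_1234", "canonical_id": "e2"},
            # Alias on a different mount (OIDC): must be ignored.
            "a3": {"name": "alice@example.com", "mount_accessor": "auth_oidc_5678", "canonical_id": "e3"},
            # Alias not in namespace/name form: must be ignored, not bound.
            "a4": {"name": "malformed-no-slash", "mount_accessor": "auth_kubernetes_1234", "canonical_id": "e4"},
        },
    }
}


def derive_bindings(alias_listing, mount_accessor):
    """Return {namespace: [service account names]} for aliases on one mount."""
    bindings = {}
    for info in alias_listing["data"]["key_info"].values():
        if info.get("mount_accessor") != mount_accessor:
            continue
        namespace, sep, sa_name = info["name"].partition("/")
        if not sep or not namespace or not sa_name:
            continue  # not a "namespace/name" alias; never bind it by accident
        bindings.setdefault(namespace, set()).add(sa_name)
    return {ns: sorted(names) for ns, names in sorted(bindings.items())}


def build_role_payloads(bindings, policies, role_prefix="k8s", ttl="1h"):
    """One role per namespace, so names and namespaces are bound as exact pairs.

    Binding several namespaces and several names in a single role grants the
    cross product (any listed name in any listed namespace), which is wider
    than the registered aliases; per-namespace roles avoid that.
    """
    if not bindings:
        # An empty list is rejected by Vault and "*" would admit everyone.
        raise ValueError("refusing to write roles with no bound service accounts")
    payloads = {}
    for namespace, names in bindings.items():
        payloads[f"{role_prefix}-{namespace}"] = {
            "bound_service_account_names": names,
            "bound_service_account_namespaces": [namespace],
            "alias_name_source": "serviceaccount_name",
            "token_policies": policies,
            "token_ttl": ttl,
        }
    return payloads


def vault_request(method, path, body=None):
    """Minimal Vault API call using VAULT_ADDR / VAULT_TOKEN from the environment."""
    url = os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def sync_roles(mount="kubernetes", mount_accessor="auth_kubernetes_1234", policies=("app-read",)):
    """Read current aliases and rewrite the per-namespace roles to match them."""
    listing = vault_request("GET", "identity/entity-alias/id?list=true")
    payloads = build_role_payloads(derive_bindings(listing, mount_accessor), list(policies))
    for role_name, payload in payloads.items():
        vault_request("POST", f"auth/{mount}/role/{role_name}", payload)
    return sorted(payloads)


if __name__ == "__main__":
    # Offline run against the constructed sample; sync_roles() needs a live Vault.
    sample = build_role_payloads(derive_bindings(SAMPLE_ALIAS_LISTING, "auth_kubernetes_1234"), ["app-read"])
    print(json.dumps(sample, indent=2))
```

Run it from a scheduled job or as a post-apply step in the same IaC that creates the entities and aliases, so a service account that has no alias also has no role binding. Note that this only tightens the role's binding check; it does not stop Vault from creating an entity for a service account that is later added to a role by other means, which is the behaviour the issue asks to make configurable.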