
Customize the automatic creation of entities based on auth backend tune #23602

Closed
abexamir opened this issue Oct 11, 2023 · 4 comments

Comments

@abexamir

One problem I encounter while using Vault is that when I configure an external authentication method such as OIDC or Kubernetes, every individual user who is authorized to use that authentication backend (such as users from my organization's OIDC provider or all service accounts in my Kubernetes cluster) is automatically granted access to Vault and an entity (along with an alias) is generated for them.

I would like to personally maintain a list of entities and their aliases through either IaC or the UI. When a user attempts to authenticate, Vault will first check the entity aliases for the user. If a corresponding alias and entity exist, the user will be authenticated and assigned a token; otherwise, the login gets rejected.

I can implement the required scenario and submit a pull request. The solution involves adding an option to each authentication backend tune to determine the dynamic creation of entities. However, I need to ensure that this behavior aligns with Vault's overall policies and is acceptable.

@fairclothjm
Contributor

@abexamir Hello! This should already be possible today with bound_claims and bound_service_account_names for OIDC Auth and Kubernetes Auth, respectively.

Please let us know if these do not work for your use case. Thanks!
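The role parameters named in the reply above decide which external identities a role admits before Vault ever creates an entity or alias. The following is an added example, not Vault's source code and not written by anyone in this thread: it models the documented matching rules for `bound_claims` / `bound_claims_type` (OIDC/JWT auth) and `bound_service_account_names` / `bound_service_account_namespaces` (Kubernetes auth) so you can see exactly which sample identities a role lets in. The function names, the two sample roles and the sample ID-token claim sets are all constructed for this illustration.

```python
"""Model of Vault's per-role login restrictions (added illustration).

This is not Vault's source code. It reproduces the documented behaviour of
the role parameters named in the comment above: `bound_claims` /
`bound_claims_type` for the OIDC/JWT auth method and
`bound_service_account_names` / `bound_service_account_namespaces` for the
Kubernetes auth method. All claim sets and service accounts below are
constructed sample data; the function names are this example's own.
"""
from fnmatch import fnmatchcase


def _lookup_claim(claims, key):
    """Resolve a bound_claims key against a decoded token.

    Plain keys name a top-level claim. Keys beginning with "/" are treated
    as JSON pointers into nested claims (Vault accepts this syntax for
    claims such as "/resource_access/vault/roles"). Returns None if absent.
    """
    if not key.startswith("/"):
        return claims.get(key)
    node = claims
    for part in key.split("/")[1:]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def claims_allowed(claims, bound_claims, bound_claims_type="string"):
    """True if every bound claim has at least one value matching the token.

    - A bound value may be a single value or a list of acceptable values.
    - A token claim may itself be a list (e.g. "groups"); any element matching
      any acceptable value satisfies that claim.
    - bound_claims_type "string" means exact match, "glob" means shell-style
      glob match on the string form of the values.
    """
    if bound_claims_type not in ("string", "glob"):
        raise ValueError("bound_claims_type must be 'string' or 'glob'")
    for key, expected in bound_claims.items():
        actual = _lookup_claim(claims, key)
        if actual is None:
            return False  # a missing claim never satisfies a binding
        actual_values = actual if isinstance(actual, list) else [actual]
        expected_values = expected if isinstance(expected, list) else [expected]
        if bound_claims_type == "glob":
            matched = any(fnmatchcase(str(a), str(e))
                          for a in actual_values for e in expected_values)
        else:
            matched = any(a == e for a in actual_values for e in expected_values)
        if not matched:
            return False
    return True


def service_account_allowed(sa_name, sa_namespace, bound_names, bound_namespaces):
    """Kubernetes auth: the token's service account must be in both lists.

    A literal "*" in either list admits any name or namespace, respectively,
    which is the over-broad setting the issue author is worried about.
    """
    name_ok = "*" in bound_names or sa_name in bound_names
    ns_ok = "*" in bound_namespaces or sa_namespace in bound_namespaces
    return name_ok and ns_ok


# Constructed sample data: an OIDC role bound to an "ops" group claim, and a
# Kubernetes role bound to one service account in one namespace.
OIDC_ROLE = {"bound_claims": {"groups": ["ops"]}, "bound_claims_type": "string"}
K8S_ROLE = {"bound_service_account_names": ["vault-agent"],
            "bound_service_account_namespaces": ["default"]}

SAMPLE_ID_TOKENS = {
    "alice": {"sub": "alice", "email": "alice@example.com", "groups": ["dev", "ops"]},
    "bob":   {"sub": "bob",   "email": "bob@example.com",   "groups": ["dev"]},
}


def who_can_log_in(tokens=SAMPLE_ID_TOKENS, role=OIDC_ROLE):
    """Return the sorted list of sample users the OIDC role would admit."""
    return sorted(name for name, claims in tokens.items()
                  if claims_allowed(claims, role["bound_claims"],
                                    role["bound_claims_type"]))


if __name__ == "__main__":
    print("OIDC role admits:", who_can_log_in())
    for sa in ("vault-agent", "new-service"):
        print(sa, "in default ->",
              service_account_allowed(sa, "default",
                                      K8S_ROLE["bound_service_account_names"],
                                      K8S_ROLE["bound_service_account_namespaces"]))
```

Running the model shows the trade-off the thread goes on to discuss: the "ops" group binding admits alice but not bob without listing either of them by name, whereas the Kubernetes role admits only `vault-agent` in `default`, so every new service account has to be appended to `bound_service_account_names` on the role. Using `"*"` in those lists removes that chore but hands a Vault login to every service account in the bound namespaces, which is exactly the automatic entity creation the issue author wants to avoid.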

@abexamir
Author

Thank you for your response, @fairclothjm. However, the solution you provided does not fully meet my needs. It requires manual appending of entities to a long list of bound_claims or bound_service_account_names every time I add a new entity to my Vault, which is not very tidy. Ideally, I would like claims or service accounts to authenticate only if an entity and alias have already been created for them, as requested in issue #14989.

@fairclothjm
Contributor

@abexamir Thanks for the clarification! I will discuss with my team if this is something we want to support.

In the meantime, are you okay with closing this issue in favor of #14989?

@abexamir
Author

abexamir commented Oct 18, 2023

Certainly. Could you please provide an update on #14989? It would be helpful for everyone to stay informed. Thank you.
