<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/acme.jpeg width=100 align=left>

# Identity: Entity and Groups
Vault client may have multiple accounts with various IdP that are enabled on the Vault server.  Vault clients can be mapped as **entities** and their corresponding accounts with authentication providers can be mapped as aliases.  In essence, each entity is made of zero or more aliases.
<img src=images/vault-identity-1.png width=600 align=left>

### Vault Setup

Prerequisities:
* Vault binary

Command to execute (in separate windows):
```
VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 vault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional
```

In [98]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true

In [99]:
vault --version

[0mVault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)[0m


### Apply License (recommended)

In [100]:
export VAULT_TOKEN=root
curl \
    --insecure \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request PUT \
    --data @/Users/tio/Documents/vault_license.json \
    $VAULT_ADDR/v1/sys/license

In [101]:
curl -s \
    --insecure \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    $VAULT_ADDR/v1/sys/license  |jq ".data"
unset VAULT_TOKEN

[1;39m{
  [0m[34;1m"expiration_time"[0m[1;39m: [0m[0;32m"2022-01-21T00:00:00Z"[0m[1;39m,
  [0m[34;1m"features"[0m[1;39m: [0m[1;39m[
    [0;32m"HSM"[0m[1;39m,
    [0;32m"Performance Replication"[0m[1;39m,
    [0;32m"DR Replication"[0m[1;39m,
    [0;32m"MFA"[0m[1;39m,
    [0;32m"Sentinel"[0m[1;39m,
    [0;32m"Seal Wrapping"[0m[1;39m,
    [0;32m"Control Groups"[0m[1;39m,
    [0;32m"Performance Standby"[0m[1;39m,
    [0;32m"Namespaces"[0m[1;39m,
    [0;32m"KMIP"[0m[1;39m,
    [0;32m"Entropy Augmentation"[0m[1;39m,
    [0;32m"Transform Secrets Engine"[0m[1;39m,
    [0;32m"Lease Count Quotas"[0m[1;39m,
    [0;32m"Key Management Secrets Engine"[0m[1;39m,
    [0;32m"Automated Snapshots"[0m[1;39m
  [1;39m][0m[1;39m,
  [0m[34;1m"license_id"[0m[1;39m: [0m[0;32m"8b210a93-071b-6ce3-3705-961c0f9d04a2"[0m[1;39m,
  [0m[34;1m"performance_standby_count"[0m[1;39m: [0m[0;39m9999[0m[1;39m,
  [0m[34;1m"start_time"[0m[1;39m: 

In [102]:
vault status

[0mKey             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.6.1+ent
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-a11da3e7
Cluster ID      bf586051-bfc0-e788-246e-1c15945be4e7
HA Enabled      true
HA Cluster      https://127.0.0.1:8201
HA Mode         active
Last WAL        34[0m


In [14]:
unset VAULT_TOKEN
vault login root

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       GoC4rFnEV9ZPLsymXDgliL6k
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m


**Note:** the Initialized and Sealed status above.

In [103]:

vault auth enable userpass

vault policy write base - <<"EOF"
path "secret/data/training" {
   capabilities = [ "create", "read"]
}
EOF

vault policy write team-qa - <<"EOF"
path "secret/data/team/qa" {
   capabilities = [ "create", "read", "delete" ]
}
EOF

vault policy write test - <<"EOF"
path "secret/data/test" {
   capabilities = [ "create", "read", "update", "delete" ]
}
EOF

vault policy write team-eng - <<"EOF"
path "secret/data/team/eng" { 
   capabilities = [ "create", "read", "update", "delete" ]
} 
EOF


[0mSuccess! Enabled userpass auth method at: userpass/[0m
[0mSuccess! Uploaded policy: base[0m
[0mSuccess! Uploaded policy: team-qa[0m
[0mSuccess! Uploaded policy: test[0m
[0mSuccess! Uploaded policy: team-eng[0m


### Create Users
<img src="images/vault-entity-1.png">

Create two users (entity aliases) each having a different policy.

In [71]:
vault write auth/userpass/users/bob password="training" policies="test"

[0mSuccess! Data written to: auth/userpass/users/bob[0m


In [72]:
vault write auth/userpass/users/bsmith password="training" policies="team-qa"

[0mSuccess! Data written to: auth/userpass/users/bsmith[0m


In [73]:
vault auth list
ACCESSOR=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')
echo "\nuserpass/ accessor is $ACCESSOR"

[0mPath         Type        Accessor                  Description
----         ----        --------                  -----------
token/       token       auth_token_b18ddeff       token based credentials
userpass/    userpass    auth_userpass_1d445a31    n/a[0m

userpass/ accessor is auth_userpass_1d445a31


### Create an Entity

In [74]:
vault write -format=json identity/entity name="bob-smith" policies="base" \
   metadata=organization="ACME Inc." metadata=team="QA" | tee /tmp/bob-smith-entity.json

{
  "request_id": "9a50b774-573e-f727-47a2-31ea7afa0715",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "aliases": null,
    "id": "5f9a65a7-6bb6-3a37-35ae-972041903ad6",
    "name": "bob-smith"
  },
}


In [75]:
cat /tmp/bob-smith-entity.json | jq -r ".data.id" > /tmp/bob-smith-entity_id.txt
cat /tmp/bob-smith-entity_id.txt

5f9a65a7-6bb6-3a37-35ae-972041903ad6


### Create Aliases for the Entity

In [76]:
vault write identity/entity-alias name="bob" canonical_id=$(cat /tmp/bob-smith-entity_id.txt) mount_accessor=$ACCESSOR

[0mKey             Value
---             -----
canonical_id    5f9a65a7-6bb6-3a37-35ae-972041903ad6
id              1eb77f84-0bbe-9fc0-8235-3bfcb61ba7b2[0m


In [77]:
vault write identity/entity-alias name="bsmith" canonical_id=$(cat /tmp/bob-smith-entity_id.txt) mount_accessor=$ACCESSOR

[0mKey             Value
---             -----
canonical_id    5f9a65a7-6bb6-3a37-35ae-972041903ad6
id              15fce562-eb69-8b46-6da3-ea1b52955858[0m


In [78]:
vault list identity/entity/id

[0mKeys
----
5f9a65a7-6bb6-3a37-35ae-972041903ad6[0m


**Check Entity's aliases**

In [80]:
vault read identity/entity/id/$(cat /tmp/bob-smith-entity_id.txt) -format=json

{
  "request_id": "740adf98-4384-654c-b770-d3829eb03ed2",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "aliases": [
      {
        "canonical_id": "5f9a65a7-6bb6-3a37-35ae-972041903ad6",
        "creation_time": "2020-12-28T08:25:55.429917Z",
        "id": "1eb77f84-0bbe-9fc0-8235-3bfcb61ba7b2",
        "last_update_time": "2020-12-28T08:25:55.429917Z",
        "merged_from_canonical_ids": null,
        "metadata": null,
        "mount_accessor": "auth_userpass_1d445a31",
        "mount_path": "auth/userpass/",
        "mount_type": "userpass",
        "name": "bob"
      },
      {
        "canonical_id": "5f9a65a7-6bb6-3a37-35ae-972041903ad6",
        "creation_time": "2020-12-28T08:25:57.726381Z",
        "id": "15fce562-eb69-8b46-6da3-ea1b52955858",
        "last_update_time": "2020-12-28T08:25:57.726381Z",
        "merged_from_canonical_ids": null,
        "metadata": null,
        "mount_accessor": "auth_userpass_1d445a31",
        "mount_path":

**Note:** Alternatively, launch Vault UI http://localhost:8200/ui and go to **ACCESS > Entities** followed by **Aliases**

### Test the Entity
Understand how a token inherits the capabilities from entity's policy.

In [91]:
vault login -method=userpass username=bob password=training

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                    Value
---                    -----
token                  s.NyMlmsHBCEthCTqyMro2HVeG
token_accessor         5nX52z58L05t2uZVNbf8LEl2
token_duration         768h
token_renewable        true
token_policies         ["default" "test"]
identity_policies      ["base"]
policies               ["base" "default" "test"]
token_meta_username    bob[0m


**Note:**  
* the token generated has `default` and `test` policies attached (`token_policies`)
* because `bob` is a member of `bob-smith` entity, he inherited `base` policy  (`identity_policies`)
* therefore `bob` is permitted to perform operations allowed by `base`, `test` and `default` policies

### Test Policies
`test` policy grants CRUD on `secret/data/test` path.

In [92]:
vault kv put secret/test owner="bob"

[0mKey              Value
---              -----
created_time     2020-12-28T08:30:51.257633Z
deletion_time    n/a
destroyed        false
version          3[0m


In [93]:
vault kv get secret/test

[0mKey              Value
---              -----
created_time     2020-12-28T08:30:51.257633Z
deletion_time    n/a
destroyed        false
version          3[0m
[0m[0m
[0m==== Data ====[0m
[0mKey      Value
---      -----
owner    bob[0m


**Note:** Although `bob` and `bsmith` belong to the same person, allowed permissions may differ depending on the authentication account he uses to login.

In [98]:
vault token capabilities secret/data/team/qa`

[0mdeny[0m


### Create an Internal Group
<img src="images/vault-identity-2.png" width=500>

In [None]:
vault login root

In [104]:
vault policy read team-eng

[0mpath "secret/data/team/eng" { 
   capabilities = [ "create", "read", "update", "delete" ]
}[0m


In [111]:
vault write -format=json identity/group name="engineers2" policies="team-eng" \
   member_entity_ids=$(cat /tmp/bob-smith-entity_id.txt) \
   metadata=team="Engineering" metadata=region="North America" | tee /tmp/engineers.json

{
  "request_id": "bc0813c3-8aae-aa35-f87c-18a78a6459be",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "id": "31eb4406-4f54-2ede-fd34-df97a8582ebf",
    "name": "engineers2"
  },
}


In [112]:
cat /tmp/engineers.json | jq -r ".data.id" > /tmp/engineers-group_id.txt
cat /tmp/engineers-group_id.txt

31eb4406-4f54-2ede-fd34-df97a8582ebf


**List existing groups by IDs**

In [113]:
vault list identity/group/id

[0mKeys
----
0c9cc927-a259-60e9-7808-f872269e9dd9
31eb4406-4f54-2ede-fd34-df97a8582ebf
9041080e-b06e-68f9-f6b1-4419962f57e8[0m


**List existing groups by Name**

In [114]:
vault list identity/group/name

[0mKeys
----
engineers
engineers1
engineers2[0m


In [116]:
vault read identity/group/name/engineers

[0mKey                  Value
---                  -----
alias                map[]
creation_time        2020-12-28T08:48:40.763495Z
id                   31eb4406-4f54-2ede-fd34-df97a8582ebf
last_update_time     2020-12-28T08:48:40.763495Z
member_entity_ids    [5f9a65a7-6bb6-3a37-35ae-972041903ad6]
member_group_ids     <nil>
metadata             map[region:North America team:Engineering]
modify_index         1
name                 engineers2
namespace_id         root
parent_group_ids     <nil>
policies             [team-eng]
type                 internal[0m


**Note:** by default, Vault creates an **internal group**. When you create an internal group, you specify the group members.  You do not specify any group alias.  Group aliases are mapping between Vault and external IdP (e.g. LDAP, GitHub, etc.).
Therefore, you define group aliases only when you create **external groups**.  For internal groups, you have `member_entity_ids` and/or `member_group_ids` instead.

### Test the Group
Let's understand how a token inherits capabilities from its associating group.

In [118]:
unset VAULT_TOKEN
vault login -method=userpass username="bsmith" password="training"

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                    Value
---                    -----
token                  s.UemBfgkXhAJFmC9FDY24mETM
token_accessor         FJkPBp41zEi1Gtmwrgk2WfUl
token_duration         768h
token_renewable        true
token_policies         ["default" "team-qa"]
identity_policies      ["base" "team-eng"]
policies               ["base" "default" "team-eng" "team-qa"]
token_meta_username    bsmith[0m


**Note:**  
* the token generated has `default` and `team-qa` policies attached (`token_policies`)
* because `bsmith` is a member of `bob-smith` entity, he inherited `base` policy  (`identity_policies`)
* because `bsmith` is a member of `team-qa` group, he inherited `team-qa` policy
* therefore `bsmith` is permitted to perform operations allowed by `base`, `default`, `team-eng`, and `team-qa` policies

In [120]:
vault token capabilities secret/data/team/qa

[0mcreate, delete, read[0m


**Note:** do the same for
```
1. secret/data/training_test
2. secret/data/team/qa
3. secret/data/team/eng
4. secret/data/test
```

### Create External Group and Group Alias
Test your Github token:
```
curl -H "Authorization: token <your_github_token>" https://api.github.com/user/teams
```


In [104]:
vault login root > /dev/null

vault policy write education - <<"EOF"
path "secret/data/education" {
   capabilities = [ "create", "read", "update", "delete" , "list"]
}
EOF


[0mSuccess! Uploaded policy: education[0m


### Github Auth

In [78]:
vault login root

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       smRm96RSjMkLynY89s3aE3ox
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m


In [95]:
vault auth enable github

[91mError enabling github auth: Error making API request.

URL: POST http://127.0.0.1:8200/v1/sys/auth/github
Code: 400. Errors:

* path is already in use at github/[0m


In [96]:
vault write auth/github/config organization=hashicorp

[0mSuccess! Data written to: auth/github/config[0m


In [97]:
vault auth list
GITHUB_ACCESSOR=$(vault auth list -format=json | jq -r '.["github/"].accessor')
echo "\ngithub accessor is $GITHUB_ACCESSOR"

[0mPath         Type        Accessor                  Description
----         ----        --------                  -----------
github/      github      auth_github_0a93fa6c      n/a
token/       token       auth_token_cb0918e8       token based credentials
userpass/    userpass    auth_userpass_b0c7930b    n/a[0m

github accessor is auth_github_0a93fa6c


### Create External Group

In [90]:
vault write identity/group name="team-se" -format=json \
  type=external \
  policies="education" | tee /tmp/education.json
  

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       smRm96RSjMkLynY89s3aE3ox
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m
{
  "request_id": "448fb980-8220-872d-b153-94e0794c35dc",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "id": "95756b1e-445a-61f8-5243-4289c1916627",
    "name": "team-se"
  },
}


In [91]:

EDU_GROUP_ID=$(cat /tmp/education.json | jq -r ".data.id" )
echo $EDU_GROUP_ID

95756b1e-445a-61f8-5243-4289c1916627


### Create Group Alias

In [92]:
vault login root > /dev/null
vault write identity/group-alias name="team-se" \
  mount_accessor=$GITHUB_ACCESSOR \
  canonical_id=$EDU_GROUP_ID

[0mKey             Value
---             -----
canonical_id    95756b1e-445a-61f8-5243-4289c1916627
id              080c68e5-7437-2b53-8957-e8f3a5ca7ddb[0m


In [23]:
curl -H "Authorization: token 3f235bd7c923cebdbd77b3d87df6dde76a7f0034" https://api.github.com/user/teams

[
  {
    "name": "core",
    "id": 275320,
    "node_id": "MDQ6VGVhbTI3NTMyMA==",
    "slug": "core",
    "description": "",
    "privacy": "secret",
    "url": "https://api.github.com/organizations/761456/team/275320",
    "html_url": "https://github.com/orgs/hashicorp/teams/core",
    "members_url": "https://api.github.com/organizations/761456/team/275320/members{/member}",
    "repositories_url": "https://api.github.com/organizations/761456/team/275320/repos",
    "permission": "pull",
    "created_at": "2012-11-01T04:26:46Z",
    "updated_at": "2016-04-12T12:27:36Z",
    "members_count": 678,
    "repos_count": 620,
    "organization": {
      "login": "hashicorp",
      "id": 761456,
      "node_id": "MDEyOk9yZ2FuaXphdGlvbjc2MTQ1Ng==",
      "url": "https://api.github.com/orgs/hashicorp",
      "repos_url": "https://api.github.com/orgs/hashicorp/repos",
      "events_url": "https://api.github.com/orgs/hashicorp/events",
      "hooks_url": "https://api.github.com/orgs/hashicorp/ho

In [43]:
vault login root
vault write auth/github/config organization=hashicorp

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       GoC4rFnEV9ZPLsymXDgliL6k
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m
[0mSuccess! Data written to: auth/github/config[0m


In [106]:

vault login -method=github token="3f235bd7c923cebdbd77b3d87df6dde76a7f0034"

[91mError authenticating: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/github/login
Code: 400. Errors:

* missing client token[0m


**Note:** I belong to `team-se` in GitHub and therefore to external group `team-se` which inherit `education` policy.  Therefore I can modify secret/data/education and nothing else.

In [94]:
vault login root 
vault read identity/group/name/team-se -format=json

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       smRm96RSjMkLynY89s3aE3ox
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m
{
  "request_id": "6846e9c9-d292-724d-bc35-3a0fe20fe1f7",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "alias": {
      "canonical_id": "95756b1e-445a-61f8-5243-4289c1916627",
      "creation_time": "2020-12-29T02:12:23.685259Z",
      "id": "080c68e5-7437-2b53-8957-e8f3a5ca7ddb",
      "last_update_time": "2020-12-29T02:12:23.6853Z",
      "merged_from_canonical_ids": null,
      "metadata": null,
      "mount_accessor": "auth_github_0a93fa6c",
      "mount_path": "auth

### License Vault

In [57]:
vault token capabilities secret/data/training

[0mdeny[0m


In [59]:
vault token capabilities secret/data/education

[0mcreate, delete, list, read, update[0m


&nbsp;

---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 align="left">