Access Management

Introduction

This learning track covers two fundamental, and probably the most important, concepts: authentication and authorization.

Vault policies provide a declarative way to grant or forbid access to certain paths and operations in Vault, whether the client requesting access to secrets is a human user or a machine. This is the authorization part.

Before a Vault client can interact with Vault, it must authenticate and acquire a token with attached policies that define which operations the client is permitted to perform.

Learning Path

Refer to some or all of the guides provided in this track to get started.

Authorization

  • The Vault Policies guide walks you through Vault policy creation. If you are not familiar with ACL policy authoring, this is a good place to start.

  • Vault Identities are utilized in multiple features (e.g. ACL Policy Templating, Control Groups, Namespaces, etc.). If you are not familiar with entities and groups, go through the Identity: Entities and Groups guide first.

  • Read the ACL Policy Path Templating guide to learn how you can construct policy paths that are evaluated at runtime based on the user's information.

  • The Sentinel Policies guide provides an introduction to writing policy as code using Sentinel. (NOTE: Sentinel is available in Vault Enterprise.)

  • Read the Control Groups guide if you require additional authorization factors before processing requests. For example, a client can read customer information only if an account manager authorizes the request.

Authentication