This learning track covers a fundamental but probably the most important concepts: authentication and authorization.
Vault policies provide a declarative way to grant or forbid access to certain paths and operations in Vault whether it is human users or machines requesting access to secrets. This is the authorization part.
Before a Vault client can interact with Vault, it must authenticate and acquire a token with policies attached defining what operations are permitted to the client.
Refer to some or all of the guides provided in this track to get you started.
The Vault Policies guide walks you through Vault policy creation. If you are not familiar with ACL policy authoring, this is a good place to start.
Vault Identities are utilized in multiple features (e.g. ACL Policy Templating, Control Groups, Namespaces, etc.). If you are not familiar with entities and groups, go through the Identity: Entities and Groups guide first.
Read the ACL Policy Path Templating guide to learn how you can construct policy paths that get evaluating at runtime based on the user's information.
The Sentinel Policies guide provides an introduction to writing policy as a code using Sentinel. (NOTE: Sentinel is available in Vault Enterprise.)
Read the Control Groups guide if you require additional authorization factors before processing requests. For example, a client can read customer information only if an account manager authorizes the request.
Token is the core authentication method in Vault. Read the Tokens guide to make sure that you fully understand the lifecycle of Vault tokens.
Read OIDC Auth Method guide if you wish to configure the OpenID Connect (OIDC) auth method for user authentication.
Refer to the AppRole Pull Authentication guide if you are interested in using the AppRole auth method as a login mechanism for your applications and services.
- The AppRole with Terraform & Chef guide provides an example for how to distribute the AppRole role ID and secret ID to the client application using Terraform and Chef.
Secure Introduction of Vault Clients discusses three approaches to solve the secret zero problem. This guide covers the concept.
The AppRole with Terraform & Chef guide demonstrates an example of the Trusted Orchestrator approach.
The Vault Agent with AWS guide demonstrates the combination of Vault Agent and Platform Integration which is AWS in this case.
The Vault Agent with Kubernetes guide demonstrates the combination of Vault Agent and Platform Integration where the trusted platform is your Kubernetes cluster.
The Vault Agent Templates guide demonstrates the Templates feature introduced in Vault 1.3 which allows the secrets to be rendered to a file using the Consul Template markup language.
The Vault Agent Caching guide demonstrates both auto-auth and caching mechanism of Vault Agent to make your application integration easier.