vault/website/source/docs/secrets/identity/index.html.md
---
layout: "docs"
page_title: "Identity - Secrets Engines"
sidebar_current: "docs-secrets-identity"
description: |-
  The Identity secrets engine for Vault manages client identities.
---

# Identity Secrets Engine

Name: `identity`

The Identity secrets engine is the identity management solution for Vault. It
internally maintains the clients that are recognized by Vault. Each client is
internally termed an `Entity`. An entity can have multiple `Aliases`. For
example, a single user who has accounts in both GitHub and LDAP can be mapped
to a single entity in Vault that has two aliases, one of type GitHub and one of
type LDAP. When a client authenticates via any auth method (except the token
auth method), Vault creates a new entity and attaches a new alias to it, if a
corresponding entity doesn't already exist. The entity identifier is tied to
the authenticated token. When such tokens are used, their entity identifiers
are audit logged, leaving a trail of the actions performed by specific users.

The identity store allows operators to **manage** the entities in Vault.
Entities can be created, and aliases can be tied to entities, via the
ACL-protected API. Policies can be set on entities, which adds capabilities to
the tokens that are tied to those entity identifiers. The capabilities granted
to tokens via entities are **an addition** to the existing capabilities of the
token and **not** a replacement. The capabilities a token inherits from its
entity are computed dynamically at request time, which provides flexibility in
controlling the access of tokens that have already been issued.
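
The behaviour described in the two paragraphs above (implicit entity and alias creation at login, an operator-created alias merging two auth methods into one entity, and entity policies reaching already-issued tokens at request time) modelled as a small Python program. This is an added example, not Vault's code or API: the `IdentityStore`, `Entity` and `Token` classes, the mount accessor strings, the policy names and the secret paths are all made up here, and policy matching is a simplified exact or trailing-`*` match rather than Vault's real ACL evaluation.

```python
"""Toy model of the Identity store semantics described above (added example,
not Vault's own code). Aliases are keyed by (mount accessor, alias name), tokens
carry an entity ID, and effective policies are token policies UNION entity
policies, recomputed per request. Paths match exactly or on a trailing ``*``
only; accessor names, paths and policy names are made up for the walkthrough.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from uuid import uuid4

AliasKey = Tuple[str, str]  # (mount_accessor, alias_name)


@dataclass
class Entity:
    id: str
    name: str
    policies: Set[str] = field(default_factory=set)
    aliases: List[AliasKey] = field(default_factory=list)


@dataclass
class Token:
    id: str
    policies: Set[str]        # fixed when the token is issued
    entity_id: Optional[str]  # None for tokens from the token auth method


class IdentityStore:
    def __init__(self, policy_rules: Dict[str, Dict[str, Set[str]]]) -> None:
        self.policy_rules = policy_rules  # policy name -> {path: capabilities}
        self.entities: Dict[str, Entity] = {}
        self.alias_index: Dict[AliasKey, str] = {}
        self.audit_log: List[dict] = []

    # Operator API (ACL-protected in Vault).
    def create_entity(self, name: str, policies: Set[str] = frozenset()) -> Entity:
        ent = Entity(uuid4().hex, name, set(policies))
        self.entities[ent.id] = ent
        return ent

    def create_alias(self, key: AliasKey, entity_id: str) -> None:
        if key in self.alias_index:
            raise ValueError(f"alias {key} already attached to {self.alias_index[key]}")
        self.entities[entity_id].aliases.append(key)
        self.alias_index[key] = entity_id

    # Login path for every auth method except ``token``.
    def login(self, mount_accessor: str, alias_name: str, token_policies: Set[str]) -> Token:
        key = (mount_accessor, alias_name)
        entity_id = self.alias_index.get(key)
        if entity_id is None:  # alias never seen before: create entity and attach alias
            ent = self.create_entity(f"entity_{alias_name}")
            self.create_alias(key, ent.id)
            entity_id = ent.id
        return Token(uuid4().hex, set(token_policies), entity_id)

    def effective_policies(self, token: Token) -> Set[str]:
        """Token policies plus entity policies, recomputed on every request."""
        pols = set(token.policies)
        if token.entity_id is not None:
            pols |= self.entities[token.entity_id].policies
        return pols

    def request(self, token: Token, path: str, capability: str) -> bool:
        caps: Set[str] = set()
        for pol in self.effective_policies(token):
            for rule_path, rule_caps in self.policy_rules.get(pol, {}).items():
                glob_hit = rule_path.endswith("*") and path.startswith(rule_path[:-1])
                if rule_path == path or glob_hit:
                    caps |= rule_caps
        allowed = capability in caps
        # The audit entry records the entity ID, not only the token.
        self.audit_log.append({"path": path, "entity_id": token.entity_id, "allowed": allowed})
        return allowed


def demo() -> dict:
    """Scenario from the text; returns observations as booleans for checking."""
    store = IdentityStore({
        "default": {"auth/token/lookup-self": {"read"}},
        "team-reader": {"secret/team/*": {"read", "list"}},
    })
    github, ldap = "auth_github_0a1b", "auth_ldap_9f8e"  # made-up mount accessors

    # 1. First GitHub login as "alice": entity and alias are created implicitly.
    t_github = store.login(github, "alice", {"default"})
    alice = store.entities[t_github.entity_id]
    # 2. Operator maps alice's LDAP account onto the same entity before she logs in.
    store.create_alias((ldap, "alice"), alice.id)
    t_ldap = store.login(ldap, "alice", {"default"})
    # 3. An already-issued token gains access when a policy is added to its entity.
    before = store.request(t_github, "secret/team/ci", "read")
    alice.policies = {"team-reader"}
    after = store.request(t_github, "secret/team/ci", "read")
    # 4. A token from the token auth method has no entity and inherits nothing.
    plain = store.request(Token(uuid4().hex, {"default"}, None), "secret/team/ci", "read")

    return {
        "same_entity": t_github.entity_id == t_ldap.entity_id,
        "two_aliases": len(alice.aliases) == 2,
        "before": before, "after": after, "plain": plain,
        "token_policies_unchanged": t_github.policies == {"default"},
        "audit_entity_ids_ok": [e["entity_id"] for e in store.audit_log] == [alice.id, alice.id, None],
    }
```

Running `demo()` shows the three properties the text relies on: both logins resolve to one entity with two aliases, the GitHub token's own policy list never changes yet its access flips from denied to allowed once the entity gets `team-reader`, and a token that did not come from a login has no entity and so gains nothing.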

This secrets engine is mounted by default and cannot be disabled or moved.

## API

The Identity secrets engine has a full HTTP API. Please see the
[Identity secrets engine API](/api/secret/identity/index.html) for more
details.