Authentication Method Question

Hello! I have Vault up and running, but now I am a bit confused as to how I should set it up to work with our environment. I would like to make it so that if you are authenticated via LDAP and you belong to a group then you have access to the secrets which that group is allowed to access (without having to supply credentials/tokens because the user is already authenticated in LDAP). Is something like this possible or am I barking up the wrong tree?

Some other info, in case there is a different approach I should be taking:
We have at least two different departments who would like to access their own secrets without giving them away to the other departments. We would like to commit code in Git that everyone can see, but only the people who have access can run and get to execute successfully. Thoughts?


To your first question, yes this is possible. You can create policies that gate access to different secrets, and then map LDAP groups to policies to grant a token with the correct permissions when the user logs in.

re: the second part, are you referring to an unrestricted program that will reach into Vault but should only be able to access certain secrets? The best way for the app to authenticate Vault is highly dependent on your setup, but if a user is going to be in the loop anyway and you have LDAP set up, then LDAP auth is reasonable.
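To make the answer concrete, here are example Vault policies for the two-department setup described in the question. This is an added example, not code from either post or from the Vault project; the department names (`finance`, `engineering`), the `secret/` KV v2 mount, the secret paths and the LDAP group names are all assumptions.

```hcl
# finance-secrets.hcl (constructed example; "finance" is an assumed department)
# Grants the finance department read access to its own KV v2 tree and nothing else.
# A KV v2 mount serves reads from secret/data/... and listing from secret/metadata/...,
# so a policy needs both paths to be usable from the CLI or a script.
path "secret/data/finance/*" {
  capabilities = ["read"]
}

path "secret/metadata/finance/*" {
  capabilities = ["list", "read"]
}

# Explicit deny on the other department's tree. A token's permissions are the union
# of every policy attached to it, and "deny" overrides every other capability, so
# this stays in force even if someone later attaches a broader policy to the group.
path "secret/data/engineering/*" {
  capabilities = ["deny"]
}

# engineering-secrets.hcl (constructed example; "engineering" is an assumed department)
# Mirror image of the finance policy.
path "secret/data/engineering/*" {
  capabilities = ["read"]
}

path "secret/metadata/engineering/*" {
  capabilities = ["list", "read"]
}

path "secret/data/finance/*" {
  capabilities = ["deny"]
}
```

Load each file with `vault policy write finance-secrets finance-secrets.hcl` (and likewise for engineering), then map the LDAP groups to the policies with `vault write auth/ldap/groups/finance policies=finance-secrets` and `vault write auth/ldap/groups/engineering policies=engineering-secrets`. After `vault login -method=ldap username=<user>`, the issued token carries whichever policies the user's groups resolve to; `vault token capabilities secret/data/finance/db` is a quick way to confirm that a finance member sees `read` while an engineering member sees `deny`. That is also what makes the shared-Git part work: the committed code can reference `secret/data/finance/db` in the open, and only a token that actually carries `finance-secrets` will get a successful read.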