I’m trying to understand how the Entity and Alias is different from an “approle auth backend role” as defined in Terraform Vault provider:
https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role
Whenever I create this backend role, along with a role_id and secret_id from it, I see that a new entity is created with an alias that matches the role_id. So is the backend role an alias?
What I want to do is create the entity and link it to the approle auth backend role, which seems to be an alias, however Vault will seemingly always create a new entity and alias regardless of the setup. I want to be able to apply policy to the entity and not the auth backend role tokens only…
I’m doing this in the context of Concourse CI:
resource "vault_auth_backend" "approle" {
type = "approle"
}
resource "vault_policy" "concourse" {
name = "vault_concourse_policy"
policy = data.vault_policy_document.concourse_secrets.hcl
}
resource "vault_approle_auth_backend_role" "concourse_backend_role" {
backend = vault_auth_backend.approle.path
role_name = "concourse-approle-auth"
token_policies = [
"vault_concourse_policy"
]
}
resource "vault_approle_auth_backend_role_secret_id" "concourse_secret_id" {
backend = vault_auth_backend.approle.path
role_name = vault_approle_auth_backend_role.concourse_backend_role.role_name
}
data "vault_approle_auth_backend_role_id" "concourse_approle_roleid_output" {
backend = vault_auth_backend.approle.path
role_name = vault_approle_auth_backend_role.concourse_backend_role.role_name
}
Thank you,
Alison