I wonder if someone could help clarify something for me.
In the description of entities, it says:
each entity is made up of zero or more aliases
I can also see from
vault lookup token <T> that a token contains a (possibly-empty)
entity_id. The token also contains a
display_name, but not an entity alias.
However, I can’t see how to issue a token for an entity that has no alias.
The API call to create token lets you specify an entity alias, but not an entity. AFAICS, it doesn’t let you specify the mountpoint that qualifies the entity alias either.
If I test it:
# creating a token with entity alias *must* use a role $ vault write auth/token/roles/foo allowed_entity_aliases='*' Success! Data written to: auth/token/roles/foo $ vault token create -ttl=12h -orphan -entity-alias=blah -role=foo Key Value --- ----- token s.bOKeoaeTG8WPKb2Wx2CvstdC token_accessor ejdDHJB3lUPs0NzPociY9Ayc token_duration 12h token_renewable true token_policies ["root"] identity_policies  policies ["root"] $ vault token lookup s.bOKeoaeTG8WPKb2Wx2CvstdC Key Value --- ----- accessor ejdDHJB3lUPs0NzPociY9Ayc creation_time 1643112516 creation_ttl 12h display_name token entity_id 47227f19-08dc-cbd4-a603-3fe88cd196c6 expire_time 2022-01-26T00:08:36.5314Z explicit_max_ttl 0s id s.bOKeoaeTG8WPKb2Wx2CvstdC issue_time 2022-01-25T12:08:36.531404Z meta <nil> num_uses 0 orphan false path auth/token/create/foo policies [root] renewable true role foo ttl 11h59m21s type service
It has created a new entity, and also an entity alias “blah” connected to that entity, under the “token” mountpoint accessor:
$ vault read identity/entity/id/47227f19-08dc-cbd4-a603-3fe88cd196c6 Key Value --- ----- aliases [map[canonical_id:47227f19-08dc-cbd4-a603-3fe88cd196c6 creation_time:2022-01-25T12:08:36.530852Z custom_metadata:<nil> id:8d21fa4c-e16d-0c5d-9762-986467b8930a last_update_time:2022-01-25T12:08:36.530852Z local:false merged_from_canonical_ids:<nil> metadata:<nil> mount_accessor:auth_token_eaeec7a1 mount_path:auth/token/ mount_type:token name:blah]] creation_time 2022-01-25T12:08:36.530847Z direct_group_ids  disabled false group_ids  id 47227f19-08dc-cbd4-a603-3fe88cd196c6 inherited_group_ids  last_update_time 2022-01-25T12:08:36.530847Z merged_entity_ids <nil> metadata <nil> name entity_0e0f38fd namespace_id root policies  $ vault read identity/entity-alias/id/8d21fa4c-e16d-0c5d-9762-986467b8930a Key Value --- ----- canonical_id 47227f19-08dc-cbd4-a603-3fe88cd196c6 creation_time 2022-01-25T12:08:36.530852Z custom_metadata <nil> id 8d21fa4c-e16d-0c5d-9762-986467b8930a last_update_time 2022-01-25T12:08:36.530852Z local false merged_from_canonical_ids <nil> metadata <nil> mount_accessor auth_token_eaeec7a1 mount_path auth/token/ mount_type token name blah namespace_id root $ vault auth list Path Type Accessor Description ---- ---- -------- ----------- token/ token auth_token_eaeec7a1 token based credentials userpass/ userpass auth_userpass_36422767 n/a
(I’m aware that this token has the root role - I’ve ignored that for simplicity)
So my questions are:
- Is it true that it’s not possible to issue a token for an entity without adding an alias to it?
- If so, why is that - given that the token itself doesn’t appear to remember which associated alias was used to authenticate? Or does it?
- In order to issue a token for a previously-created entity, is it up to me to create a named alias under the ‘token’ auth mountpoint explicitly? (Otherwise, it appears Vault will create a brand new entity)
- Could adding this alias have any unexpected side effects? e.g. does it open up a new way for someone to authenticate as this entity, apart from possessing the token I just generated?
What I’m actually trying to do is to issue a token for an entity, before any aliases have been attached to it, as part of an account setup/registration process. The token would be used as a temporary login until the alias has been attached. Maybe I’m going about this the wrong way, but I’d still like to understand a bit more about the relationship between entities, entity aliases, and tokens.
Thanks in advance,