Use case: I’d like to be able to invite specific individuals to my Vault system. I can assume that those users have an account on a well-known IDP (e.g. Google/Gmail or Github) that they can use to authenticate.
In an ideal world I’d just create an entity with an entity alias in advance, and that would be it. Unfortunately, I have no idea what the entity alias will be. For example, with Google, the “sub” claim is just a very long integer account ID. Even the user probably doesn’t know their own account ID.
I could instead just wait for them to connect the first time. The documentation says:
When a client authenticates via any of the credential backend (except the Token backend), Vault creates a new entity and attaches a new alias to it, if a corresponding entity doesn’t already exist.
That indeed works as described, but there are two problems with this:
- It allows random users on the Internet (who have Gmail accounts) to connect and create entities. Whilst those won’t have any authorization data associated with them - e.g. they won’t be in any groups - it’s still annoying.
- I have to fish through these auto-created entities, and find the one which belongs to the user that I invited, so that I can add authorization data to that entity. I have to convince myself that I’m authorizing the right one, and not some random bod on the Internet.
I was wondering about how this flow could be handled automatically. If there’s some existing mechanism which can do this, I’d really like to know it.
Otherwise, I think an ideal flow would work something like this:
- I create an entity in Vault, and add appropriate authorization (e.g. groups and metadata). At this point it has no aliases.
- I send a special token in an E-mail, to the E-mail address I know belongs to the user I want to invite.
- The user somehow combines this token with an OpenID login to Vault, such that when they login, it creates an alias attached to the entity referred to in the token, instead of creating an alias to a new entity.
- I’d also like to disable the automatic creation of new entities completely, so that entities have to be pre-created, and random users trying to login don’t create new entities.
Vault has multiple facilities for creating tokens (wrapped and unwrapped). Such a token could be used to authenticate temporarily as that particular user, and the user could have a policy which allows them to add their own entity alias. However, I still can’t see how the user would know their own alias ID. I’d like to combine this with the act of them authenticating to Vault, so that as I said before, it would attach their newly-detected alias to the existing entity.
Another option might be to merge the entity which I created manually, with the entity created dynamically by their OIDC login. However I can’t see how you could make a policy to allow the client to merge entity A with entity B, if the client can authenticate to Vault either as A or B. As far as I can see, the policy permits /identity/entity/merge
for all entities, or not at all.
Any ideas or clues? Thanks!