Use LDAP username as the entity name
I'm using Hashicorp Vault 1.9.0 and I enabled the LDAP authentication method which is working correctly as expected, but I have an issue:
The LDAP is our unique authentication method (besides the Token one, of course) and the LDAP users were NOT created in Vault in advance. So, when some user signs in to Vault for the first time, Vault creates the user entity automatically, with a generic name like, for example, "entity_1fb81714" and adds the LDAP username as an alias for the entity. This is working pretty well (but could be better). Is there a way to configure Vault to use the LDAP username (the same used in the alias) to be the entity name, instead of the generic "entity_xxx" one?
Entity name:
Entity alias:
It can be done, but you might give up when you see the maintenance involved...
So you have an entity with a random name, "inside" which there is a entity-alias with the sAMAccountName attribute of a given user.
Background
Entity creation is not done by the ldap auth backend. An entity will be created if Vault can't find an existing entity with a matching entity alias.
So basically it does this:
- Try to find an existing entity with that alias in it
- Create a new entity if none is found
The problem is that Vault can't use the entity alias attribute value as a name, because you can have multiple entity alias for any given entity. Other auth backends (like Github) could have a different entity alias attribute. Vault is not in position to decide which one it should use so a random name is chosen.
It can be done
To have predictable names for your entities, you would have to create the entity with the name of your choice and the alias in advance, so that it is present when the user first logs in and Vault goes looking for it.
I would suggest that you learn to live with random names for three reasons:
- Management
- Race conditions
- License cost
Management
You will have to poll your Active Directory for changes and create/delete entity alias as users come and go. Keep in mind that Vault will not validate the entity alias is valid, that's your job. Not a complex piece of code, but it won't write and maintain itself and you probably have better things to do.
Race conditions
Even with a synchronisation mechanism in place, there is still a change a user logs in Vault between two passes of your script. That user will get a random entity name. You script could account for that and fix it on the next run, but it will make your synchronization code more complex.
Licenses
Vault Enterprise is licensed per entity. Creating an entity alias for everyone in your Active Directory could get expensive. Your script could account for that too, creating entity alias for members of a given group only, but... you get the idea.
You might were this is going: if you want to control the entity name
- AWX + Hashicorp Vault django.request Bad Request
- Why does HVAC does not see secrets in HashiCorp Vault?
- HashiCorp Vault 403 Permission Denied issue with Kubernetes Auth
- Unable to get airflow variables in dags from Vault secret backend
- Hashicorp vault - export key from one vault, import into another vault
- HashiCorp Vault to populate kubernetes secrets
- HASHICORP VAULT: How to read multiple items from a file and write them to Vault
- Hashicorp vault how to list all roles
- access property of an object using hash-vault-js
- Vault secrets list permission denied
- How can I encrypt data with an already generated AES 256 GCM 96 key (coming from Hashicorp Vault)?
- Access Denied on vault secrets
- hashicorp vault agent template fails when starts with "no known secret ID"
- Create a Vault UI user using the vault CLI
- Vault does not return token renewed by script
- Getting permission denied error while trying to access any vault secret engines using Spring boot application on kubernetes
- Environment variables concatenation issue with Vault agent-jnject in Kubernetes deployment
- Vault secret fetch using hvac python fails with TypeError where Type of response is <class 'requests.models.Response'>
- Detect when a secret changes in Hashicorp Vault
- My Vault policies does not allow me to create/update/delete secrets
- Vault scaling using Consul
- Hashicorp Vault cli return 403 when trying to use kv
- Cannot install Hashicorp vault in LinuxMint 21.3 : The repository does not have a Release file
- HashiCorp Transit Engine, what permission are required to read the public key?
- Vault Agent Injector - Use init container only (disable sidecar)
- How to call Hashicorp Vault from AWS Lambda in NodeJS with IAM Authentication
- How to use values in Vault annotation content in Helm Chart
- What is the difference between a HashiCorp Vault lease and token accessor?
- Is there a way to allow a user to change it's own password on Hashicorp's Vault UI
- Injecting secrets into Kubernetes pods via Vault Agent containers