Update app-id docs to use new endpoint
This commit is contained in:
Jeff Mitchell
parent
d648306d52
commit
a798bdb822
|
|
@ -10,65 +10,63 @@ description: |-
|
||||||
|
|
||||||
Name: `app-id`
|
Name: `app-id`
|
||||||
|
|
||||||
The App ID auth backend is a mechanism for machines to authenticate with
|
The App ID auth backend is a mechanism for machines to authenticate with Vault.
|
||||||
Vault. It works by requiring two hard-to-guess unique pieces of information:
|
It works by requiring two hard-to-guess unique pieces of information: a unique
|
||||||
a unique app ID, and a unique user ID.
|
app ID, and a unique user ID.
|
||||||
|
|
||||||
The goal of this credential provider is to allow elastic users
|
The goal of this credential provider is to allow elastic users (dynamic
|
||||||
(dynamic machines, containers, etc.) to authenticate with Vault without
|
machines, containers, etc.) to authenticate with Vault without having to store
|
||||||
having to store passwords outside of Vault. It is a single method of
|
passwords outside of Vault. It is a single method of solving the
|
||||||
solving the chicken-and-egg problem of setting up Vault access on a machine.
|
chicken-and-egg problem of setting up Vault access on a machine. With this
|
||||||
With this provider, nobody except the machine itself has access to both
|
provider, nobody except the machine itself has access to both pieces of
|
||||||
pieces of information necessary to authenticate. For example:
|
information necessary to authenticate. For example: configuration management
|
||||||
configuration management will have the app IDs, but the machine itself
|
will have the app IDs, but the machine itself will detect its user ID based on
|
||||||
will detect its user ID based on some unique machine property such as a
|
some unique machine property such as a MAC address (or a hash of it with some
|
||||||
MAC address (or a hash of it with some salt).
|
salt).
|
||||||
|
|
||||||
An example, real world process for using this provider:
|
An example, real world process for using this provider:
|
||||||
|
|
||||||
1. Create unique app IDs (UUIDs work well) and map them to policies.
|
1. Create unique app IDs (UUIDs work well) and map them to policies. (Path:
|
||||||
(Path: map/app-id/<app-id>)
|
map/app-id/<app-id>)
|
||||||
|
|
||||||
2. Store the app IDs within configuration management systems.
|
2. Store the app IDs within configuration management systems.
|
||||||
|
|
||||||
3. An out-of-band process run by security operators map unique user IDs
|
3. An out-of-band process run by security operators map unique user IDs to
|
||||||
to these app IDs. Example: when an instance is launched, a cloud-init
|
these app IDs. Example: when an instance is launched, a cloud-init system
|
||||||
system tells security operators a unique ID for this machine. This
|
tells security operators a unique ID for this machine. This process can be
|
||||||
process can be scripted, but the key is that it is out-of-band and
|
scripted, but the key is that it is out-of-band and out of reach of
|
||||||
out of reach of configuration management.
|
configuration management. (Path: map/user-id/<user-id>)
|
||||||
(Path: map/user-id/<user-id>)
|
|
||||||
|
|
||||||
4. A new server is provisioned. Configuration management configures the
|
4. A new server is provisioned. Configuration management configures the app
|
||||||
app ID, the server itself detects its user ID. With both of these
|
ID, the server itself detects its user ID. With both of these pieces of
|
||||||
pieces of information, Vault can be accessed according to the policy
|
information, Vault can be accessed according to the policy set by the app
|
||||||
set by the app ID.
|
ID.
|
||||||
|
|
||||||
More details on this process follow:
|
More details on this process follow:
|
||||||
|
|
||||||
The app ID is a unique ID that maps to a set of policies. This ID is
|
The app ID is a unique ID that maps to a set of policies. This ID is generated
|
||||||
generated by an operator and configured into the backend. The ID itself
|
by an operator and configured into the backend. The ID itself is usually a
|
||||||
is usually a UUID, but any hard-to-guess unique value can be used.
|
UUID, but any hard-to-guess unique value can be used.
|
||||||
|
|
||||||
After creating app IDs, an operator authorizes a fixed set of user IDs
|
After creating app IDs, an operator authorizes a fixed set of user IDs with
|
||||||
with each app ID. When a valid {app ID, user ID} tuple is given to the
|
each app ID. When a valid {app ID, user ID} tuple is given to the "login" path,
|
||||||
"login" path, then the user is authenticated with the configured app
|
then the user is authenticated with the configured app ID policies.
|
||||||
ID policies.
|
|
||||||
|
|
||||||
The user ID can be any value (just like the app ID), however it is
|
The user ID can be any value (just like the app ID), however it is generally a
|
||||||
generally a value unique to a machine, such as a MAC address or instance ID,
|
value unique to a machine, such as a MAC address or instance ID, or a value
|
||||||
or a value hashed from these unique values.
|
hashed from these unique values.
|
||||||
|
|
||||||
|
|
||||||
## Authentication
|
## Authentication
|
||||||
|
|
||||||
#### Via the CLI
|
#### Via the CLI
|
||||||
|
|
||||||
App ID authentication is not allowed via the CLI.
|
Use `vault write`, for example: `vault write auth/app-id/login/[app-id] user_id=[user-id]`
|
||||||
|
|
||||||
#### Via the API
|
#### Via the API
|
||||||
|
|
||||||
The endpoint for the App ID login is `auth/app-id/login`. The client is expected
|
The endpoint for the App ID login is `auth/app-id/login/[app_id]`. The client is expected
|
||||||
to provide the `app_id` and `user_id` parameters as part of the request.
|
to provide the `user_id` parameter as part of the request.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue