luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/secrets/identity/index.mdx
Ashlee M Boyer f3df55ad58
docs: Migrate link formats (#18696) 
* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* Updating docs-content-check-legacy-links-format hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
2023-01-25 16:12:15 -08:00

51 lines
2.3 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Identity - Secrets Engines
description: The Identity secrets engine for Vault manages client identities.
---
# Identity Secrets Engine
Name: `identity`
The Identity secrets engine is the identity management solution for Vault. It
internally maintains the clients who are recognized by Vault. Each client is
internally termed as an `Entity`. An entity can have multiple `Aliases`. For
example, a single user who has accounts in both GitHub and LDAP, can be mapped
to a single entity in Vault that has 2 aliases, one of type GitHub and one of
type LDAP. When a client authenticates via any of the credential backends
(except the Token backend), Vault creates a new entity and attaches a new
alias to it, if a corresponding entity doesn't already exist. The entity identifier will
be tied to the authenticated token. When such tokens are put to use, their
entity identifiers are audit logged, marking a trail of actions performed by
specific users.
Identity store allows operators to **manage** the entities in Vault. Entities
can be created and aliases can be tied to entities, via the ACL'd API. There
can be policies set on the entities which adds capabilities to the tokens that
are tied to entity identifiers. The capabilities granted to tokens via the
entities are **an addition** to the existing capabilities of the token and
**not** a replacement. The capabilities of the token that get inherited from
entities are computed dynamically at request time. This provides flexibility in
controlling the access of tokens that are already issued.
~> **NOTE:** This secrets engine will be mounted by default. This secrets engine
cannot be disabled or moved. For more conceptual overview on identity, refer to
the [Identity](/vault/docs/concepts/identity) documentation.
The Vault Identity secrets engine supports several different features. Each
one is individually documented on its own page.
- [Identity tokens](/vault/docs/secrets/identity/identity-token)
- [OIDC Identity Provider](/vault/docs/secrets/identity/oidc-provider)
## API
The Identity secrets engine has a full HTTP API. Please see the
[Identity secrets engine API](/vault/api-docs/secret/identity) for more
details.
Additionally, Vault can be configured as an OIDC identity provider. Please see
the [OIDC identity provider API](/vault/api-docs/secret/identity/oidc-provider) for
more details.
Reference in a new issue View git blame Copy permalink