Approle entities


nocturo

Mar 21, 2019, 1:49:15 PM3/21/19
to Vault
Hello all,

I've been trying to implement Vault in my environment and, due to limited templating in places other than paths in policies, I've been trying to associate a token created through AppRole with an identity, but I haven't found a way to do it. I've noticed all identity docs mostly mention userpass and that just the token auth doesn't support assigning an entity. I'm failing to see why the token would be a second-class citizen, since all auth backends are there to provide you a token you're going to use later on. I genuinely wonder where the limitation is coming from, since I haven't found discussions about this.

Secondly, I wanted to approach this limitation by creating a token through AppRole and using its accessor as the entity alias (since AFAIK that's the "glue" between tokens and entities), but upon checking the token capabilities the policies assigned to the entity didn't show up, so I assume this straight up isn't working. I'm also wondering about the design decision around this, if it's a feature.

All this is because I want to use the metadata I send over (since it has identifiable data) inside a policy path. I understand that's not possible, but if I could somehow create an entity and associate it with a token I generate, I could then use {{ identity.entity.name }} to vastly simplify my policy needs.

Thanks!
Nick

mic...@hashicorp.com

Mar 26, 2019, 6:55:02 PM3/26/19
to Vault
Hi Nick,

This should work. You have to use the role_id as the name parameter for the entity alias.
See this small example:

$ vault write -f auth/approle/role/my-role/secret-id
Key                   Value
---                   -----
secret_id             f5625379-7f0c-8140-32e7-f9e158d5d6b5
secret_id_accessor    59d345aa-19d1-b08b-fb4a-9001bf48e3ec

$ vault read auth/approle/role/my-role/role-id
Key        Value
---        -----
role_id    1caf3898-1101-938f-7d1f-a04882861246

$ vault write identity/entity name="approle-test" policies="admin"
Key        Value
---        -----
aliases    <nil>
id         e8f0cc2a-6c34-e669-0a40-7c7d53bc37b5

$ vault write identity/entity-alias name="1caf3898-1101-938f-7d1f-a04882861246" \
        canonical_id="e8f0cc2a-6c34-e669-0a40-7c7d53bc37b5" \
        mount_accessor="auth_approle_53f91f4c"
Key             Value
---             -----
canonical_id    e8f0cc2a-6c34-e669-0a40-7c7d53bc37b5
id              4c87a946-c810-a9c2-eab8-bd110a33e1a0

$ vault write auth/approle/login role_id="1caf3898-1101-938f-7d1f-a04882861246" secret_id="f5625379-7f0c-8140-32e7-f9e158d5d6b5"
Key                     Value
---                     -----
token                   s.KKLrk6PnyPk4AgurkWxBI2HD
token_accessor          msBom4Eq5JjRj0y3WvkiboJK
token_duration          768h
token_renewable         true
token_policies          ["default"]
identity_policies       ["admin"]
policies                ["admin" "default"]
token_meta_role_name    my-role

Cheers,
Michel

nocturo

Mar 27, 2019, 10:55:53 AM3/27/19
to Vault
Hi Michel,

Thanks for that, but there seems to have been an entity created automatically when I used AppRole. When trying out your example I got a 400 "* combination of mount and alias name is already in use".

However, the goal would be to associate tokens created by AppRole with an entity. My use case is that I wanted to use AppRole to generate tokens which belong to an entity, which doesn't seem possible right now.

Thanks,
Nick

mic...@hashicorp.com

Mar 27, 2019, 12:48:26 PM3/27/19
to Vault
Hi Nick,

> Thanks for that, but there seems to have been an entity created automatically when I used AppRole. When trying out your example I got a 400 "* combination of mount and alias name is already in use".

Yes, this happens when you have already logged in with credentials generated from this AppRole. As soon as you authenticate with your generated credentials, the identity system will automatically create an entity and entity alias if they don't exist already.
You can simply remove the existing alias via "vault delete identity/entity-alias/id/<entity-alias-id>". You might have to find out the id of the existing entity alias via "vault list identity/entity-alias/id" and "vault read identity/entity-alias/id/<entity-alias-id>" first.

> However, the goal would be to associate tokens created by AppRole with an entity. My use case is that I wanted to use AppRole to generate tokens which belong to an entity, which doesn't seem possible right now.

I'm not quite sure if I got your question right. When I link an AppRole role to an entity as described above, all generated tokens are associated with the entity:
$ vault write auth/approle/login role_id="1433f542-2c33-99ab-0be7-d0178fb6f775" secret_id="31f3ef04-89da-4bfa-ff84-f65222184396"
Key                     Value
---                     -----
token                   s.gFZoClEN9cId7PPNXQIyUQyd
token_accessor          IxpneRWHMqAsuiVC0hLWXwep
token_duration          768h
token_renewable         true
token_policies          ["default"]
identity_policies       ["admin"]
policies                ["admin" "default"]
token_meta_role_name    my-role

$ vault token lookup s.gFZoClEN9cId7PPNXQIyUQyd
Key                            Value
---                            -----
...
entity_id                      637ae541-bb7f-89ff-0389-4c81118bed9f
identity_policies              [admin]
...

That is what you try to achieve, right?

Cheers,
Michel
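An added example, not code from the thread or from HashiCorp: a toy identity store (an assumed simplification of Vault's, not its real implementation) keyed on (mount accessor, alias name), which reproduces the behaviour Michel describes: a first AppRole login auto-creates an entity and alias, a later manual alias for the same role_id fails with the "already in use" error Nick hit, and after deleting that alias and re-linking, the token carries the entity's policies as identity_policies. The mount accessor and role_id are the values from Michel's first reply.

```python
import uuid

class IdentityStore:
    def __init__(self):
        self.entities = {}   # entity_id -> {"name": str, "policies": set}
        self.aliases = {}    # (mount_accessor, alias_name) -> entity_id

    def create_entity(self, name, policies=()):
        ent_id = str(uuid.uuid4())
        self.entities[ent_id] = {"name": name, "policies": set(policies)}
        return ent_id

    def create_alias(self, name, mount_accessor, canonical_id):
        # An alias is unique per (mount accessor, name); for AppRole the name is the role_id.
        key = (mount_accessor, name)
        if key in self.aliases:
            raise ValueError("combination of mount and alias name is already in use")
        self.aliases[key] = canonical_id

    def delete_alias(self, name, mount_accessor):
        self.aliases.pop((mount_accessor, name), None)

    def approle_login(self, role_id, mount_accessor, token_policies=("default",)):
        # A first login with a role auto-creates an entity and alias when none exists;
        # the token then carries the entity's policies as identity_policies.
        key = (mount_accessor, role_id)
        if key not in self.aliases:
            self.aliases[key] = self.create_entity("entity_" + uuid.uuid4().hex[:8])
        ent_id = self.aliases[key]
        ident = self.entities[ent_id]["policies"]
        return {"entity_id": ent_id,
                "token_policies": sorted(token_policies),
                "identity_policies": sorted(ident),
                "policies": sorted(set(token_policies) | ident)}

def thread_scenario():
    """Nick's 400 after an earlier login, then Michel's fix: delete the auto alias, re-link."""
    store = IdentityStore()
    accessor, role_id = "auth_approle_53f91f4c", "1caf3898-1101-938f-7d1f-a04882861246"
    first = store.approle_login(role_id, accessor)        # auto-created entity, no policies
    admin_id = store.create_entity("approle-test", ["admin"])
    try:
        store.create_alias(role_id, accessor, admin_id)   # same (mount, name) -> HTTP 400
        clash = False
    except ValueError:
        clash = True
    store.delete_alias(role_id, accessor)
    store.create_alias(role_id, accessor, admin_id)
    second = store.approle_login(role_id, accessor)
    return clash, first["identity_policies"], second["policies"], second["entity_id"] == admin_id
```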
