A DevOps engineer has set up LDAP and GitHub auth methods. The engineer must ensure user Sarah, who authenticates via either method, has consistent access permissions. Which approach correctly describes how to achieve this in Vault?
A. Create an entity for Sarah and map both her LDAP and GitHub identities as entity aliases to this single entity
B. Create an external group and add the LDAP and GitHub providers as members of the group
C. Create separate policies for each auth method and manually ensure they remain synchronized
D. Configure a trust relationship between the LDAP and GitHub providers to ensure Sarah’s account is synced
To ensure consistent access permissions for Sarah across multiple authentication methods (LDAP and GitHub), the correct approach in Vault is to create an entity for Sarah and map both her LDAP and GitHub identities as entity aliases to this single entity (option A).
Entities and Aliases in Vault: Vault’s Identity secrets engine allows the creation of entities, which are logical representations of users or machines. Each entity can have multiple aliases, where an alias corresponds to an identity from a specific auth method. By mapping Sarah’s LDAP identity (e.g., her LDAP username) and GitHub identity (e.g., her GitHub username) as aliases to a single entity, Vault associates both identities with one set of policies. The documentation states: "Vault clients can be mapped as entities and their corresponding accounts with authentication providers can be mapped as aliases."
Why This Works: Assigning policies to the entity ensures that Sarah’s permissions remain consistent regardless of whether she logs in via LDAP or GitHub. This centralizes policy management and eliminates discrepancies.
Incorrect Options:
B. External Group Approach: Creating an external group and adding LDAP and GitHub providers as members does not inherently synchronize permissions for a single user like Sarah. External groups are better suited for mapping group memberships from external systems to Vault policies, not individual identity unification.
C. Separate Policies: Managing separate policies per auth method is error-prone and inefficient. Manual synchronization risks inconsistencies, undermining security and manageability.
D. Trust Relationship: Vault does not support configuring trust relationships between auth methods like LDAP and GitHub to sync accounts. This is a misunderstanding of Vault’s architecture.
This entity-based approach leverages Vault’s identity system to unify Sarah’s access, simplifying administration and ensuring consistency.
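As an added illustration, not part of the original explanation, the same entity-plus-aliases setup expressed as Terraform for the Vault provider. The mount paths, LDAP DN and attribute, GitHub organization, policy name and both usernames are assumed values chosen for the example:

```hcl
# Added example: every path, DN, organization, policy and username below is assumed.
resource "vault_ldap_auth_backend" "ldap" {
  path     = "ldap"
  url      = "ldaps://ldap.example.com"
  userdn   = "ou=Users,dc=example,dc=com"
  userattr = "uid" # the value of this attribute becomes the alias name
}

resource "vault_github_auth_backend" "github" {
  path         = "github"
  organization = "example-org"
}

# One policy, attached to the entity rather than to either auth method,
# so it applies however Sarah logs in.
resource "vault_policy" "sarah" {
  name   = "sarah-app-read"
  policy = <<-EOT
    path "secret/data/app/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

resource "vault_identity_entity" "sarah" {
  name     = "sarah"
  policies = [vault_policy.sarah.name]
}

# An alias is keyed by (mount accessor, name). The name must match exactly
# what the auth method reports for Sarah: her LDAP uid and her GitHub login.
resource "vault_identity_entity_alias" "sarah_ldap" {
  name           = "sarah"
  mount_accessor = vault_ldap_auth_backend.ldap.accessor
  canonical_id   = vault_identity_entity.sarah.id
}

resource "vault_identity_entity_alias" "sarah_github" {
  name           = "sarah-gh"
  mount_accessor = vault_github_auth_backend.github.accessor
  canonical_id   = vault_identity_entity.sarah.id
}
```

To verify after `terraform apply`, log in once with each method and run `vault token lookup -format=json`: both tokens should report the same `entity_id` and carry the `sarah-app-read` policy. If Sarah had already logged in before the alias existed, Vault will have auto-created an entity for that alias, which then has to be merged into this entity (the `identity/entity/merge` endpoint) rather than duplicated.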