Introduction
Expected Outcome
A configured AppRole-backed entity that inherits policies through group membership.
Use Case
Applying the concepts from the Secure Multi-Tenancy with Namespaces tutorial, but implementing AppRole authentication in lieu of userpass.
Procedure
Assuming you have created the same namespaces and policies as in the tutorial referenced above, do the following, picking up from the Setup entities and groups step.
Enable approle auth method:
vault auth enable -namespace=education approle
Create role:
vault write -f -namespace=education auth/approle/role/my-role
Get role ID:
vault read -namespace=education auth/approle/role/my-role/role-id -format=json | jq -r ".data.role_id" > role_id.txt
Create entity:
vault write -namespace=education -format=json identity/entity name="Approle Entity" policies="edu-admin" | jq -r ".data.id" > entity_id.txt
Get accessor ID:
vault auth list -namespace=education -format=json | jq -r '.["approle/"].accessor' > accessor.txt
Create alias:
vault write -namespace=education identity/entity-alias name=$(cat role_id.txt) canonical_id=$(cat entity_id.txt) mount_accessor=$(cat accessor.txt)
Create group:
vault write -namespace=education/training identity/group name="Training Admin" policies="training-admin" member_entity_ids=$(cat entity_id.txt)
Logging in to the Vault UI in the education/training namespace and navigating to Access > Groups > Training Admin > Members will list the entity behind the alias as a member of the group.
From the CLI:
vault read -namespace=education/training identity/group/id/<group-id>
In the output you will see a key/value pair like the following, where 2618fc1e... is the ID of the entity you created (the canonical_id you set on the entity alias).
member_entity_ids [2618fc1e-883d-0169-b662-30890867773c]