Vault offers a variety of means for users and systems to authenticate and receive a token. Aomi supports a handful of these.
The succesor to the AppID authentication type is AppRole. This is a mechanism which is meant for system usage. The aomi tool only supports provisioning of roles, it does not currently support manual creation of associated secret ids. If you wish to have that style of authentication it is best to stick with App ID for now.
You can currently associate policies, associated IP addresses, the number of uses for a created secret id, and how long the resulting tokens will last.
approles: - name: 'foo' policies: - 'default' - 'not_default' secret_uses: 1 secret_ttl: 1
Token Role allows you to create a surrogate token from a defined set of policies. A Token Role can define explcitly allowed or disallowed policies which the surrogate token can be generated from. Primarily use cases for Token Role would be Hashicorp’s Nomad.
tokenroles: - name: 'nomad-cluster' disallowed_policies: - nomad-server explicit_max_ttl: 0 orphan: false period: 259200 renewable: true
Vault supports basic user/password combinations. You can provision this with aomi as well. The
Secretfile contains the user and policy associations. The password is stored as a plain text file in the secrets directory.
users: - username: 'foo' password_file: 'foo-user.txt' policies: - 'default'
The aomi tool supports the Vault MFA intgration for user/password combinations.
duo: - backend: "userpass" creds: "duo.yml" host: "api-foo.duosecurity.com"
key: "foo" secret: "bar"
The aomi tool supports LDAP authentication, along with mapping users to policies/groups, and groups to policies. It should work with all the ways that Vault supports LDAP.
The basic configuration will setup an auth endpoint. You can specify all the config variables listed in the Vault documentation itself. Note that the
certificate options must be specified in a “secret” file indicated by the
ldap_auth: - url: "ldap://example.com" binddn: "cn=vault,dc=example,dc=com" userattr: "uid" userdn: "dc=example,dc=com" groupdn: "dc=example,dc=com" secrets: "ldap.yml"
Vault provides the ability to map users to policies and LDAP groups. Note that depending on your particular Vault/LDAP configuration, you may not be able to set overrides for users.
ldap_users: - user: "test" groups: - "some-group" - "another-group" policies: - "another-policy"
Vault provides the ability to map LDAP groups to policies.
ldap_groups: - name: "some-group" policies: - "some-policy"