Create Identities
Because the operator key is highly privileged, it is advisable to create additional identities with fewer rights and to use the operator key only to bootstrap them.
Usually it makes sense to divide identities by teams/projects/areas.
In this example, we will divide the identities into teams.
For the sake of simplicity, we will continue to work in the same Terraform project here.
In "real life" the configuration would be split across several projects.
We will be creating identities for two teams.
- A_Team manages applications and is therefore a development team.
- Search_Team manages the big data database and decides which team may access which data.
We will create three secrets:
- two managed by A_Team
- one managed by Search_Team, but with read access from A_Team
A_Team will create a service identity:
- with read-only access to the secrets
In this way the team manages the individual accesses to the Big Data application on a per-service basis.
Create team identity
A_Team Identity:
```hcl
# Create a new identity keypair
resource "cryptvault_cloud_keypair" "A_Team" {}

# Register Keypair to cryptvault.cloud
resource "cryptvault_cloud_identity" "A_Team" {
  name        = "A_Team"
  vault_id    = cryptvault_cloud_vault.my_vault.id
  creator_key = cryptvault_cloud_vault.my_vault.operator_private_key
  public_key  = cryptvault_cloud_keypair.A_Team.public_key
  rights = [
    {
      # A_Team can create new identities, but at most with the rights to the VALUES to which it is itself entitled
      right_value_pattern = "(rwd)IDENTITY.>"
    },
    {
      # Team internal secrets
      right_value_pattern = "(rwd)VALUES.a_team.>"
    },
    {
      # secrets from search_team for a_team
      right_value_pattern = "(rwd)VALUES.search_team.a_team.>"
    }
  ]
}
```
Search_Team Identity:
```hcl
# Create a new identity keypair
resource "cryptvault_cloud_keypair" "Search_Team" {}

# Register Keypair to cryptvault.cloud
resource "cryptvault_cloud_identity" "Search_Team" {
  name        = "Search_Team"
  vault_id    = cryptvault_cloud_vault.my_vault.id
  creator_key = cryptvault_cloud_vault.my_vault.operator_private_key
  public_key  = cryptvault_cloud_keypair.Search_Team.public_key
  rights = [
    {
      # Search_Team can create new identities, but at most with the rights to the VALUES to which it is itself entitled
      right_value_pattern = "(rwd)IDENTITY.>"
    },
    {
      # Team internal secrets
      right_value_pattern = "(rwd)VALUES.search_team.>"
    }
  ]
}
```
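To see what the right patterns above actually grant and deny, here is a small policy checker. It is an added example, not code from cryptvault.cloud or its Terraform provider, and it assumes semantics that this page does not spell out: a pattern is `(<perms>)<subject>` with `<perms>` a subset of `r`/`w`/`d`, the subject is a dot-separated path, and a trailing `>` matches one or more remaining tokens (NATS-style). The key names (`db_password`, `export_token`, `internal_key`) and the delegation rule in `can_delegate` are constructed to mirror the comment "at most with the rights to the VALUES to which it is itself entitled".

```python
"""Least-privilege check for cryptvault.cloud-style right patterns.

Added example; not code from cryptvault.cloud. Assumptions (not documented
on this page): a right pattern is "(<perms>)<subject>", <perms> is a subset
of r/w/d, <subject> is a dot-separated path, and a trailing ">" matches one
or more remaining tokens (NATS-style). Sample key paths are constructed.
"""
import re
from dataclasses import dataclass

PATTERN_RE = re.compile(r"^\(([rwd]+)\)(.+)$")


@dataclass(frozen=True)
class Right:
    perms: frozenset   # e.g. frozenset({"r", "w", "d"})
    subject: tuple     # e.g. ("VALUES", "a_team", ">")

    @classmethod
    def parse(cls, pattern: str) -> "Right":
        m = PATTERN_RE.match(pattern)
        if not m:
            raise ValueError(f"malformed right pattern: {pattern!r}")
        perms, subject = m.groups()
        tokens = tuple(subject.split("."))
        if ">" in tokens[:-1]:
            raise ValueError(f"'>' is only valid as the last token: {pattern!r}")
        return cls(frozenset(perms), tokens)

    def matches(self, key: str) -> bool:
        """Does this right's subject pattern match the concrete key path?"""
        tokens = key.split(".")
        for i, pat in enumerate(self.subject):
            if pat == ">":               # wildcard: needs at least one more token
                return len(tokens) > i
            if i >= len(tokens) or tokens[i] != pat:
                return False
        return len(tokens) == len(self.subject)


def allowed(rights, action: str, key: str) -> bool:
    """True if any pattern in `rights` grants `action` ('r', 'w' or 'd') on `key`."""
    return any(action in r.perms and r.matches(key)
               for r in (Right.parse(p) for p in rights))


def _covers(parent, child) -> bool:
    """Parent subject pattern covers every key the child pattern could match."""
    for i, pat in enumerate(parent):
        if pat == ">":
            return len(child) > i
        if i >= len(child) or child[i] == ">" or child[i] != pat:
            return False
    return len(child) == len(parent)


def can_delegate(parent_rights, child_rights) -> bool:
    """A new identity may only receive rights its creator already holds:
    every child pattern must be covered by a parent pattern with a superset
    of permissions (assumed reading of the IDENTITY right's comment above)."""
    parents = [Right.parse(p) for p in parent_rights]
    return all(
        any(p.perms >= c.perms and _covers(p.subject, c.subject) for p in parents)
        for c in (Right.parse(p) for p in child_rights)
    )


# Rights exactly as assigned to the two team identities above.
A_TEAM = ["(rwd)IDENTITY.>", "(rwd)VALUES.a_team.>", "(rwd)VALUES.search_team.a_team.>"]
SEARCH_TEAM = ["(rwd)IDENTITY.>", "(rwd)VALUES.search_team.>"]

if __name__ == "__main__":
    # A_Team reaches its own subtree and the search_team.a_team handover subtree only
    print(allowed(A_TEAM, "r", "VALUES.a_team.db_password"))           # True
    print(allowed(A_TEAM, "r", "VALUES.search_team.internal_key"))     # False
    # the read-only service A_Team creates must stay inside A_Team's own rights
    print(can_delegate(A_TEAM, ["(r)VALUES.a_team.>",
                                "(r)VALUES.search_team.a_team.>"]))    # True
    print(can_delegate(A_TEAM, ["(r)VALUES.search_team.>"]))           # False
```

Note that `>` requires at least one further token, so `(rwd)VALUES.a_team.>` does not match the bare key `VALUES.a_team`; if the real service treats `>` differently, adjust `matches` and `_covers` together.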
```shell
terraform apply
```
The same two identities can also be created with vault-cli. For the sake of simplicity we keep working in a single project folder here; in "real life" the configuration would be split into several parts and could also be combined with Terraform projects.
A_Team:
```shell
vault-cli protected --creds .cryptvault/$VAULT_CLI_VAULTNAME/operator/key add identity \
  --name A_Team \
  --r '(rwd)IDENTITY.>' \
  --r '(rwd)VALUES.a_team.>' \
  --r '(rwd)VALUES.search_team.a_team.>'
```
Search_Team:
```shell
vault-cli protected --creds .cryptvault/$VAULT_CLI_VAULTNAME/operator/key add identity \
  --name Search_Team \
  --r '(rwd)IDENTITY.>' \
  --r '(rwd)VALUES.search_team.>'
```