Added a table showing the entity alias name used by each auth method. (#10908)

* Also corrected the text about token auth method.
2025-10-30 02:02:43 +00:00 · 2021-02-11 18:34:45 -06:00
parent 94cb82965f
commit c44b60db66
1 changed files with 30 additions and 2 deletions
--- a/website/content/docs/secrets/identity.mdx
+++ b/website/content/docs/secrets/identity.mdx
@@ -81,6 +81,33 @@ these identity providers. Hence, the alias name in combination with the
 authentication backend mount's accessor, serve as the unique identifier of an
 alias.

+The table below shows what information each of the supported auth methods uses
+to form the alias name. This is the identifying information that is used to match or create
+an entity. If no entities are explicitly created or merged, then one [entity will be implicitly created](#implicit-entities)
+for each object on the right-hand side of the table, when it is used to authenticate on
+a particular auth mount point.
+
+| Auth method | Name reported by auth method                  |
+| ----------- | --------------------------------------------- |
+| AliCloud    | Principal ID                                  |
+| AppRole     | Role ID                                       |
+| AWS IAM     | Configurable via `iam_alias` to one of: Role ID (default), IAM unique ID, Full ARN |
+| AWS EC2     | Configurable via `ec2_alias` to one of: Role ID (default), EC2 instance ID, AMI ID | 
+| Azure       | Subject (from JWT claim)                      |
+| Cloud Foundry | App ID                                      |
+| GitHub      | User login name associated with token         |
+| Google Cloud | Configurable via `iam_alias` to one of: Role ID (default), Service account unique ID |
+| JWT/OIDC    | Configurable via `user_claim` to one of the presented claims (no default value) | 
+| Kerberos    | Username                                      |
+| Kubernetes  | Service account UID                           |
+| LDAP        | Username                                      |
+| OCI         | Constant “name” (_This is a bug in current version_) |
+| Okta        | Username                                      |
+| RADIUS      | Username                                      |
+| TLS Certificate | Subject CommonName                        |
+| Token       | `entity_alias`, if provided                   |
+| Username (userpass) | Username                              |
+
 ### Local Auth Methods

 If a login is performed using an auth method that was mounted locally on a
@@ -96,8 +123,9 @@ successful user login from any of the authentication backends, Vault will
 create a new entity and assign an alias against the login that was successful.

 Note that the tokens created using the token authentication backend will not
-have an associated identity information. Logging in using the authentication
-backends is the only way to create tokens that have a valid entity identifiers.
+normally have any associated identity information. An existing or new implicit
+entity can be assigned by using the `entity_alias` parameter, when creating a
+token using a token role with a configured list of `allowed_entity_aliases`.

 ### Identity Auditing