▶️ Usage Example

Requesting Access

Vault/OpenBao Entities writing to the auth/gateplane/aws-prod-object-writer/request endpoint create an access request:

$ VAULT_TOKEN="<requestor-token>" \
    vault write auth/gateplane/aws-prod-object-writer/request \
        reason="I want to get in"  # Reason is configured as mandatory for this gate
Key           Value
---           -----
exp           2025-07-01T10:46:52.418873353Z
iat           2025-07-01T09:46:52.418873353Z
overwrite     false     # Whether a request by this entity has been already created
reason        I want to get in
request_id    5ec53023-d998-6b3d-f58f-49976f3b1af7 # The Entity ID of the Requestor
status        pending   # status can be: pending / approved / active / expired

By design, each Requestor can have exactly one request against a Gate.

Approving Access

Then the Approver can approve using the RequestID:

$ VAULT_TOKEN="<approver-token>" \
    vault write auth/gateplane/aws-prod-object-writer/approve \
        request_id="5ec53023-d998-6b3d-f58f-49976f3b1af7"
Key           Value
---           -----
access_approved true
exp             2025-07-01T10:20:00.326612898Z
iat             2025-07-01T09:50:00.326612898Z
message         access approved
approval_id     5ec53023-d998-6b3d-f58f-49976f3b1af7:dbd64311-28e8-7e28-b1ac-1e5c9aa490e7:+

Hint

The Approver learns the RequestID either through out-of-band communication, a LIST on the /request endpoint, or the Notification Feature.

Claiming Access

The Requestor learns of the approval by polling the /request endpoint:

$ VAULT_TOKEN="<requestor-token>" \
    vault read auth/gateplane/aws-prod-object-writer/request
Key           Value
---           -----
exp           2025-07-01T10:46:52.418873353Z
grant_code    b4608697-73d5-447d-84e2-e244c78b3165  # Generated once the request is approved
iat           2025-07-01T09:46:52.418873353Z
reason        I want to get in
request_id    5ec53023-d998-6b3d-f58f-49976f3b1af7
status        approved # The state changes to approved

Using the grant_code against the /claim endpoint finally grants the Vault/OpenBao token:

$ VAULT_TOKEN="" \
    vault write auth/gateplane/aws-prod-object-writer/claim \
        grant_code="b4608697-73d5-447d-84e2-e244c78b3165"  # empty token: see the note below
Key               Value
---               -----
token             s.raPGTZdARXdY0KvHcWSpp5wWZIHNT
token_renewable   false
# Some fields are omitted
policies          ["aws-prod-object-writer"]

Endpoints that issue Vault/OpenBao tokens (such as the Policy Gate's /claim endpoint) reject authenticated requests, which is why VAULT_TOKEN is left empty above: https://github.com/hashicorp/vault/issues/6074.
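As an added example (not GatePlane's own tooling), the three steps above driven end to end from a POSIX shell script: it assumes the vault CLI, the gate path shown above, that REQUESTOR_TOKEN holds the requestor's token, and that the claimed token is wanted on stdout; the poll interval, the poll limit and the GATEPLANE_RUN guard are the example's own additions.

```shell
#!/bin/sh
# Added example: request -> poll /request -> claim, using the vault CLI.
# Assumes REQUESTOR_TOKEN is exported. Set GATEPLANE_RUN=1 to actually run the
# flow; otherwise only the functions are defined.
GATE="auth/gateplane/aws-prod-object-writer"
POLL_INTERVAL="${POLL_INTERVAL:-10}"   # seconds between /request reads (assumed)
POLL_MAX="${POLL_MAX:-60}"             # give up after this many reads (assumed)

# field KEY: pull one value out of vault's "Key  Value" table output on stdin,
# skipping the two header lines.
field() {
  awk -v k="$1" 'NR > 2 && $1 == k { print $2; exit }'
}
request_status()     { field status; }
request_grant_code() { field grant_code; }

# decide_poll OUTPUT: 0 = grant_code is ready, 2 = request finished without one
# (status expired), 1 = still pending, keep polling.
decide_poll() {
  st=$(printf '%s\n' "$1" | request_status)
  gc=$(printf '%s\n' "$1" | request_grant_code)
  case "$st" in
    approved|active) [ -n "$gc" ] && return 0 ;;
    expired)         return 2 ;;
  esac
  return 1
}

# gateplane_login REASON: create the request, wait for approval, then claim with
# an EMPTY token, since /claim rejects authenticated requests (note above).
gateplane_login() {
  VAULT_TOKEN="$REQUESTOR_TOKEN" vault write "$GATE/request" reason="$1" >/dev/null || return 1
  n=0
  while [ "$n" -lt "$POLL_MAX" ]; do
    out=$(VAULT_TOKEN="$REQUESTOR_TOKEN" vault read "$GATE/request") || return 1
    rc=0; decide_poll "$out" || rc=$?
    case "$rc" in
      0) gc=$(printf '%s\n' "$out" | request_grant_code)
         VAULT_TOKEN="" vault write "$GATE/claim" grant_code="$gc" | field token
         return ;;
      2) echo "request expired before it was approved" >&2; return 1 ;;
    esac
    n=$((n + 1)); sleep "$POLL_INTERVAL"
  done
  echo "timed out waiting for approval" >&2; return 1
}

if [ -n "${GATEPLANE_RUN:-}" ]; then gateplane_login "${1:-automated request}"; fi
```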