Vault/OpenBao Policy Gate
This auth plugin is configured with a list of Vault/OpenBao policies. Claiming an Access Request in this plugin will issue a Vault/OpenBao token bearing the configured policies.
What accesses are supported by this plugin
This plugin natively supports every Vault/OpenBao Secret Engine (see the Secret Engines documentation for Vault and for OpenBao).
Namely, cloud service providers such as AWS, Google Cloud and Azure, orchestrators such as Kubernetes or Nomad, databases such as MySQL/MariaDB or Elasticsearch, and SSH access are all supported natively.
Just-in-Time access
The token's lease expires as configured through the standard Vault/OpenBao /tune endpoint, which gives Just-In-Time access through the elevated token.
Leases only affect the tokens!
If the elevated token is used to generate credentials (e.g. AWS or Kubernetes), the lease TTLs of those generated credentials are configured separately in their respective Secret Engine mounts (e.g. the Kubernetes engine TTL).
This means that access to these resources is not automatically revoked when the elevated token itself expires.
Tied to the user
The elevated token generated by the /claim endpoint is bound to the Vault/OpenBao Entity that made the Access Request. This allows traceability of the privileged actions.
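As an added example (not part of this plugin's own code or documentation), the following Python script audits a token issued by the /claim endpoint. It works on constructed samples of `vault token lookup -format=json` and `vault read -format=json` output: it reports the entity the token is bound to and the policies it carries (the "Tied to the user" section), then flags every dynamic credential whose lease_duration exceeds the token's remaining ttl, since those credentials keep working after the token expires (the "Leases only affect the tokens" caveat). The entity ID, policy names and lease IDs are placeholders, not values from any real deployment.

```python
"""Audit a token issued by the Policy Gate /claim endpoint: which entity it is
bound to, which policies it carries, and which dynamic credentials generated
with it will outlive the token itself."""
import json

# Constructed sample of `vault token lookup -format=json` for a claimed token
# (entity_id, policies and timestamps are illustrative placeholders).
TOKEN_LOOKUP = json.dumps({
    "data": {
        "accessor": "accessor-EXAMPLE",
        "creation_time": 1700000000,
        "creation_ttl": 3600,
        "entity_id": "entity-EXAMPLE-0001",
        "expire_time": "2023-11-14T23:13:20Z",
        "policies": ["default", "aws-deploy-admin"],
        "ttl": 3600,          # seconds left on the token at lookup time
    }
})

# Constructed samples of `vault read -format=json <engine>/creds/<role>` made
# with the elevated token at the same moment as the lookup above.
CREDENTIAL_READS = [
    json.dumps({"lease_id": "aws/creds/deploy/EXAMPLE-1",
                "lease_duration": 28800, "renewable": True, "data": {}}),
    json.dumps({"lease_id": "kubernetes/creds/ops/EXAMPLE-2",
                "lease_duration": 600, "renewable": False, "data": {}}),
]

# A static KV read carries no lease at all; there is nothing to revoke.
STATIC_KV_READ = json.dumps({"lease_id": "", "lease_duration": 0,
                             "renewable": False, "data": {"k": "v"}})


def parse_token(lookup_json: str) -> dict:
    """Pull the traceability and lifetime fields out of a token lookup."""
    data = json.loads(lookup_json)["data"]
    return {
        "entity_id": data.get("entity_id", ""),
        "policies": sorted(data.get("policies", [])),
        "ttl": int(data["ttl"]),
    }


def leases_outliving_token(token_ttl: int, credential_reads: list[str]) -> list[dict]:
    """Compare each credential's remaining lease_duration with the token's
    remaining ttl. Both are seconds measured at the same moment, so a lease
    with the larger number keeps working after the elevated token has expired."""
    overhang = []
    for raw in credential_reads:
        secret = json.loads(raw)
        lease_id = secret.get("lease_id")
        if not lease_id:
            continue  # no lease: static secret, cannot outlive anything
        extra = int(secret["lease_duration"]) - token_ttl
        if extra > 0:
            overhang.append({
                "lease_id": lease_id,
                "outlives_token_by": extra,
                "renewable": bool(secret.get("renewable")),
            })
    return overhang


def revoke_commands(overhang: list[dict]) -> list[str]:
    """Vault CLI invocations that would close each reported gap."""
    return [f"vault lease revoke {item['lease_id']}" for item in overhang]


if __name__ == "__main__":
    token = parse_token(TOKEN_LOOKUP)
    print(f"claimed by entity {token['entity_id']} with policies {token['policies']}")
    gaps = leases_outliving_token(token["ttl"], CREDENTIAL_READS + [STATIC_KV_READ])
    for gap in gaps:
        print(f"{gap['lease_id']} outlives the token by {gap['outlives_token_by']}s")
    for cmd in revoke_commands(gaps):
        print(cmd)
```

Listing the leases is the cheap part. Closing the gap means either tuning each Secret Engine mount's max TTL down to the duration of the Access Request, or revoking the leases when the request ends; `vault lease revoke -prefix <mount>/creds/` does the latter for a whole mount in one call.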