HashiCorp Vault
Description
The HashiCorp Vault connector uses the Vault HTTP API to discover identity entities, identity groups, and ACL policies. It supports three authentication methods — static token, AppRole, and userpass — and is compatible with both Vault OSS and Vault Enterprise (with namespace support).
System Type Classification
| Field | Value |
|---|---|
| System Type | PAM Tool |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| Vault HTTP API (HTTPS) | 8200 TCP | Default; configurable via pamPlatformUrl |
What OrbisID Discovers
| Data | Source |
|---|---|
| Identity entities | LIST /v1/identity/entity/id + GET /v1/identity/entity/id/{id} |
| Identity entity metadata | Stored as account attributes |
| Identity groups | LIST /v1/identity/group/id + GET /v1/identity/group/id/{id} |
| Group memberships | member_entity_ids field on each group |
| ACL policies | LIST /v1/sys/policies/acl — recorded as VAULT_POLICY entitlements |
Discovery of entities, groups, and memberships requires the Identity Secrets Engine to be enabled (it is enabled by default in Vault 0.9+). ACL policy discovery requires sys/policies/acl list access.
Connection Requirements
Authentication Methods
Select the auth method via the vaultAuthMethod system attribute:
TOKEN (default)
A static Vault token with the required permissions. Best for testing; use AppRole or Userpass for production.
APPROLE
Vault's recommended server-to-server auth method. Create an AppRole with appropriate policies:
```shell
# Enable the AppRole auth method (once per Vault / namespace)
vault auth enable approle

# Create a role for the scanner; secret_id_ttl=0 means issued Secret IDs never
# expire, so the token lifetime is bounded by token_ttl instead
vault write auth/approle/role/orbisid-scanner \
    secret_id_ttl=0 \
    token_ttl=60m \
    token_policies="orbisid-read-policy"

# Role ID -> credential.username, Secret ID -> credential.password
vault read auth/approle/role/orbisid-scanner/role-id
vault write -f auth/approle/role/orbisid-scanner/secret-id
```
USERPASS
Username and password via Vault's userpass auth method.
Minimum Vault Policy
Create a policy granting the required read-only access:
```hcl
# orbisid-read-policy.hcl
# LIST on identity/entity/id and identity/group/id is evaluated against the
# path with a trailing slash, which the trailing "*" glob also covers.
path "identity/entity/id/*" {
  capabilities = ["read", "list"]
}
path "identity/group/id/*" {
  capabilities = ["read", "list"]
}
path "sys/policies/acl/*" {
  capabilities = ["list"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
```
```shell
vault policy write orbisid-read-policy orbisid-read-policy.hcl
```
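A pre-flight check for the scanning token, added here as an example and not part of OrbisID or Vault. It uses Vault's `POST /v1/sys/capabilities-self` endpoint (a real endpoint, though not one the page mentions), which returns the capabilities the calling token has on each supplied path, and compares them with what `orbisid-read-policy.hcl` grants. The probe path `identity/entity/id/example-id` is a constructed placeholder: Vault evaluates the policy against the string, so the entity does not have to exist. The response in `CONSTRUCTED_RESPONSE` is made up to show a policy that forgot the `sys/policies/acl` list grant, the cause of the "No policies listed" symptom in the troubleshooting table.

```python
"""Check a Vault token against the page's minimum policy via sys/capabilities-self.

Added example, not OrbisID or Vault code. CONSTRUCTED_RESPONSE is made up so
the check runs offline; live_capabilities_self talks to a real server.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Set

# (probe path sent to capabilities-self, policy stanza that grants it, capabilities needed).
# A LIST is authorized against the path with its trailing slash; "example-id" is a
# constructed placeholder that the identity/.../id/* glob must cover.
REQUIRED = [
    ("identity/entity/id/", "identity/entity/id/*", {"list"}),
    ("identity/entity/id/example-id", "identity/entity/id/*", {"read"}),
    ("identity/group/id/", "identity/group/id/*", {"list"}),
    ("identity/group/id/example-id", "identity/group/id/*", {"read"}),
    ("sys/policies/acl/", "sys/policies/acl/*", {"list"}),
    ("auth/token/lookup-self", "auth/token/lookup-self", {"read"}),
]

# paths -> {path: capabilities}, as returned in the "data" object of capabilities-self
CapabilitiesSelf = Callable[[List[str]], Dict[str, List[str]]]


def live_capabilities_self(base_url: str, token: str, namespace: str = None) -> CapabilitiesSelf:
    """Build a CapabilitiesSelf that queries a live Vault (not exercised offline)."""
    def call(paths):
        req = urllib.request.Request(f"{base_url}/v1/sys/capabilities-self",
                                     data=json.dumps({"paths": paths}).encode(), method="POST")
        req.add_header("X-Vault-Token", token)
        req.add_header("Content-Type", "application/json")
        if namespace:
            req.add_header("X-Vault-Namespace", namespace)
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = json.load(resp)["data"]
        return {p: data.get(p, ["deny"]) for p in paths}
    return call


def check_capabilities(capabilities_self: CapabilitiesSelf) -> Dict[str, Set[str]]:
    """Return {policy stanza path: capabilities still missing}; empty means sufficient."""
    granted = capabilities_self([probe for probe, _, _ in REQUIRED])
    missing: Dict[str, Set[str]] = {}
    for probe, stanza, need in REQUIRED:
        have = set(granted.get(probe, ["deny"]))
        if "root" in have:          # root tokens carry every capability
            continue
        gap = set(need) if "deny" in have else need - have
        if gap:
            missing.setdefault(stanza, set()).update(gap)
    return missing


def render_fix(missing: Dict[str, Set[str]]) -> str:
    """HCL stanzas to append to orbisid-read-policy.hcl for each gap found."""
    return "\n".join(
        f'path "{stanza}" {{\n  capabilities = {json.dumps(sorted(caps))}\n}}'
        for stanza, caps in sorted(missing.items()))


# Constructed capabilities-self reply for a token whose policy lacks the ACL list grant.
CONSTRUCTED_RESPONSE = {
    "identity/entity/id/": ["list", "read"],
    "identity/entity/id/example-id": ["list", "read"],
    "identity/group/id/": ["list", "read"],
    "identity/group/id/example-id": ["list", "read"],
    "sys/policies/acl/": ["deny"],
    "auth/token/lookup-self": ["read"],
}


def fake_capabilities_self(paths: List[str]) -> Dict[str, List[str]]:
    return {p: CONSTRUCTED_RESPONSE.get(p, ["deny"]) for p in paths}


if __name__ == "__main__":
    gaps = check_capabilities(fake_capabilities_self)
    print("policy OK" if not gaps else "missing grants:\n" + render_fix(gaps))
```

Run this with the scanning credential before the first scan: it reports exactly the stanza to add, rather than leaving the gap to surface later as a 403 in the scanner log, and it confirms the token holds nothing beyond what the connector needs.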
Credential Mapping
| Auth Method | credential.username | credential.password |
|---|---|---|
| TOKEN | (unused) | Vault token |
| APPROLE | Role ID | Secret ID |
| USERPASS | Vault username | Vault password |
System Attributes
| Attribute | Required | Default | Description |
|---|---|---|---|
| vaultAuthMethod | No | TOKEN | Auth method: TOKEN, APPROLE, or USERPASS |
| vaultNamespace | No | (none) | Vault Enterprise namespace (e.g., admin/team-a) |
Configuration Steps
- Create the Vault policy and assign it to the scanning identity
- Create a Credential in OrbisID matching your chosen auth method
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., HashiCorp Vault – Production) |
| PAM Platform URL | Vault base URL (e.g., https://vault.example.com:8200) |
| OS Type | HashiCorp Vault |
| System Type | PAM Tool |
| Credential | The scanning credential (matched to your auth method) |
- Add system attributes as needed (vaultAuthMethod, vaultNamespace)
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| 403 permission denied for entities | Policy missing identity read | Add identity/entity/id/* read/list to the Vault policy |
| Vault login failed – bad credentials (AppRole) | Wrong Role ID or Secret ID | Re-generate the Secret ID; verify the Role ID |
| No entities returned | Identity secrets engine not enabled | Enable: vault secrets enable identity |
| No policies listed | Policy missing sys/policies/acl list | Add sys/policies/acl/* list to the Vault policy |
| Namespace error | Wrong namespace path | Verify the namespace in Vault Enterprise; namespaces are case-sensitive |