Part 2: Authentication & Authorization
At heart, Akeyless is all about authenticating identities and authorizing them to access secrets.
The platform serves two main types of identities: human and machine identities. When we say "machine", we are referring collectively to scripts, services, microservices, containers, VMs, and so on - anything that is not run manually using a human identity.
Each identity is represented by an Authentication Method object. Akeyless supports several types of authentication methods: AWS IAM, Azure AD, GCP, OCI IAM, API key, Kubernetes Auth, SAML, LDAP, OIDC, OAuth2.0/JWT, Certificate, and Universal Identity (UID)™.
Each Authentication Method object is associated with an Access Role that grants permission (including Create, Read, Update, Delete, List, and Deny) to this identity on Secrets, Targets, Roles, and Authentication Method objects stored inside the Akeyless SaaS solution.
Let's see how this process works for a machine identity.
- A container requires credentials to connect to the SQL server. It uses its AWS IAM Role as an Authentication Method to authenticate with Akeyless.
- Akeyless checks permission in the Access Role associated with the corresponding Authentication Method object to make sure that the container can access the secret.
- Akeyless provides the secret to the container. The container uses the credentials to interact directly with the SQL database.
The process is the same for human identities.
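The three steps above can be traced in a small model. This is an added example, not Akeyless code or its API: the class and function names, the `*` path wildcard, the deny-over-allow precedence, and the string comparison standing in for real AWS IAM verification are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class Rule:
    path: str                # path pattern; the "*" wildcard is an assumption of this model
    capabilities: frozenset  # subset of create/read/update/delete/list/deny

@dataclass(frozen=True)
class AuthMethod:
    kind: str                # e.g. "aws_iam"
    bound_identity: str      # the one identity allowed to use this method
    role_rules: tuple        # rules of the associated Access Role

def authenticate(methods, access_id, kind, identity):
    """Step 1: map the presented identity to an Authentication Method object."""
    m = methods.get(access_id)
    if m is None or m.kind != kind or m.bound_identity != identity:
        raise AccessDenied("authentication failed")
    return m

def authorize(method, action, path):
    """Step 2: evaluate the Access Role. No matching rule means no access;
    a matching deny rule wins over any allow (assumed precedence)."""
    allowed = False
    for rule in method.role_rules:
        if fnmatchcase(path, rule.path):
            if "deny" in rule.capabilities:
                return False
            allowed = allowed or action in rule.capabilities
    return allowed

def get_secret(methods, store, access_id, kind, identity, path):
    """Step 3: release the secret only after both checks pass."""
    method = authenticate(methods, access_id, kind, identity)
    if not authorize(method, "read", path):
        raise AccessDenied(f"read not permitted on {path}")
    return store[path]

# Constructed sample data (not real identifiers or credentials).
CONTAINER_ROLE = "arn:aws:iam::111122223333:role/orders-container"
METHODS = {"p-example": AuthMethod("aws_iam", CONTAINER_ROLE, (
    Rule("/prod/db/*", frozenset({"read", "list"})),
    Rule("/prod/db/root-*", frozenset({"deny"}))))}
STORE = {"/prod/db/sql-creds": "app_user:constructed-password",
         "/prod/db/root-creds": "root:constructed-password", "/staging/api-key": "constructed-key"}
```

In this model the container can read `/prod/db/sql-creds`, while `/prod/db/root-creds` is blocked by the deny rule and `/staging/api-key` is blocked because no rule covers it.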