Enable multi-tenancy in HCP Vault with namespaces
When Vault is primarily used as a central location to manage secrets, multiple organizations within a company may need to be able to manage their secrets in a self-serving manner. This means that a company needs to implement a Vault as a Service model allowing each organization (tenant) to manage their own secrets and policies. Most importantly, tenants should be restricted to work only within their tenant scope.
To achieve this, HashiCorp Cloud Platform (HCP) Vault Dedicated utilizes the concept of a namespace. A namespace allows you to create separate groups of secrets, and apply policies to those namespaces to ensure each tenant can only access the secrets they have permission to. When you create a new HCP Vault Dedicated cluster, a Vault Enterprise cluster with a default namespace of admin is provisioned.
In this tutorial, you will explore the creation of namespaces and learn how to navigate between them.
Note
This step assumes that you created and connected to the HCP Vault Dedicated cluster in the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) step.
Characteristics of Vault namespaces
A Vault namespace gives teams, organizations, or applications a dedicated, isolated environment. Each namespace has its own:
- Policies
- Auth methods
- Secrets engines
- Tokens
- Identity entities and groups
Tokens are locked to a namespace or child-namespaces. Identity groups can pull in entities and groups from other namespaces.
Create namespaces
You may define nested namespaces within a parent namespace. These child-namespaces enable further isolated environments under the parent namespace.
In the Vault UI, select Access from the menu.
Select Namespaces and then click the Create namespace action.
Enter education in the Path field. Click Save.
The education namespace is created as a child-namespace of the admin namespace. This relationship is represented as the path admin/education/.
Click the admin namespace from the menu.
The namespace selector displays the child-namespaces of the current namespace.
Select the education namespace.
The current namespace changes to admin/education/.
Navigate to Access > Namespaces and click the Create namespace action.
Enter training in the Path field. Click Save.
The training namespace is created as a child-namespace of the admin/education/ namespace. This relationship is represented as the path admin/education/training/.
Use the namespace selector to navigate to the training namespace and then to the admin namespace.
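The same steps expressed against Vault's HTTP API, as an added example that is not part of this tutorial or HashiCorp's own tooling: it derives the nested paths admin/education/ and admin/education/training/, builds the create-namespace call that the UI's Create namespace action issues from the current namespace (the X-Vault-Namespace header carries the namespace you are "in"), and checks the token-scoping rule stated above. The cluster address and token are placeholders, and send() is only needed if you actually have a cluster to talk to.

```python
import json
import urllib.request

VAULT_ADDR = "https://PLACEHOLDER-cluster.hashicorp.cloud:8200"  # placeholder HCP address
VAULT_TOKEN = "hvs.PLACEHOLDER"                                   # placeholder admin token


def child_path(parent: str, name: str) -> str:
    """Full path of a child namespace: ('admin/education/', 'training') -> 'admin/education/training/'."""
    if not name or "/" in name:
        raise ValueError("a child namespace name is a single path segment")
    return f"{parent.strip('/')}/{name}/"


def create_namespace_request(parent: str, name: str) -> dict:
    """Describe the API call behind 'Create namespace' while positioned in `parent`.

    Vault's namespace API is POST /v1/sys/namespaces/<name>; the namespace
    context comes from the X-Vault-Namespace header, not from the URL.
    """
    return {
        "method": "POST",
        "url": f"{VAULT_ADDR}/v1/sys/namespaces/{name}",
        "headers": {
            "X-Vault-Token": VAULT_TOKEN,
            "X-Vault-Namespace": parent.strip("/"),
        },
    }


def token_in_scope(token_ns: str, target_ns: str) -> bool:
    """A token is usable only in the namespace it was issued in or its descendants.

    The root namespace is the empty string and spans every namespace. The
    trailing slash prevents 'admin' from matching a sibling such as 'administration'.
    """
    token_ns, target_ns = token_ns.strip("/"), target_ns.strip("/")
    if token_ns == "":
        return True
    return (target_ns + "/").startswith(token_ns + "/")


def send(req: dict) -> dict:
    """Perform a built request against a real cluster (network required)."""
    r = urllib.request.Request(req["url"], method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    for parent, name in [("admin", "education"), ("admin/education/", "training")]:
        req = create_namespace_request(parent, name)
        print(child_path(parent, name), "<-", req["method"], req["url"], req["headers"]["X-Vault-Namespace"])
```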
You created and navigated through Vault Enterprise namespaces. To gain a greater understanding of namespaces, complete the Secure Multi-Tenancy with Namespaces tutorial.