Introducing Centrify Identity Services for HashiCorp Vault

April 17, 2018

Today, Centrify is proud to announce the integration of the Centrify Identity Service with HashiCorp Vault for role-based user authentication and access to the Vault.

The Centrify Next-Gen Access Management platform now provides an additional Auth Method called “centrify” for HashiCorp Vault. This Auth Method allows you to authenticate users to HashiCorp Vault, leverage any connected directory source for authentication, and enable role-based authorizations to Vault resources using Centrify Roles.

Figure 1: HashiCorp Vault integration with Centrify Identity Services
There are several benefits to using Centrify for user authentication to HashiCorp Vault:

  • Centrify brokers authentication to any connected directory source, including Active Directory, LDAP, Google Directory, or the Centrify Cloud Directory for user or service accounts.
  • User access to the Vault is time-bound and is based on authentication to the Centrify Identity Service. This allows you to avoid long-lived credentials left behind on users’ machines and protects against potential malware attacks.
  • Centrify’s integration enables workflow-based access control, allowing users to request and receive access to the Vault only when needed. This enables you to grant access to the Vault without assigning permanent access rights within the Centrify Identity Service.
  • Centrify integration centralizes access management for new users and temporary workers. You can simplify account creation during the on-boarding process and automatically disable user access upon termination.
  • Centrify captures an audit log of all user login events to the HashiCorp Vault and sends these logs to your security information and event management (SIEM) solution for analysis.
  • With Centrify, you can authenticate your on-premises users to the Vault deployed on-premises, in a DMZ, within one or more VPCs on Amazon AWS, or in other IaaS hosting services.
Centrify can also simplify the integration with Active Directory for those deployments where Vault runs on Linux and has direct Active Directory access.

In this model, Centrify extends Vault’s current LDAP Auth Method to support proper operations within complex multi-domain or one-way trust Active Directory (AD) environments through the Centrify LDAP Proxy.

Additionally, the Centrify Agent for Linux provides centralized public key infrastructure (PKI) certificate management for Linux in environments that use Microsoft Certificate Authority for automated certificate issuance and renewal.

Figure 2: HashiCorp Vault integration with Centrify Agent for Active Directory

Regardless of how you would like to centralize user authentication to Vault, Centrify provides a solution to integrate Vault with Active Directory, LDAP, Google Directory or the Centrify Cloud Directory, and to provide role-based authorization to Vault resources.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.