Identity and Access Management
On this page you will learn about the identity and access management APIs and configurations that are available to help you manage and secure your VGS Vault.
Control Plane APIs
The VGS Platform includes both a Control Plane and a Data Plane. The control plane decides how data is managed, routed, and processed, while the data plane moves the data itself. The control plane also covers administration of users, organizations, reporting, usage, and observability.
Account Management API
The VGS User Accounts API provides a secure and self-serve solution for customers to retrieve user account details and access permissions at both the organization level and at individual vault level. This API allows clients to fetch real-time account permission details on demand.
Data Plane APIs
Data Plane Credential Management
Each Vault has a separate set of credentials used solely to provide access to the data within the vault.
Credentials for each vault can be managed via the VGS Dashboard's Access Credential Management screen or the VGS CLI. Multiple sets of credentials can be active at the same time, so a new set can be issued and rolled out to your clients before the old set is revoked, allowing credentials to be rotated without downtime.
Other IAM Components
Service Accounts
For automation use cases you can programmatically create service account credentials. These are ideal for scripted workflows such as a git-driven change management flow.
Permissions
User and Service account permissions are controlled via the VGS Dashboard's User Access Control screen.
Complex runtime permissioning may be implemented using Larky, the VGS secure runtime.
Custom Identity Providers
A custom IdP and Single Sign-on (SSO) can be enabled; see the IdP and SSO configuration guide for the steps.
Authentication Technologies
VGS uses multiple forms of authentication for our APIs and proxies. All authentication is underpinned by common best practices, including TLS 1.2 encryption, IP address restrictions, and audit and access logs, and is monitored by our in-house security operations team.
Basic Authentication
Basic authentication, as specified in RFC 7617, is used for accessing data via proxies and Vault APIs. It transmits credentials as a user ID/password pair encoded with base64. Base64 is an encoding, not encryption, so the confidentiality of the credential rests entirely on the TLS 1.2 connection these APIs are served over. HTTP Routes are additionally complemented with IP address based restrictions, so that a credential which does leak cannot be used from systems outside the allow-list, supporting a zero trust like posture. We follow Mozilla's recommended best practices for implementation.
Bearer Authentication
Bearer authentication, as specified in RFC 6750, is used together with OAuth 2.0 for accessing configuration APIs. This is a separate credential from the data-plane credentials and is used for service accounts and user administration of VGS, keeping control-plane and data-plane access apart.
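As an added illustration of the two schemes above, and of the overlapping credential sets described under Data Plane Credential Management, the following Python sketch models how a request authenticator might layer them: an RFC 7617 Basic check behind an IP allow-list for data-plane calls, and an RFC 6750 Bearer check with expiry for control-plane calls. It is example code written for this page, not VGS's implementation; the `VaultCredentials` and `BearerTokenStore` classes, the CIDR allow-list, and the sample usernames, tokens and addresses are all assumed stand-ins.

```python
import base64
import binascii
import hmac
import ipaddress
import re
import time
from dataclasses import dataclass


@dataclass
class VaultCredentials:
    """Data-plane credentials for one vault (hypothetical in-memory stand-in)."""
    active: dict          # username -> password; several pairs may be active at once
    allowed_cidrs: list   # IP allow-list checked before any credential is looked at


def basic_header(username: str, password: str) -> str:
    """Build an RFC 7617 Authorization value. The user-id may not contain ':'."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: str):
    """Return (user, password) or None. The scheme name is case-insensitive and
    the password may itself contain ':', so only the first colon separates them."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate_data_plane(creds: VaultCredentials, header: str, client_ip: str):
    """Basic auth plus IP restriction. The IP check runs first, so a leaked
    username/password is unusable from an address outside the allow-list."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(c) for c in creds.allowed_cidrs):
        return (False, "ip not allow-listed")
    parsed = parse_basic(header)
    if parsed is None:
        return (False, "malformed basic credentials")
    user, password = parsed
    # Always run the constant-time compare (against a dummy for unknown users)
    # so response timing does not reveal which usernames exist.
    expected = creds.active.get(user, "\x00" * 32)
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if user in creds.active and matches:
        return (True, user)
    return (False, "bad credentials")


def add_credential(creds: VaultCredentials, username: str, password: str) -> None:
    """Rotation step 1: the new pair is valid alongside the old one."""
    creds.active[username] = password


def revoke_credential(creds: VaultCredentials, username: str) -> None:
    """Rotation step 2, after every client has moved to the new pair."""
    creds.active.pop(username, None)


@dataclass
class BearerTokenStore:
    """Control-plane tokens (hypothetical): token -> (principal, expiry epoch seconds)."""
    tokens: dict


_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")  # RFC 6750 b64token syntax


def parse_bearer(header: str):
    """Return the token from an RFC 6750 'Bearer <b64token>' header, or None."""
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not _B64TOKEN.fullmatch(token):
        return None
    return token


def authenticate_control_plane(store: BearerTokenStore, header: str, now: float = None):
    """Resolve a bearer token to its principal, rejecting unknown or expired tokens."""
    now = time.time() if now is None else now
    token = parse_bearer(header)
    if token is None:
        return (False, "malformed bearer token")
    for stored, (principal, expires_at) in store.tokens.items():
        if hmac.compare_digest(stored.encode("ascii"), token.encode("ascii")):
            if expires_at <= now:
                return (False, "token expired")
            return (True, principal)
    return (False, "unknown token")
```

Two design points carry over to real deployments: the allow-list is evaluated before the credential, so a stolen Basic pair from an unlisted network never reaches the password compare, and rotation is just `add_credential` followed later by `revoke_credential`, which is why several pairs are active at once. A production OAuth 2.0 resource server would validate bearer tokens against the issuer (signature, audience, expiry) rather than an in-memory table; the table here only stands in for that lookup.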
Public / Private Key Authentication
SFTP and ISO8583 Routes additionally support optional key based authentication: SSH public key authentication as described in RFC 4252 for SFTP, and TLS client certificate authentication for ISO8583 (originally specified in RFC 2246 for TLS 1.0; the TLS 1.2 equivalent is RFC 5246). Certificate based authentication uses standard PEM encoded certificates.
mTLS Authentication
mTLS authentication can be used on the Data Plane Proxies for both inbound and outbound traffic. More information is available in the Mutual TLS Certificates documentation.
VPN Connections
Private connections can be configured via a VPN, AWS PrivateLink, or similar technology (including hosted, managed VPN appliances) on demand. More information is available in our Connectivity documentation.
Data Plane Encryption, Authentication, and Authorization
Custom authentication mechanisms, payload level encryption, secure message authentication, and other cryptographic operations can be codified directly into the VGS data plane's proxies using a variety of pre-built Larky language extensions. These run in our secure compute environment so that keys are securely managed on your behalf. Contact your VGS solutions engineer to learn more about these patterns and to get assistance.