What does Vault use to determine whether a client is who they claim to be?

Vault uses authentication methods to determine whether a client is who they claim to be because this component is specifically designed to verify the identity of users or applications that are trying to access resources. Various authentication methods can be configured in Vault, such as username and password, GitHub OAuth, LDAP, and many others. Each method has its own mechanism for validating credentials, ensuring that only legitimate clients are granted access.

Authentication is the first step in securing interactions with Vault. Once a client successfully authenticates, it receives a token that can be used for subsequent requests. This process effectively ties identity verification directly to the various methods chosen, allowing Vault to maintain a secure and controlled environment.

In contrast, secrets management refers to how Vault handles sensitive data and is not directly involved in client authentication. Security tokens are issued post-authentication and serve to identify authenticated sessions, but they do not participate in the validation process on their own. Access controls govern what actions authenticated clients can perform, once their identity is established, but they do not play a role in determining client identity initially. This differentiation underscores the critical role that authentication methods play in the overall security framework of Vault.