diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb
index 6c73276..40d654a 100644
--- a/app/lib/clients/vault.rb
+++ b/app/lib/clients/vault.rb
@@ -26,4 +26,6 @@ def enable_engine(mount, type)
 
   require_relative "vault/key_value"
   require_relative "vault/certificate"
+  require_relative "vault/entity"
+  require_relative "vault/entity_alias"
 end
diff --git a/app/lib/clients/vault/entity.rb b/app/lib/clients/vault/entity.rb
new file mode 100644
index 0000000..2f894d3
--- /dev/null
+++ b/app/lib/clients/vault/entity.rb
@@ -0,0 +1,19 @@
+module Clients
+  class Vault
+    class << self
+      def put_entity(name, policies)
+        client.logical.write("identity/entity",
+                             name: name,
+                             policies: policies)
+      end
+
+      def read_entity(name)
+        client.logical.read("identity/entity/name/#{name}")
+      end
+
+      def delete_entity(name)
+        client.logical.delete("identity/entity/name/#{name}")
+      end
+    end
+  end
+end
diff --git a/app/lib/clients/vault/entity_alias.rb b/app/lib/clients/vault/entity_alias.rb
new file mode 100644
index 0000000..010a3a4
--- /dev/null
+++ b/app/lib/clients/vault/entity_alias.rb
@@ -0,0 +1,42 @@
+module Clients
+  class Vault
+    class << self
+      def put_entity_alias(entity_name, alias_name, auth_method)
+        e = read_entity(entity_name)
+        if e.nil?
+          raise "no such entity #{entity_name}"
+        end
+        canonical_id = e.data[:id]
+        auth_sym = "#{auth_method}/".to_sym
+        accessor = client.logical.read("/sys/auth").data[auth_sym][:accessor]
+        client.logical.write("identity/entity-alias",
+                             name: alias_name,
+                             canonical_id: canonical_id,
+                             mount_accessor: accessor)
+      end
+
+      def read_entity_alias_id(entity_name, alias_name)
+        e = read_entity(entity_name)
+        if e.nil?
+          raise "no such entity #{entity_name}"
+        end
+        aliases = e.data[:aliases]
+        a = aliases.find { |a| a[:name] == alias_name }
+        if a.nil?
+          raise "no such alias #{alias_name}"
+        end
+        a[:id]
+      end
+
+      def read_entity_alias(entity_name, alias_name)
+        id = read_entity_alias_id(entity_name, alias_name)
+        client.logical.read("identity/entity-alias/id/#{id}")
+      end
+
+      def delete_entity_alias(entity_name, alias_name)
+        id = read_entity_alias_id(entity_name, alias_name)
+        client.logical.delete("identity/entity-alias/id/#{id}")
+      end
+    end
+  end
+end
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
index 23f194a..4017556 100644
--- a/test/lib/clients/vault_test.rb
+++ b/test/lib/clients/vault_test.rb
@@ -3,12 +3,17 @@
 class VaultTest < ActiveSupport::TestCase
   attr_reader :intermediate_ca_mount
   attr_reader :root_ca_mount
-
+  attr_reader :policies
+  attr_reader :entity_name
+  attr_reader :alias_name
   setup do
     @client = Clients::Vault
     @root_ca_mount = SecureRandom.hex(4)
     @intermediate_ca_mount = SecureRandom.hex(4)
-  end
+    @policies = SecureRandom.hex(4)
+    @entity_name = SecureRandom.hex(4)
+    @alias_name = SecureRandom.hex(4)
+ end
 
   teardown do
     vault_client.sys.unmount(root_ca_mount)
@@ -48,6 +53,47 @@ class VaultTest < ActiveSupport::TestCase
     end
   end
 
+  test "#entity" do
+    entity =  @client.read_entity(@entity_name)
+    assert_nil entity
+
+    @client.put_entity(@entity_name, @policies)
+    entity =  @client.read_entity(@entity_name)
+    assert_equal @policies, entity.data[:policies][0]
+
+    @client.delete_entity(@entity_name)
+    entity =  @client.read_entity(@entity_name)
+    assert_nil entity
+  end
+
+  test "#entity_alias" do
+    # confirm no entity yet
+    err = assert_raises RuntimeError do
+      @client.read_entity_alias(@entity_name, @alias_name)
+    end
+    assert_match /no such entity/, err.message
+
+    # confirm no alias yet
+    @client.put_entity(@entity_name, @policies)
+    err = assert_raises RuntimeError do
+      @client.read_entity_alias(@entity_name, @alias_name)
+    end
+    assert_match /no such alias/, err.message
+
+    # create alias
+    auth_method = "token"
+    @client.put_entity_alias(@entity_name, @alias_name, auth_method)
+    entity_alias =  @client.read_entity_alias(@entity_name, @alias_name)
+    assert_equal auth_method, entity_alias.data[:mount_type]
+
+    # confirm deleted alias
+    assert_equal true, @client.delete_entity_alias(@entity_name, @alias_name)
+    err = assert_raises RuntimeError do
+      @client.delete_entity_alias(@entity_name, @alias_name)
+    end
+    assert_match /no such alias/, err.message
+  end
+
   private
 
   def vault_client