open-vault/website/source/api/secret/azure/index.html.md

238 lines
6.8 KiB
Markdown
Raw Normal View History

2018-08-16 19:10:56 +00:00
---
layout: "api"
page_title: "Azure - Secrets Engines - HTTP API"
sidebar_title: "Azure"
sidebar_current: "api-http-secret-azure"
description: |-
This is the API documentation for the Vault Azure secrets engine.
---
# Azure Secrets Engine (API)

This is the API documentation for the Vault Azure
secrets engine. For general information about the usage and operation of
the Azure secrets engine, please see the main [Azure secrets documentation][docs].

This documentation assumes the Azure secrets engine is enabled at the `/azure` path
in Vault. Since it is possible to mount secrets engines at any path, please
update your API calls accordingly.

## Configure Access

Configures the credentials required for the plugin to perform API calls
to Azure. These credentials will be used to query roles and create/delete
service principals. Environment variables will override any parameters set in the config.

| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `POST` | `/azure/config` | `204 (empty body)` |

### Parameters

- `subscription_id` (`string: <required>`) - The subscription id for the Azure Active Directory.
  This value can also be provided with the `AZURE_SUBSCRIPTION_ID` environment variable.
- `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
  This value can also be provided with the `AZURE_TENANT_ID` environment variable.
- `client_id` (`string: ""`) - The OAuth2 client id to connect to Azure. This value can also be provided
  with the `AZURE_CLIENT_ID` environment variable. See [authentication](#Authentication) for more details.
- `client_secret` (`string: ""`) - The OAuth2 client secret to connect to Azure. This value can also be
  provided with the `AZURE_CLIENT_SECRET` environment variable. See [authentication](#Authentication) for more details.
- `environment` (`string: ""`) - The Azure environment. This value can also be provided with the `AZURE_ENVIRONMENT`
  environment variable. If not specified, Vault will use Azure Public Cloud.

### Sample Payload
```json
{
"subscription_id": "94ca80...",
"tenant_id": "d0ac7e...",
"client_id": "e607c4...",
"client_secret": "9a6346...",
"environment": "AzureGermanCloud"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/azure/config
```
## Read Config

Return the stored configuration, omitting `client_secret`.

| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `GET` | `/azure/config` | `200 application/json` |

### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
https://127.0.0.1:8200/v1/azure/config
```
### Sample Response
```json
{
"data": {
"subscription_id": "94ca80...",
"tenant_id": "d0ac7e...",
"client_id": "e607c4...",
"environment": "AzureGermanCloud"
},
...
}
```
## Delete Config

Deletes the stored Azure configuration and credentials.

| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/azure/config` | `204 (empty body)` |

### Sample Request

```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://127.0.0.1:8200/v1/azure/config
```

## Create/Update Role

Create or update a Vault role. Either `application_object_id` or
`azure_roles` must be provided, and these resources must exist for this
call to succeed. See the Azure secrets [roles docs][roles] for more
information about roles.

| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `POST` | `/azure/roles/:name` | `204 (empty body)` |

### Parameters

- `azure_roles` (`string: ""`) - List of Azure roles to be assigned to the generated service
  principal. The array must be in JSON format, properly escaped as a string. See [roles docs][roles]
  for details on role definition.
- `application_object_id` (`string: ""`) - Application Object ID for an existing service principal that will
  be used instead of creating dynamic service principals. If present, `azure_roles` will be ignored. See
  [roles docs][roles] for details on role definition.
- `ttl` (`string: ""`) - Specifies the default TTL for service principals generated using this role.
  Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
- `max_ttl` (`string: ""`) - Specifies the maximum TTL for service principals generated using this role. Accepts time
  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.

### Sample Payload
```json
{
  "azure_roles": "[
    {
      \"role_name\": \"Contributor\",
      \"scope\": \"/subscriptions/<uuid>/resourceGroup/Website\"
    },
    {
      \"role_id\": \"/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>\",
      \"scope\": \"/subscriptions/<uuid>\"
    }
  ]",
  "ttl": 3600,
  "max_ttl": "24h"
}
```

### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/azure/roles/my-role
```
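The `azure_roles` parameter is the part of this endpoint that is most often sent wrong: it is a JSON array that must itself be escaped into a JSON string, exactly as the backslashes in the sample payload show. The following is an added example (not code from the Vault project or its documentation) that builds that body with the standard library, decodes it again to show the double parsing, and sends requests through a small client whose transport is injectable so the logic can be exercised without a live Vault. `VAULT_ADDR`, the `s.example` token and the fake transport are placeholders constructed for the example.

```python
"""Build and send requests for the Vault Azure secrets engine role endpoints.

Added example, not part of the Vault documentation. Standard library only.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# The fallback address matches the page's curl samples; a deployed client
# would take it from VAULT_ADDR like the Vault CLI does.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")

# A transport takes (method, url, headers, body bytes or None) and returns the
# raw response body. Injecting it lets the request logic run offline in tests.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]


def build_role_payload(azure_roles: List[Dict[str, str]],
                       ttl: Optional[Any] = None,
                       max_ttl: Optional[Any] = None) -> str:
    """Return the JSON body for POST /azure/roles/:name.

    The engine expects `azure_roles` as a JSON array escaped into a string, so
    the array is serialized on its own first and then embedded as a plain string
    value; the outer json.dumps adds the backslash escapes seen in the page's
    sample payload.
    """
    for role in azure_roles:
        if "scope" not in role:
            raise ValueError("each Azure role needs a scope")
        if "role_name" not in role and "role_id" not in role:
            raise ValueError("each Azure role needs a role_name or a role_id")
    body: Dict[str, Any] = {"azure_roles": json.dumps(azure_roles)}
    if ttl is not None:
        body["ttl"] = ttl
    if max_ttl is not None:
        body["max_ttl"] = max_ttl
    return json.dumps(body)


def decode_role_payload(body: str) -> Dict[str, Any]:
    """Inverse of build_role_payload: the inner string is parsed a second time."""
    outer = json.loads(body)
    outer["azure_roles"] = json.loads(outer["azure_roles"])
    return outer


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     data: Optional[bytes]) -> bytes:
    """Real transport: one request with the standard library."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def vault_request(method: str, path: str, token: str, body: Optional[str] = None,
                  transport: Transport = urllib_transport,
                  addr: str = VAULT_ADDR) -> Optional[Dict[str, Any]]:
    """Call one Vault API path (e.g. "azure/roles/my-role") and decode the reply.

    LIST is not a standard HTTP verb, but urllib passes the method string
    through unchanged, which is what `/azure/roles` expects. A 204 reply has
    no body and yields None.
    """
    headers = {"X-Vault-Token": token}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = body.encode("utf-8")
    raw = transport(method, f"{addr}/v1/{path.lstrip('/')}", headers, data)
    return json.loads(raw) if raw else None


if __name__ == "__main__":
    # Offline demonstration with a recording transport instead of a live Vault.
    def fake_transport(method, url, headers, data):
        print(method, url, data)
        return b'{"data": {"keys": ["my-role-one"]}}' if method == "LIST" else b""

    payload = build_role_payload(
        [{"role_name": "Contributor",
          "scope": "/subscriptions/<uuid>/resourceGroup/Website"}],
        ttl=3600, max_ttl="24h")
    vault_request("POST", "azure/roles/my-role", "s.example", payload,
                  transport=fake_transport)
    print(vault_request("LIST", "azure/roles", "s.example", transport=fake_transport))
```

Run it as a script to see the escaped body and the two requests it would send; swap `fake_transport` for the default `urllib_transport` and a real token to talk to a Vault server. The validation in `build_role_payload` only checks the shape the page describes (a scope plus a `role_name` or `role_id`); whether the Azure role and scope actually exist is checked by Vault at request time, as the endpoint description states.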
## List Roles

Lists all of the roles that are registered with the plugin.

| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `LIST` | `/azure/roles` | `200 application/json` |

### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://127.0.0.1:8200/v1/azure/roles
```
### Sample Response
```json
{
"data": {
"keys": [
"my-role-one",
"my-role-two"
]
}
}
```
## Generate Credentials

This endpoint generates a new service principal based on the named role.

| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `GET` | `/azure/creds/:name` | `200 application/json` |

### Parameters

- `name` (`string: <required>`) - Specifies the name of the role to create credentials against.

### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://127.0.0.1:8200/v1/azure/creds/my-role
```
### Sample Response
```json
{
"data": {
"client_id": "408bf248-dd4e-4be5-919a-7f6207a307ab",
"client_secret": "ad06228a-2db9-4e0a-8a5d-e047c7f32594",
...
}
}
```
## Revoking/Renewing Secrets

See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
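The credentials returned by `/azure/creds/:name` are leased, so a client has to track the lease, renew it before it expires and revoke it when the service principal is no longer needed. The following is an added example (not code from the Vault project or its documentation) that parses the credentials response and produces the renew and revoke requests for the `sys/leases` endpoints linked above. It assumes the standard Vault secret-response fields `lease_id`, `lease_duration` (seconds) and `renewable`, which the sample response on this page elides with `...`; the lease id and the sample response itself are constructed placeholders.

```python
"""Lease handling for credentials from GET /azure/creds/:name.

Added example, not part of the Vault documentation.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict

# Constructed sample: the page's "Generate Credentials" response with the lease
# fields that the page elides ("...") filled in with placeholder values.
SAMPLE_CREDS_RESPONSE = json.loads("""
{
  "lease_id": "azure/creds/my-role/EXAMPLE-LEASE-ID",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "client_id": "408bf248-dd4e-4be5-919a-7f6207a307ab",
    "client_secret": "ad06228a-2db9-4e0a-8a5d-e047c7f32594"
  }
}
""")


@dataclass(frozen=True)
class CredentialLease:
    """A leased service principal credential and the lease that governs it."""
    client_id: str
    client_secret: str
    lease_id: str
    lease_duration: int  # seconds
    renewable: bool

    def renew_after(self, fraction: float = 2 / 3) -> int:
        """Seconds after issuance at which to renew, leaving a margin before expiry."""
        return int(self.lease_duration * fraction)

    def renew_request(self, increment: int = 3600) -> Dict[str, Any]:
        """Method, path and body for the sys/leases renew endpoint (increment in seconds)."""
        if not self.renewable:
            raise ValueError("lease is not renewable; request fresh credentials instead")
        return {"method": "PUT", "path": "sys/leases/renew",
                "body": {"lease_id": self.lease_id, "increment": increment}}

    def revoke_request(self) -> Dict[str, Any]:
        """Method, path and body for the sys/leases revoke endpoint; Vault then
        cleans up the service principal it created for this lease."""
        return {"method": "PUT", "path": "sys/leases/revoke",
                "body": {"lease_id": self.lease_id}}

    def loggable(self) -> Dict[str, Any]:
        """Fields safe to write to logs: the client_secret is deliberately absent."""
        return {"client_id": self.client_id, "lease_id": self.lease_id,
                "lease_duration": self.lease_duration, "renewable": self.renewable}


def parse_creds_response(resp: Dict[str, Any]) -> CredentialLease:
    """Turn a decoded GET /azure/creds/:name reply into a CredentialLease.

    Missing lease metadata is an error rather than a default, so a caller never
    silently holds credentials it cannot track, renew or revoke.
    """
    missing = [k for k in ("lease_id", "lease_duration", "renewable") if k not in resp]
    if missing:
        raise ValueError(f"response lacks lease fields: {missing}")
    data = resp["data"]
    return CredentialLease(client_id=data["client_id"],
                           client_secret=data["client_secret"],
                           lease_id=resp["lease_id"],
                           lease_duration=int(resp["lease_duration"]),
                           renewable=bool(resp["renewable"]))


if __name__ == "__main__":
    lease = parse_creds_response(SAMPLE_CREDS_RESPONSE)
    print("issued:", lease.loggable())
    print("renew at +%ds with" % lease.renew_after(), lease.renew_request())
    print("revoke with", lease.revoke_request())
```

The two request descriptions are plain dictionaries so they can be handed to whatever HTTP client the application already uses; the `lease_id` in the body is the one returned alongside the credentials, and revoking it is what causes Vault to remove the service principal in Azure, which is why the lease id should be kept with the credential rather than discarded after parsing.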
[docs]: /docs/secrets/azure/index.html
[roles]: /docs/secrets/azure/index.html#roles