2018-08-16 19:10:56 +00:00
|
|
|
|
---
|
|
|
|
|
layout: "api"
|
|
|
|
|
page_title: "Azure - Secrets Engines - HTTP API"
|
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
|
|
|
|
sidebar_title: "Azure"
|
|
|
|
|
sidebar_current: "api-http-secret-azure"
|
2018-08-16 19:10:56 +00:00
|
|
|
|
description: |-
|
|
|
|
|
This is the API documentation for the Vault Azure secrets engine.
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# Azure Secrets Engine (API)
|
|
|
|
|
|
|
|
|
|
This is the API documentation for the Vault Azure
|
|
|
|
|
secrets engine. For general information about the usage and operation of
|
|
|
|
|
the Azure secrets engine, please see the main [Azure secrets documentation][docs].
|
|
|
|
|
|
|
|
|
|
This documentation assumes the Azure secrets engine is enabled at the `/azure` path
|
|
|
|
|
in Vault. Since it is possible to mount secrets engines at any path, please
|
|
|
|
|
update your API calls accordingly.
|
|
|
|
|
|
|
|
|
|
## Configure Access
|
|
|
|
|
|
|
|
|
|
Configures the credentials required for the plugin to perform API calls
|
|
|
|
|
to Azure. These credentials will be used to query roles and create/delete
|
|
|
|
|
service principals. Environment variables will override any parameters set in the config.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :------------------------| :------------------------ |
|
|
|
|
|
| `POST` | `/azure/config` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
- `subscription_id` (`string: <required>`) - The subscription id for the Azure Active Directory.
|
|
|
|
|
This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.
|
|
|
|
|
- `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
|
|
|
|
|
This value can also be provided with the AZURE_TENANT_ID environment variable.
|
|
|
|
|
- `client_id` (`string:""`) - The OAuth2 client id to connect to Azure. This value can also be provided
|
|
|
|
|
with the AZURE_CLIENT_ID environment variable. See [authentication](#Authentication) for more details.
|
|
|
|
|
- `client_secret` (`string:""`) - The OAuth2 client secret to connect to Azure. This value can also be
|
|
|
|
|
provided with the AZURE_CLIENT_ID environment variable. See [authentication](#Authentication) for more details.
|
|
|
|
|
- `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
|
|
|
|
|
environment variable. If not specified, Vault will use Azure Public Cloud.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"subscription_id": "94ca80...",
|
|
|
|
|
"tenant_id": "d0ac7e...",
|
|
|
|
|
"client_id": "e607c4...",
|
|
|
|
|
"client_secret": "9a6346...",
|
|
|
|
|
"environment": "AzureGermanCloud"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/config
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Config
|
|
|
|
|
|
|
|
|
|
Return the stored configuration, omitting `client_secret`.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :------------------------| :------------------------ |
|
|
|
|
|
| `GET` | `/azure/config` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request GET \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/config
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"subscription_id": "94ca80...",
|
|
|
|
|
"tenant_id": "d0ac7e...",
|
|
|
|
|
"client_id": "e607c4...",
|
|
|
|
|
"environment": "AzureGermanCloud"
|
|
|
|
|
},
|
|
|
|
|
...
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Delete Config
|
|
|
|
|
|
|
|
|
|
Deletes the stored Azure configuration and credentials.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `DELETE` | `/auth/azure/config` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
|
|
|
|
https://127.0.0.1:8200/v1/auth/azure/config
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Create/Update Role
|
|
|
|
|
|
2018-10-19 20:48:15 +00:00
|
|
|
|
Create or update a Vault role. Either `application_object_id` or
|
|
|
|
|
`azure_roles` must be provided, and these resources must exist for this
|
|
|
|
|
call to succeed. See the Azure secrets [roles docs][roles] for more
|
|
|
|
|
information about roles.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :------------------------| :------------------------ |
|
|
|
|
|
| `POST` | `/azure/roles/:name` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2018-10-19 20:48:15 +00:00
|
|
|
|
- `azure_roles` (`string: ""`) - List of Azure roles to be assigned to the generated service
|
2018-08-28 02:42:02 +00:00
|
|
|
|
principal. The array must be in JSON format, properly escaped as a string. See [roles docs][roles]
|
|
|
|
|
for details on role definition.
|
2018-10-19 20:48:15 +00:00
|
|
|
|
- `application_object_id` (`string: ""`) - Application Object ID for an existing service principal that will
|
|
|
|
|
be used instead of creating dynamic service principals. If present, `azure_roles` will be ignored. See
|
|
|
|
|
[roles docs][roles] for details on role definition.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
|
|
|
|
|
Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
|
|
|
|
|
- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
|
|
|
|
|
suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
2018-08-28 02:42:02 +00:00
|
|
|
|
"azure_roles": "[
|
2018-08-16 19:10:56 +00:00
|
|
|
|
{
|
2018-08-28 02:42:02 +00:00
|
|
|
|
\"role_name\": \"Contributor\",
|
|
|
|
|
\"scope\": \"/subscriptions/<uuid>/resourceGroup/Website\"
|
2018-08-16 19:10:56 +00:00
|
|
|
|
},
|
|
|
|
|
{
|
2018-08-28 02:42:02 +00:00
|
|
|
|
\"role_id\": \"/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>\",
|
|
|
|
|
\"scope\": \"/subscriptions/<uuid>\"
|
2018-08-16 19:10:56 +00:00
|
|
|
|
}
|
2018-08-28 02:42:02 +00:00
|
|
|
|
]",
|
2018-08-16 19:10:56 +00:00
|
|
|
|
"ttl": 3600,
|
|
|
|
|
"max_ttl": "24h"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/roles/my-role
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## List Roles
|
|
|
|
|
|
|
|
|
|
Lists all of the roles that are registered with the plugin.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :------------------------| :------------------------ |
|
|
|
|
|
| `LIST` | `/azure/roles` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request LIST \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/roles
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"keys": [
|
|
|
|
|
"my-role-one",
|
|
|
|
|
"my-role-two"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Credentials
|
|
|
|
|
|
|
|
|
|
This endpoint generates a new service principal based on the named role.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :------------------------| :------------------------ |
|
|
|
|
|
| `GET` | `/azure/creds/:name` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` (`string: <required>`) - Specifies the name of the role to create credentials against.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
http://127.0.0.1:8200/v1/azure/creds/my-role
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"client_id": "408bf248-dd4e-4be5-919a-7f6207a307ab",
|
|
|
|
|
"client_secret": "ad06228a-2db9-4e0a-8a5d-e047c7f32594",
|
|
|
|
|
...
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Revoking/Renewing Secrets
|
|
|
|
|
|
|
|
|
|
See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[docs]: /docs/secrets/azure/index.html
|
|
|
|
|
[roles]: /docs/secrets/azure/index.html#roles
|