2018-08-16 19:10:56 +00:00
---
layout: "docs"
page_title: "Azure - Secrets Engine"
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "Azure"
2018-08-16 19:10:56 +00:00
sidebar_current: "docs-secrets-azure"
description: |-
The Azure Vault secrets engine dynamically generates Azure
service principals and role assignments.
---
# Azure Secrets Engine
The Azure secrets engine dynamically generates Azure service principals and role
assignments. Vault roles can be mapped to one or more Azure roles, providing a
simple, flexible way to manage the permissions granted to generated service
principals.
Each service principal is associated with a Vault lease. When the lease expires
(either during normal revocation or through early revocation), the service
principal is automatically deleted.
2018-10-19 20:48:15 +00:00
If an existing service principal is specified as part of the role configuration,
a new password will be dynamically generated instead of a new service principal.
The password will be deleted when the lease is revoked.
2018-08-16 19:10:56 +00:00
## Setup
Most secrets engines must be configured in advance before they can perform their
functions. These steps are usually completed by an operator or configuration
management tool.
1. Enable the Azure secrets engine:
```text
$ vault secrets enable azure
Success! Enabled the azure secrets engine at: azure/
```
By default, the secrets engine will mount at the name of the engine. To
enable the secrets engine at a different path, use the `-path` argument.
1. Configure the secrets engine with account credentials:
```text
$ vault write azure/config \
subscription_id=$AZURE_SUBSCRIPTION_ID \
tenant_id=$AZURE_TENANT_ID \
client_id=$AZURE_CLIENT_ID \
2018-09-06 22:31:19 +00:00
client_secret=$AZURE_CLIENT_SECRET
2018-08-16 19:10:56 +00:00
Success! Data written to: azure/config
```
If you are running Vault inside an Azure VM with MSI enabled, `client_id` and
`client_secret` may be omitted. For more information on authentication, see the [authentication ](#authentication ) section below.
2018-10-19 20:48:15 +00:00
1. Configure a role. A role may be set up with either an existing service principal, or
a set of Azure roles that will be assigned to a dynamically created service principal.
To configure a role called "my-role" with an existing service principal:
```text
$ vault write azure/roles/my-role application_object_id=< existing_app_obj_id > ttl=1h
```
2018-08-16 19:10:56 +00:00
2019-04-02 15:09:07 +00:00
Alternatively, to configure the role to create a new service principal with Azure roles:
2018-08-16 19:10:56 +00:00
```text
2018-09-06 22:31:19 +00:00
$ vault write azure/roles/my-role ttl=1h azure_roles=-< < EOF
2018-08-16 19:10:56 +00:00
[
{
"role_name": "Contributor",
2018-09-07 23:56:02 +00:00
"scope": "/subscriptions/< uuid > /resourceGroups/Website"
2018-08-16 19:10:56 +00:00
}
]
EOF
```
2018-10-19 20:48:15 +00:00
Roles may also have their own TTL configuration that is separate from the mount's
TTL. For more information on roles see the [roles ](#roles ) section below.
2018-08-16 19:10:56 +00:00
## Usage
After the secrets engine is configured and a user/machine has a Vault token with
2018-10-19 20:48:15 +00:00
the proper permissions, it can generate credentials. The usage pattern is the same
whether an existing or dynamic service principal is used.
2018-08-16 19:10:56 +00:00
To generate a credential using the "my-role" role:
```text
$ vault read azure/creds/my-role
Key Value
--- -----
lease_id azure/creds/sp_role/1afd0969-ad23-73e2-f974-962f7ac1c2b4
lease_duration 60m
lease_renewable true
client_id 408bf248-dd4e-4be5-919a-7f6207a307ab
client_secret ad06228a-2db9-4e0a-8a5d-e047c7f32594
```
2018-10-19 20:48:15 +00:00
This endpoint generates a renewable set of credentials. The application can login
using the `client_id` /`client_secret` and will have access provided by configured service
principal or the Azure roles set in the "my-role" configuration.
2018-08-16 19:10:56 +00:00
## Roles
2018-10-19 20:48:15 +00:00
Vault roles let you configure either an existing service principal or a set of Azure roles, along with
role-specific TTL parameters. If an existing service principal is not provided, the configured Azure
roles will be assigned to a newly created service principal. The Vault role may optionally specify
role-specific `ttl` and/or `max_ttl` values. When the lease is created, the more restrictive of the
mount or role TTL value will be used.
### Application Object IDs
If an existing service principal is to be used, the Application Object ID must be set on the Vault role.
This ID can be found by inspecting the desired Application with the `az` CLI tool, or via the Azure Portal. Note
that the Application **Object** ID must be provided, not the Application ID.
2018-08-16 19:10:56 +00:00
### Azure Roles
2018-10-19 20:48:15 +00:00
If dynamic service principals are used, Azure roles must be configured on the Vault role.
2018-08-16 19:10:56 +00:00
Azure roles are provided as a JSON list, with each element describing an Azure role and scope to be assigned.
Azure roles may be specified using the `role_name` parameter ("Owner"), or `role_id`
("/subscriptions/.../roleDefinitions/...").
`role_id` is the definitive ID that's used during Vault operation; `role_name` is a convenience during
role management operations. All roles *must exist* when the configuration is written or the operation will fail. The role lookup priority is:
1. If `role_id` is provided, it validated and the corresponding `role_name` updated.
1. If only `role_name` is provided, a case-insensitive search-by-name is made, succeeding
only if *exactly one* matching role is found. The `role_id` field will updated with the matching role ID.
The `scope` must be provided for every role assignment.
Example of role configuration:
```text
2018-09-06 22:31:19 +00:00
$ vault write azure/roles/my-role ttl=1h max_ttl=24h azure_roles=-< < EOF
2018-08-16 19:10:56 +00:00
[
{
"role_name": "Contributor",
2018-09-07 23:56:02 +00:00
"scope": "/subscriptions/< uuid > /resourceGroups/Website"
2018-08-16 19:10:56 +00:00
},
{
"role_id": "/subscriptions/< uuid > /providers/Microsoft.Authorization/roleDefinitions/< uuid > ",
"scope": "/subscriptions/< uuid > "
},
{
"role_name": "This won't matter as it will be overwritten",
"role_id": "/subscriptions/< uuid > /providers/Microsoft.Authorization/roleDefinitions/< uuid > ",
2018-09-07 23:56:02 +00:00
"scope": "/subscriptions/< uuid > /resourceGroups/Database"
2018-08-16 19:10:56 +00:00
}
]
EOF
```
## Authentication
The Azure secrets backend must have sufficient permissions to read Azure role information and manage
service principals. The authentication parameters can be set in the backend configuration or as environment variables. Environment variables will take precedence.
The individual parameters are described in the [configuration][config] section of the API docs.
If the client ID or secret are not present and Vault is running on and Azure VM, Vault will attempt to use
[Managed Service Identity (MSI) ](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview ) to access Azure. Note that when MSI is used, tenant and subscription IDs must still be explicitly provided in the configuration or environment variables.
The following Azure roles and Azure Active Directory (AAD) permissions are required, regardless of which authentication method is used:
- "Owner" role for the subscription scope
- "Read and write all applications" permission in AAD
These permissions can be configured through the Azure Portal, CLI tool, or PowerShell.
2019-05-31 02:25:30 +00:00
In your Azure subscription, your account must have `Microsoft.Authorization/*/Write`
access to assign an AD app to a role. This action is granted through the [Owner ](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner ) role or
[User Access Administrator ](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator ) role. If your account is assigned to the Contributor role, you
don't have adequate permission. You will receive an error when attempting to assign the service
principal to a role.
2018-08-16 19:10:56 +00:00
2018-10-19 20:48:15 +00:00
## Choosing between dynamic or existing service principals
Dynamic service principals are preferred if the desired Azure resources can be provided
via the RBAC system and Azure roles defined in the Vault role. This form of credential is
completely decoupled from any other clients, is not subject to permission changes after
issuance, and offers the best audit granularity.
Access to some Azure services cannot be provided with the RBAC system, however. In these
cases, an existing service principal can be set up with the necessary access, and Vault
can create new passwords for this service principal. Any changes to the service principal
permissions affect all clients. Furthermore, Azure does not provide any logging with
regard to _which_ credential was used for an operation.
2018-10-19 22:43:45 +00:00
An important limitation when using an existing service principal is that Azure limits the
2018-10-19 20:48:15 +00:00
number of passwords for a single Application. This limit is based on Application object
size and isn't firmly specified, but in practice hundreds of passwords can be issued per
Application. An error will be returned if the object size is reached. This limit can be
managed by reducing the role TTL, or by creating another Vault role against a different
Azure service principal configured with the same permissions.
2018-08-16 19:10:56 +00:00
## Additional Notes
- **If a referenced Azure role doesn't exist, a credential will not be generated.**
Service principals will only be generated if *all* role assignments are successful.
This is important to note if you're using custom Azure role definitions that might be deleted
at some point.
- Azure roles are assigned only once, when the service principal is created. If the
Vault role changes the list of Azure roles, these changes will not be reflected in
any existing service principal, even after token renewal.
- The time required to issue a credential is roughly proportional to the number of
Azure roles that must be assigned. This operation make take some time (10s of seconds
are common, and over a minute has been seen).
- Service principal credential timeouts are not used. Vault will revoke access by
deleting the service principal.
2018-10-19 20:48:15 +00:00
- The Application Name for dynamic service principals will be prefixed with `vault-` . Similarly
the `keyId` of any passwords added to an existing service principal will begin with
`ffffff` . These may be used to search for Vault-created credentials using the `az` tool
or Portal.
2018-08-16 19:10:56 +00:00
## Help & Support
The Azure secrets engine is written as an external Vault plugin and
thus exists outside the main Vault repository. It is automatically bundled with
Vault releases, but the code is managed separately.
Please report issues, add feature requests, and submit contributions to the
[vault-plugin-secrets-azure repo][repo] on GitHub.
## API
The Azure secrets engine has a full HTTP API. Please see the [Azure secrets engine API docs][api]
for more details.
[api]: /api/secret/azure/index.html
[config]: /api/secret/azure/index.html#configure
[repo]: https://github.com/hashicorp/vault-plugin-secrets-azure
