2018-03-22 22:28:42 +00:00
---
layout: "docs"
page_title: "Azure - Auth Methods"
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "Azure"
2018-03-22 22:28:42 +00:00
sidebar_current: "docs-auth-azure"
description: |-
The azure auth method plugin allows automated authentication of Azure Active
Directory.
---
# Azure Auth Method
The `azure` auth method allows authentication against Vault using
Azure Active Directory credentials. It treats Azure as a Trusted Third Party
and expects a [JSON Web Token (JWT) ](https://tools.ietf.org/html/rfc7519 )
signed by Azure Active Directory for the configured tenant.
Currently supports authentication for:
* [Azure Managed Service Identity (MSI) ](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview )
## Prerequisites:
The following documentation assumes that the method has been
[mounted ](/docs/plugin/index.html ) at `auth/azure` .
* A configured [Azure AD application ](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications ) which is used as the resource for generating MSI access tokens.
* Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See [Azure AD Service to Service Client Credentials ](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service )
2018-07-19 14:24:55 +00:00
Required Azure API permissions to be granted to Vault user:
2018-07-19 14:36:09 +00:00
* `Microsoft.Compute/virtualMachines/*/read`
* `Microsoft.Compute/virtualMachineScaleSets/*/read`
2018-07-19 14:24:55 +00:00
2018-04-27 15:47:06 +00:00
If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. MSI must be [enabled ](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm ) on the VMs hosting Vault.
2018-03-22 22:28:42 +00:00
The next sections review how the authN/Z workflows work. If you
have already reviewed these sections, here are some quick links to:
* [Usage ](#usage )
* [API documentation ](/api/auth/azure/index.html ) docs.
## Authentication
### Via the CLI
The default path is `/auth/azure` . If this auth method was enabled at a different
path, specify `auth/my-path/login` instead.
```text
$ vault write auth/azure/login \
role="dev-role" \
jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
subscription_id="12345-..." \
resource_group_name="test-group" \
vm_name="test-vm"
```
2019-01-07 15:03:22 +00:00
The `role` and `jwt` parameters are required. When using bound_service_principal_ids and bound_groups in the token roles, all the information is required in the JWT. When using other bound_* parameters, calls to Azure APIs will be made and subscription id, resource group name, and vm name are all required and can be obtained through instance metadata.
2018-03-22 22:28:42 +00:00
2019-01-30 20:13:39 +00:00
For example:
```text
$ vault write auth/azure/login role="dev-role" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01& resource=https%3A%2F%2Fvault.hashicorp.com%2F' -H Metadata:true | jq -r '.access_token')" \
subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId') \
resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
```
2018-03-22 22:28:42 +00:00
### Via the API
The default endpoint is `auth/azure/login` . If this auth method was enabled
at a different path, use that value instead of `azure` .
```sh
$ curl \
--request POST \
--data '{"role": "dev-role", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
2018-04-27 15:47:06 +00:00
https://127.0.0.1:8200/v1/auth/azure/login
2018-03-22 22:28:42 +00:00
```
The response will contain the token at `auth.client_token` :
```json
{
"auth": {
"client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
"accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
"policies": [
"default",
"dev",
"prod"
],
"lease_duration": 2764800,
"renewable": true
}
}
```
## Configuration
Auth methods must be configured in advance before machines can authenticate.
These steps are usually completed by an operator or configuration management
tool.
### Via the CLI
1. Enable Azure authentication in Vault:
```text
$ vault auth enable azure
```
1. Configure the Azure auth method:
```text
$ vault write auth/azure/config \
tenant_id= 7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \
resource=https://vault.hashicorp.com \
client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \
client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
```
For the complete list of configuration options, please see the API
documentation.
1. Create a role:
```text
$ vault write auth/azure/role/dev-role \
policies="prod,dev" \
bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \
bound_resource_groups=vault
```
Roles are associated with an authentication type/entity and a set of Vault
policies. Roles are configured with constraints specific to the
authentication type, as well as overall constraints and configuration for
the generated auth tokens.
2018-04-27 15:47:06 +00:00
For the complete list of role options, please see the [API documentation ](/api/auth/azure/index.html ).
2018-03-22 22:28:42 +00:00
### Via the API
1. Enable Azure authentication in Vault:
```sh
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data '{"type": "azure"}' \
2018-04-27 15:47:06 +00:00
https://127.0.0.1:8200/v1/sys/auth/azure
2018-03-22 22:28:42 +00:00
```
1. Configure the Azure auth method:
```sh
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data '{"tenant_id": "...", "resource": "..."}' \
2018-04-27 15:47:06 +00:00
https://127.0.0.1:8200/v1/auth/azure/config
2018-03-22 22:28:42 +00:00
```
1. Create a role:
```sh
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data '{"policies": ["dev", "prod"], ...}' \
2018-04-27 15:47:06 +00:00
https://127.0.0.1:8200/v1/auth/azure/role/dev-role
2018-03-22 22:28:42 +00:00
```
### Plugin Setup
~> The following section is only relevant if you decide to enable the azure auth
method as an external plugin. The azure plugin method is integrated into Vault as
a builtin method by default.
Assuming you have saved the binary `vault-plugin-auth-azure` to some folder and
configured the [plugin directory ](/docs/internals/plugins.html#plugin-directory )
for your server at `path/to/plugins` :
1. Enable the plugin in the catalog:
```text
2018-11-14 17:17:12 +00:00
$ vault write sys/plugins/catalog/auth/azure-auth \
2018-03-22 22:28:42 +00:00
command="vault-plugin-auth-azure" \
2018-10-04 16:51:54 +00:00
sha256="..."
2018-03-22 22:28:42 +00:00
```
1. Enable the azure auth method as a plugin:
```text
2018-11-14 17:17:12 +00:00
$ vault auth enable -path=azure azure-auth
2018-03-22 22:28:42 +00:00
```
## API
2018-04-27 15:47:06 +00:00
The Azure Auth Plugin has a full HTTP API. Please see the [API documentation]
2018-03-22 22:28:42 +00:00
(/api/auth/azure/index.html) for more details.
