---
layout: docs
page_title: Azure Key Vault - Key Management - Secrets Engines
description: Azure Key Vault is a supported KMS provider of the Key Management secrets engine.
---

# Azure Key Vault

The Key Management secrets engine supports lifecycle management of keys in named
[Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/) instances.
This is accomplished by configuring a KMS provider resource with the `azurekeyvault`
provider and other provider-specific parameter values.

The following sections describe how to properly configure the secrets engine to enable
the functionality.

## Authentication

The Key Management secrets engine must be configured with credentials that have sufficient
permissions to manage keys in an Azure Key Vault instance. The authentication parameters are
described in the [credentials](/api/secret/key-management/azurekeyvault#credentials) section
of the API documentation. The authentication parameters are resolved in the following order
of precedence:

1. Environment variables
2. [KMS provider credentials](/api/secret/key-management/azurekeyvault#credentials)
3. [Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview)

If the client ID or secret is not provided and Vault is running on an Azure VM, Vault will attempt
to use MSI to access Azure. Note that when MSI is used, the tenant ID must still be explicitly provided
by the configuration or an environment variable.

An Azure Key Vault [access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal)
determines whether a given service principal, namely an application or user group, can perform certain
operations on a Key Vault instance. The service principal associated with the provided credentials must
have an access policy on the Key Vault instance with the following minimum key permissions:

- `create`
- `delete`
- `get`
- `import`
- `update`

## Configuration

The following is an example of how to configure the KMS provider resource using the Vault CLI:

```text
$ vault write keymgmt/kms/example-kms \
    provider="azurekeyvault" \
    key_collection="keyvault-name" \
    credentials=client_id="a0454cd1-e28e-405e-bc50-7477fa8a00b7" \
    credentials=client_secret="eR%HizuCVEpAKgeaUEx" \
    credentials=tenant_id="cd4bf224-d114-4f96-9bbc-b8f45751c43f"
```
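
As an added example (not code from the Vault documentation or the plugin), the following Python encodes the authentication precedence and the minimum access-policy key permissions described above, so a configuration can be checked before it is written to `keymgmt/kms`. The environment variable names are an assumption, since the page does not list them.

```python
import os

# Environment variable names are an assumption: the page says environment variables
# take precedence but does not name them; these are the conventional Azure SDK names.
ENV_VARS = {
    "client_id": "AZURE_CLIENT_ID",
    "client_secret": "AZURE_CLIENT_SECRET",
    "tenant_id": "AZURE_TENANT_ID",
}

# Minimum key permissions the access policy must grant, as listed on the page.
REQUIRED_KEY_PERMISSIONS = frozenset({"create", "delete", "get", "import", "update"})


def resolve_credentials(provider_credentials, env=None, on_azure_vm=False):
    """Apply the stated precedence: environment variables, then the KMS provider's
    credentials map, then MSI. Per-field fallback between the first two sources is
    an assumption; the page only states the order of the sources."""
    env = os.environ if env is None else env
    creds = {}
    for field, var in ENV_VARS.items():
        value = env.get(var) or provider_credentials.get(field)
        if value:
            creds[field] = value

    if "client_id" in creds and "client_secret" in creds:
        if "tenant_id" not in creds:
            raise ValueError("tenant_id is required alongside client_id and client_secret")
        return {"method": "service_principal", **creds}

    # No client ID or secret: fall back to MSI only on an Azure VM, and the
    # tenant ID must still be provided explicitly.
    if on_azure_vm:
        if "tenant_id" not in creds:
            raise ValueError("tenant_id must be set explicitly when MSI is used")
        return {"method": "msi", "tenant_id": creds["tenant_id"]}

    raise ValueError("no client credentials provided and MSI is unavailable")


def missing_key_permissions(granted):
    """Return the required key permissions absent from a policy's key permissions."""
    return sorted(REQUIRED_KEY_PERMISSIONS - {p.lower() for p in granted})


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"client_id": "cfg-client", "client_secret": "cfg-secret", "tenant_id": "cfg-tenant"}
    print(resolve_credentials(sample, env={"AZURE_CLIENT_ID": "env-client"}))
    print(missing_key_permissions(["get", "list", "update"]))
```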

Refer to the Azure Key Vault [API documentation](/api/secret/key-management/azurekeyvault)
for a detailed description of individual configuration parameters.

## Key Transfer Specification

Keys are securely transferred from the secrets engine to Azure Key Vault instances in accordance
with the Azure [Bring Your Own Key](https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification)
specification.

## Key Purpose Compatibility

The following table defines which key [purposes](/api-docs/secret/key-management#purpose) can be used
for each key type supported by GCP Cloud KMS.

| Key Type   | Purpose                                                 |
| ---------- | ------------------------------------------------------- |
| `rsa-2048` | [All purposes](/api-docs/secret/key-management#purpose) |
| `rsa-3072` | [All purposes](/api-docs/secret/key-management#purpose) |
| `rsa-4096` | [All purposes](/api-docs/secret/key-management#purpose) |