2018-08-16 19:10:56 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: api
|
|
|
|
|
page_title: Azure - Secrets Engines - HTTP API
|
|
|
|
|
description: This is the API documentation for the Vault Azure secrets engine.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# Azure Secrets Engine (API)
|
|
|
|
|
|
|
|
|
|
This is the API documentation for the Vault Azure
|
|
|
|
|
secrets engine. For general information about the usage and operation of
|
|
|
|
|
the Azure secrets engine, please see the main [Azure secrets documentation][docs].
|
|
|
|
|
|
|
|
|
|
This documentation assumes the Azure secrets engine is enabled at the `/azure` path
|
|
|
|
|
in Vault. Since it is possible to mount secrets engines at any path, please
|
|
|
|
|
update your API calls accordingly.
|
|
|
|
|
|
|
|
|
|
## Configure Access
|
|
|
|
|
|
|
|
|
|
Configures the credentials required for the plugin to perform API calls
|
|
|
|
|
to Azure. These credentials will be used to query roles and create/delete
|
|
|
|
|
service principals. Environment variables will override any parameters set in the config.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :-------------- |
|
|
|
|
|
| `POST` | `/azure/config` |
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
- `subscription_id` (`string: <required>`) - The subscription id for the Azure Active Directory.
|
|
|
|
|
This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.
|
|
|
|
|
- `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
|
|
|
|
|
This value can also be provided with the AZURE_TENANT_ID environment variable.
|
|
|
|
|
- `client_id` (`string:""`) - The OAuth2 client id to connect to Azure. This value can also be provided
|
2020-03-31 19:21:16 +00:00
|
|
|
|
with the AZURE_CLIENT_ID environment variable. See [authentication](/docs/secrets/azure#authentication) for more details.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
- `client_secret` (`string:""`) - The OAuth2 client secret to connect to Azure. This value can also be
|
2020-08-07 00:11:18 +00:00
|
|
|
|
provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/docs/secrets/azure#authentication) for more details.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
- `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
|
|
|
|
|
environment variable. If not specified, Vault will use Azure Public Cloud.
|
2020-06-18 19:25:59 +00:00
|
|
|
|
- `password_policy` `(string: "")` - Specifies a [password policy](/docs/concepts/password-policies) to
|
|
|
|
|
use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
|
2022-02-17 20:09:36 +00:00
|
|
|
|
- `use_microsoft_graph_api` `(bool: true)` - Indicates whether the secrets engine should use the
|
2022-08-29 19:55:37 +00:00
|
|
|
|
[Microsoft Graph API](https://docs.microsoft.com/en-us/graph/use-the-api).
|
2021-09-29 17:28:13 +00:00
|
|
|
|
|
|
|
|
|
If set to true, the user specified via the `client_id` and `client_secret` will need to have the following permissions
|
2022-01-06 20:32:52 +00:00
|
|
|
|
under the **Microsoft Graph API**:
|
|
|
|
|
|
|
|
|
|
| Permission Name | Type |
|
|
|
|
|
| ----------------------------- | ----------- |
|
|
|
|
|
| Application.Read.All | Application |
|
|
|
|
|
| Application.ReadWrite.All | Application |
|
|
|
|
|
| Application.ReadWrite.OwnedBy | Application |
|
|
|
|
|
| Directory.Read.All | Application |
|
|
|
|
|
| Directory.ReadWrite.All | Application |
|
|
|
|
|
| Group.Read.All | Application |
|
|
|
|
|
| Group.ReadWrite.All | Application |
|
|
|
|
|
| GroupMember.Read.All | Application |
|
|
|
|
|
| GroupMember.ReadWrite.All | Application |
|
|
|
|
|
|
|
|
|
|
| Permission Name | Type |
|
|
|
|
|
| -------------------------- | --------- |
|
|
|
|
|
| Application.Read.All | Delegated |
|
|
|
|
|
| Application.ReadWrite.All | Delegated |
|
|
|
|
|
| Directory.AccessAsUser.All | Delegated |
|
|
|
|
|
| Directory.Read.All | Delegated |
|
|
|
|
|
| Directory.ReadWrite.All | Delegated |
|
|
|
|
|
| Group.Read.All | Delegated |
|
|
|
|
|
| Group.ReadWrite.All | Delegated |
|
|
|
|
|
| GroupMember.Read.All | Delegated |
|
|
|
|
|
| GroupMember.ReadWrite.All | Delegated |
|
|
|
|
|
|
|
|
|
|
Aside from the permissions listed above, setting this to true should be transparent to users.
|
2021-09-29 17:28:13 +00:00
|
|
|
|
|
2021-11-27 17:27:11 +00:00
|
|
|
|
- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
|
2022-06-13 12:51:07 +00:00
|
|
|
|
rotate-root generates a new client secret. Uses [duration format strings](/docs/concepts/duration-format).
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"subscription_id": "94ca80...",
|
|
|
|
|
"tenant_id": "d0ac7e...",
|
|
|
|
|
"client_id": "e607c4...",
|
|
|
|
|
"client_secret": "9a6346...",
|
2020-06-18 19:25:59 +00:00
|
|
|
|
"environment": "AzureGermanCloud",
|
2021-09-29 17:28:13 +00:00
|
|
|
|
"password_policy": "azure_policy",
|
2021-11-05 17:04:25 +00:00
|
|
|
|
"use_microsoft_graph_api": true,
|
|
|
|
|
"root_password_ttl": "48d"
|
2018-08-16 19:10:56 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
<Tabs>
|
|
|
|
|
<Tab heading="cURL">
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-08-16 19:10:56 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/config
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
<Tab heading="CLI">
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ vault write azure/config \
|
|
|
|
|
subscription_id="94ca80..." \
|
|
|
|
|
tenant_id="d0ac7e...",
|
|
|
|
|
client_id="e607c4...",
|
|
|
|
|
client_secret="9a6346...",
|
|
|
|
|
environment="AzureGermanCloud",
|
|
|
|
|
password_policy="azure_policy"
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
</Tabs>
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
## Read Config
|
|
|
|
|
|
|
|
|
|
Return the stored configuration, omitting `client_secret`.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :-------------- |
|
|
|
|
|
| `GET` | `/azure/config` |
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
<Tabs>
|
|
|
|
|
<Tab heading="cURL">
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-08-16 19:10:56 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request GET \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/config
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
<Tab heading="CLI">
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ vault read azure/config
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
</Tabs>
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"subscription_id": "94ca80...",
|
|
|
|
|
"tenant_id": "d0ac7e...",
|
|
|
|
|
"client_id": "e607c4...",
|
|
|
|
|
"environment": "AzureGermanCloud"
|
|
|
|
|
},
|
|
|
|
|
...
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Delete Config
|
|
|
|
|
|
|
|
|
|
Deletes the stored Azure configuration and credentials.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :-------------- |
|
|
|
|
|
| `DELETE` | `/azure/config` |
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
<Tabs>
|
|
|
|
|
<Tab heading="cURL">
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-08-16 19:10:56 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
2019-12-19 18:24:37 +00:00
|
|
|
|
https://127.0.0.1:8200/v1/azure/config
|
2018-08-16 19:10:56 +00:00
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
<Tab heading="CLI">
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ vault delete azure/config
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
</Tabs>
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
2021-11-05 17:04:25 +00:00
|
|
|
|
## Rotate Root
|
|
|
|
|
|
2021-11-24 06:38:06 +00:00
|
|
|
|
This endpoint generates a new client secret for the root account defined in the config. The
|
2021-11-05 17:04:25 +00:00
|
|
|
|
value generated will only be known by Vault.
|
|
|
|
|
|
2021-11-24 06:38:06 +00:00
|
|
|
|
~> Due to the eventual consistency of Microsoft Azure client secret APIs, the plugin
|
2022-01-06 20:32:52 +00:00
|
|
|
|
may briefly stop authenticating to Azure as the password propagates through their
|
|
|
|
|
datacenters.
|
2021-11-05 17:04:25 +00:00
|
|
|
|
|
2022-01-06 20:32:52 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------- |
|
2021-11-05 17:04:25 +00:00
|
|
|
|
| `POST` | `/azure/rotate-root` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
There are no parameters to this operation.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
http://127.0.0.1:8200/v1/azure/rotate-root
|
2021-11-24 06:38:06 +00:00
|
|
|
|
```
|
2021-11-05 17:04:25 +00:00
|
|
|
|
|
2018-08-16 19:10:56 +00:00
|
|
|
|
## Create/Update Role
|
|
|
|
|
|
2018-10-19 20:48:15 +00:00
|
|
|
|
Create or update a Vault role. Either `application_object_id` or
|
|
|
|
|
`azure_roles` must be provided, and these resources must exist for this
|
|
|
|
|
call to succeed. See the Azure secrets [roles docs][roles] for more
|
|
|
|
|
information about roles.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------- |
|
|
|
|
|
| `POST` | `/azure/roles/:name` |
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2018-10-19 20:48:15 +00:00
|
|
|
|
- `azure_roles` (`string: ""`) - List of Azure roles to be assigned to the generated service
|
2020-01-18 00:18:09 +00:00
|
|
|
|
principal. The array must be in JSON format, properly escaped as a string. See [roles docs][roles]
|
|
|
|
|
for details on role definition.
|
2019-10-15 15:58:22 +00:00
|
|
|
|
- `azure_groups` (`string: ""`) - List of Azure groups that the generated service principal will be
|
2020-01-18 00:18:09 +00:00
|
|
|
|
assigned to. The array must be in JSON format, properly escaped as a string. See [groups docs][groups]
|
|
|
|
|
for more details.
|
2018-10-19 20:48:15 +00:00
|
|
|
|
- `application_object_id` (`string: ""`) - Application Object ID for an existing service principal that will
|
2020-01-18 00:18:09 +00:00
|
|
|
|
be used instead of creating dynamic service principals. If present, `azure_roles` will be ignored. See
|
|
|
|
|
[roles docs][roles] for details on role definition.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
|
2020-01-18 00:18:09 +00:00
|
|
|
|
suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
|
2022-09-13 23:25:19 +00:00
|
|
|
|
- `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
|
|
|
|
|
created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
2018-08-28 02:42:02 +00:00
|
|
|
|
"azure_roles": "[
|
2018-08-16 19:10:56 +00:00
|
|
|
|
{
|
2018-08-28 02:42:02 +00:00
|
|
|
|
\"role_name\": \"Contributor\",
|
2022-06-02 17:58:50 +00:00
|
|
|
|
\"scope\": \"/subscriptions/<uuid>/resourceGroups/Website\"
|
2018-08-16 19:10:56 +00:00
|
|
|
|
},
|
|
|
|
|
{
|
2018-08-28 02:42:02 +00:00
|
|
|
|
\"role_id\": \"/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>\",
|
|
|
|
|
\"scope\": \"/subscriptions/<uuid>\"
|
2018-08-16 19:10:56 +00:00
|
|
|
|
}
|
2018-08-28 02:42:02 +00:00
|
|
|
|
]",
|
2018-08-16 19:10:56 +00:00
|
|
|
|
"ttl": 3600,
|
|
|
|
|
"max_ttl": "24h"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-08-16 19:10:56 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/roles/my-role
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## List Roles
|
|
|
|
|
|
|
|
|
|
Lists all of the roles that are registered with the plugin.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------- |
|
|
|
|
|
| `LIST` | `/azure/roles` |
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
<Tabs>
|
|
|
|
|
<Tab heading="cURL">
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-08-16 19:10:56 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request LIST \
|
|
|
|
|
https://127.0.0.1:8200/v1/azure/roles
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
<Tab heading="CLI">
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ vault list azure/roles
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
</Tabs>
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"keys": ["my-role-one", "my-role-two"]
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-08-16 19:10:56 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Credentials
|
|
|
|
|
|
|
|
|
|
This endpoint generates a new service principal based on the named role.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------- |
|
|
|
|
|
| `GET` | `/azure/creds/:name` |
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` (`string: <required>`) - Specifies the name of the role to create credentials against.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
<Tabs>
|
|
|
|
|
<Tab heading="cURL">
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-08-16 19:10:56 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
http://127.0.0.1:8200/v1/azure/creds/my-role
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
<Tab heading="CLI">
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ vault read azure/creds/my-role
|
|
|
|
|
```
|
2020-12-17 21:53:33 +00:00
|
|
|
|
|
2020-06-18 19:25:59 +00:00
|
|
|
|
</Tab>
|
|
|
|
|
</Tabs>
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"client_id": "408bf248-dd4e-4be5-919a-7f6207a307ab",
|
2020-06-18 19:25:59 +00:00
|
|
|
|
"client_secret": "9PfdaDP9qcf98ggw8WSttfVreFcN4q9c4m4x",
|
2018-08-16 19:10:56 +00:00
|
|
|
|
...
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Revoking/Renewing Secrets
|
|
|
|
|
|
2020-01-22 20:05:41 +00:00
|
|
|
|
See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api/system/leases#revoke-lease) leases.
|
2018-08-16 19:10:56 +00:00
|
|
|
|
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[docs]: /docs/secrets/azure
|
|
|
|
|
[roles]: /docs/secrets/azure#roles
|
|
|
|
|
[groups]: /docs/secrets/azure#azure-groups
|