backport of commit 4811ef9cc3885f83e204aea86083589b22c19d62 (#22025)
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
This commit is contained in:
parent
94dc0d67e0
commit
08187d2ca4
|
@ -237,6 +237,9 @@ service principals.
|
|||
| Application.ReadWrite.OwnedBy | Application |
|
||||
| GroupMember.ReadWrite.All | Application |
|
||||
|
||||
~> **Note**: If you plan to use the [rotate root](/vault/api-docs/secret/azure#rotate-root)
|
||||
credentials API, you'll need to change `Application.ReadWrite.OwnedBy` to `Application.ReadWrite.All`.
|
||||
|
||||
#### Existing Service Principals
|
||||
|
||||
| Permission Name | Type |
|
||||
|
@ -250,9 +253,9 @@ The following Azure [role assignments](https://learn.microsoft.com/en-us/azure/r
|
|||
must be granted in order for the secrets engine to manage role assignments for service
|
||||
principles it creates.
|
||||
|
||||
| Role | Scope | Security Principal |
|
||||
| ----- | ------------ | ------------------------------------------- |
|
||||
| Owner | Subscription | Service Principal ID given in configuration |
|
||||
| Role | Scope | Security Principal |
|
||||
|------------------------------------------------| ------------ | ------------------------------------------- |
|
||||
| [User Access Administrator][user_access_admin] | Subscription | Service Principal ID given in configuration |
|
||||
|
||||
## Choosing between dynamic or existing service principals
|
||||
|
||||
|
@ -320,3 +323,4 @@ for more details.
|
|||
[api]: /vault/api-docs/secret/azure
|
||||
[config]: /vault/api-docs/secret/azure#configure-access
|
||||
[repo]: https://github.com/hashicorp/vault-plugin-secrets-azure
|
||||
[user_access_admin]: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator
|
||||
|
|
Loading…
Reference in New Issue