auth/azure: Documents config env vars and fixes resource used in examples (#13641)

Austin Gebauer 2022-01-13 10:41:40 -08:00 committed by GitHub
parent e5dd039c4f
commit 691e440fac
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 6 deletions


@ -29,17 +29,25 @@ virtual machine.
### Parameters ### Parameters
- `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization. - `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization.
- `resource` `(string: <required>)` - The configured URL for the application registered in Azure Active Directory. This value can also be provided with the `AZURE_TENANT_ID` environment variable.
- `resource` `(string: <required>)` - The resource URL for the application registered in Azure Active Directory.
The value is expected to match the audience (`aud` claim) of the [JWT](/api-docs/auth/azure#jwt)
provided to the login API. See the [resource](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http)
parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint.
This value can also be provided with the `AZURE_AD_RESOURCE` environment variable.
- `environment` `(string: 'AzurePublicCloud')` - The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. - `environment` `(string: 'AzurePublicCloud')` - The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.
This value can also be provided with the `AZURE_ENVIRONMENT` environment variable.
- `client_id` `(string: '')` - The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. - `client_id` `(string: '')` - The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.
This value can also be provided with the `AZURE_CLIENT_ID` environment variable.
- `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs. - `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs.
This value can also be provided with the `AZURE_CLIENT_SECRET` environment variable.
### Sample Payload ### Sample Payload
```json ```json
{ {
"tenant_id": "kd83...", "tenant_id": "kd83...",
"resource": "https://vault.hashicorp.com/", "resource": "https://management.azure.com/",
"client_id": "12ud...", "client_id": "12ud...",
"client_secret": "DUJDS3..." "client_secret": "DUJDS3..."
} }
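Review bot: the new "This value can also be provided with the `AZURE_...` environment variable" sentences for `tenant_id`, `resource`, `environment`, `client_id` and `client_secret` should say where the variable is read: it is the environment of the Vault server process running the auth method, not the shell of the operator issuing the config write, which is the natural misreading for `AZURE_CLIENT_SECRET`. Also, now that `resource` is documented as having to match the JWT `aud` claim, the text should say whether that match is an exact string comparison; if it is, the trailing slash in the sample `"resource": "https://management.azure.com/"` is significant and must be the same form used when the token is requested from IMDS.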
@ -77,7 +85,7 @@ $ curl \
{ {
"data":{ "data":{
"tenant_id": "kd83...", "tenant_id": "kd83...",
"resource": "https://vault.hashicorp.com/", "resource": "https://management.azure.com/",
"client_id": "12ud...", "client_id": "12ud...",
"client_secret": "DUJDS3..." "client_secret": "DUJDS3..."
}, },
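Review bot: the sample read response at `-77` still shows `"client_secret": "DUJDS3..."` coming back in `data`. If the config read endpoint really returns the secret, the parameter docs should state that read access on this path discloses the Azure client credential; if it does not, drop the field from the sample so readers do not expect it.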
@ -261,7 +269,9 @@ entity and then authorizes the entity for the given role.
- `role` `(string: <required>)` - Name of the role against which the login is being - `role` `(string: <required>)` - Name of the role against which the login is being
attempted. attempted.
- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. - `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
for details on how to acquire a JWT access token through instance metadata.
- `subscription_id` `(string: <required>)` - The subscription ID for the machine that - `subscription_id` `(string: <required>)` - The subscription ID for the machine that
generated the MSI token. This information can be obtained through instance generated the MSI token. This information can be obtained through instance
metadata. metadata.
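Review bot: the `jwt` parameter description gains a link for acquiring the token but does not say what the token must contain; add a sentence that its `aud` claim must equal the configured `resource` (the requirement the config parameters now state), since that is the value the login API checks the token against, and link back to the `resource` parameter.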


@ -61,7 +61,7 @@ For example:
```shell-session ```shell-session
$ vault write auth/azure/login role="dev-role" \ $ vault write auth/azure/login role="dev-role" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.hashicorp.com%2F' -H Metadata:true | jq -r '.access_token')" \ jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true | jq -r '.access_token')" \
subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId') \ subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId') \
resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \ resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name') vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
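Review bot: in the login example the `jwt="$(curl -s ... | jq -r '.access_token')"` substitution silently yields `null` when IMDS returns an error body with no `access_token` key, so `vault write` is run with `jwt=null`. Consider `curl -sf` (`--fail`) so an HTTP error aborts the substitution, or `jq -er '.access_token'` so a missing field exits non-zero. The encoded `resource=https%3A%2F%2Fmanagement.azure.com%2F` (with trailing slash) matches the config example in this change, which is the right fix.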
@ -112,7 +112,7 @@ tool.
```text ```text
$ vault write auth/azure/config \ $ vault write auth/azure/config \
tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \ tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \
resource=https://vault.hashicorp.com \ resource=https://management.azure.com/ \
client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \ client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \
client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004= client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
``` ```
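Review bot: `client_secret=IT3B2XfZ...` is given inline on the command line, which leaves the credential in shell history and in `ps` output on the operator's machine; `vault write` accepts `client_secret=@path/to/file` to read the value from a file, which is worth showing (or at least mentioning) in an example that will be copy-pasted. The change to `resource=https://management.azure.com/` with the trailing slash agrees with the URL-encoded `%2F` form in the login example; the two must stay identical because the value is matched against the token's `aud` claim.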