auth/azure: Documents config env vars and fixes resource used in examples (#13641)

Austin Gebauer 2022-01-13 10:41:40 -08:00 committed by GitHub
parent e5dd039c4f
commit 691e440fac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 6 deletions

@ -29,17 +29,25 @@ virtual machine.
### Parameters
- `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization.
- `resource` `(string: <required>)` - The configured URL for the application registered in Azure Active Directory.
This value can also be provided with the `AZURE_TENANT_ID` environment variable.
- `resource` `(string: <required>)` - The resource URL for the application registered in Azure Active Directory.
The value is expected to match the audience (`aud` claim) of the [JWT](/api-docs/auth/azure#jwt)
provided to the login API. See the [resource](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http)
parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint.
This value can also be provided with the `AZURE_AD_RESOURCE` environment variable.
- `environment` `(string: 'AzurePublicCloud')` - The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.
This value can also be provided with the `AZURE_ENVIRONMENT` environment variable.
- `client_id` `(string: '')` - The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.
This value can also be provided with the `AZURE_CLIENT_ID` environment variable.
- `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs.
This value can also be provided with the `AZURE_CLIENT_SECRET` environment variable.
### Sample Payload
```json
{
"tenant_id": "kd83...",
"resource": "https://vault.hashicorp.com/",
"resource": "https://management.azure.com/",
"client_id": "12ud...",
"client_secret": "DUJDS3..."
}
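Review bot: the new `resource` description ("The value is expected to match the audience (`aud` claim) of the JWT") should spell out what happens on a mismatch, since the audience check is what keeps a token issued for some other service from being accepted here: state that a login whose JWT `aud` differs from `resource` is rejected, and that the comparison is exact, so the trailing slash in `https://management.azure.com/` has to be the same in the config value and in the `resource=` query sent to IMDS. Two smaller documentation points in the same hunk: none of the added "This value can also be provided with the `AZURE_*` environment variable" sentences say which one wins when both the config parameter and the variable are set, and the `client_id` line's "Currently read permissions to query compute resources are required" is vague about the minimum Azure role or scope needed; name it or link to it.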
@ -77,7 +85,7 @@ $ curl \
{
"data":{
"tenant_id": "kd83...",
"resource": "https://vault.hashicorp.com/",
"resource": "https://management.azure.com/",
"client_id": "12ud...",
"client_secret": "DUJDS3..."
},
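Review bot: the sample read response still echoes `"client_secret": "DUJDS3..."`. If the config read endpoint does not actually return `client_secret`, the line is misleading and should be dropped from the sample; if it does, that deserves a sentence in the docs, because anyone with read access to the config path can then recover the Azure credential, and the example should not present that as unremarkable output. Either way the sample should match the real response.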
@ -261,7 +269,9 @@ entity and then authorizes the entity for the given role.
- `role` `(string: <required>)` - Name of the role against which the login is being
attempted.
- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI.
- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
for details on how to acquire a JWT access token through instance metadata.
- `subscription_id` `(string: <required>)` - The subscription ID for the machine that
generated the MSI token. This information can be obtained through instance
metadata.
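Review bot: the expanded `jwt` description should tie the token to the configured `resource`, since the Azure link alone does not say which `resource=` value to request; suggest adding after "through instance metadata": "The token must be requested with the `resource` configured in `auth/azure/config` as its audience." Also a naming point: "Azure MSI" is the older term, and the linked Azure page itself now says "managed identity"; using the current name here avoids sending readers after a feature name they will not find.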

@ -61,7 +61,7 @@ For example:
```shell-session
$ vault write auth/azure/login role="dev-role" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.hashicorp.com%2F' -H Metadata:true | jq -r '.access_token')" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true | jq -r '.access_token')" \
subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId') \
resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
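Review bot: in `jwt="$(curl -s '...' -H Metadata:true | jq -r '.access_token')"`, `curl -s` hides HTTP errors and `jq -r` prints `null` when the key is absent, so any IMDS failure (wrong `resource`, IMDS unreachable, an error JSON body) submits the literal string `null` as the JWT and the user only sees an opaque login error; use `curl -sf` so the substitution is empty and the failure is visible. Two related points in the same example: the three `$(curl ... instance?api-version=2017-08-01 ...)` substitutions for `subscription_id`, `resource_group_name` and `vm_name` fetch the same metadata document three times and could be one call stored in a variable, and they are unquoted, unlike the `jwt` one, so they should be wrapped in double quotes. The change to `resource=https%3A%2F%2Fmanagement.azure.com%2F` does bring the requested audience in line with the trailing-slash form used in the config example, which is what the `aud` comparison needs.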
@ -112,7 +112,7 @@ tool.
```text
$ vault write auth/azure/config \
tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \
resource=https://vault.hashicorp.com \
resource=https://management.azure.com/ \
client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \
client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
```
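Review bot: `client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=` on the `vault write` command line ends up in shell history and is visible to other local users in the process list while the command runs; since this same commit documents `AZURE_CLIENT_SECRET`, the example should show the secret supplied through that variable (or read from a file with the CLI's `client_secret=@path` form) rather than inline. Style: this block is fenced as `text` while the login example above uses `shell-session` for the same `$ vault ...` prompt style; the two should use the same fence.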