Adding information on required azure permissions (#4956)

Chris Hoffman 2018-07-19 10:24:55 -04:00 committed by GitHub
parent bb057dd1df
commit 6a169ab00d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 4 additions and 0 deletions

@ -26,6 +26,10 @@ The following documentation assumes that the method has been
* A configured [Azure AD application](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) which is used as the resource for generating MSI access tokens.
* Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See [Azure AD Service to Service Client Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
Required Azure API permissions to be granted to Vault user:
* Microsoft.Compute/virtualMachines/*/read
* Microsoft.Compute/virtualMachineScaleSets/*/read
If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. MSI must be [enabled](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm) on the VMs hosting Vault.
The next sections review how the authN/Z workflows work. If you
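Review bot: the added line "Required Azure API permissions to be granted to Vault user:" leaves the grantee ambiguous and uses the wrong Azure term. `Microsoft.Compute/virtualMachines/*/read` and `Microsoft.Compute/virtualMachineScaleSets/*/read` are Azure Resource Manager RBAC actions, the kind that go into a role definition and are granted through a role assignment, not "API permissions" in the Azure AD app-registration sense, and the grantee is the service principal behind the client credentials from the preceding bullet (or the MSI identity, in the case described two lines below), not a "Vault user". Suggest rewording along the lines of "The service principal (or MSI identity) Vault authenticates with must hold a role assignment that includes the following actions:" and adding the scope at which the role must be assigned (the subscription or resource group containing the VMs being authenticated), since the read access mentioned in the client-credentials bullet above is otherwise unspecified.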