Add rotate root docs for azure secrets (#19187)

2023-02-15 13:07:42 -08:00 · 2023-02-15 13:07:42 -08:00 · 91446e129e
parent c6a455c92f
commit 91446e129e
2 changed files with 17 additions and 0 deletions
--- a/changelog/19187.txt
+++ b/changelog/19187.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+website/docs: Add rotate root documentation for azure secrets engine
+```
--- a/website/content/docs/secrets/azure.mdx
+++ b/website/content/docs/secrets/azure.mdx
@ -103,6 +103,20 @@ This endpoint generates a renewable set of credentials. The application can logi
 using the `client_id`/`client_secret` and will have access provided by configured service
 principal or the Azure roles set in the "my-role" configuration.

+## Root Credential Rotation
+
+If the mount is configured with credentials directly, the credential's key may be
+rotated to a Vault-generated value that is not accessible by the operator.
+This will ensure that only Vault is able to access the "root" user that Vault uses to
+manipulate dynamic & static credentials.
+
+```shell-session
+vault write -f azure/rotate-root
+```
+
+For more details on this operation, please see the
+[Root Credential Rotation](/vault/api-docs/secret/azure#rotate-root) API docs.
+
 ## Roles

 Vault roles let you configure either an existing service principal or a set of Azure roles, along with