diff --git a/changelog/19187.txt b/changelog/19187.txt new file mode 100644 index 000000000..c04234a1b --- /dev/null +++ b/changelog/19187.txt @@ -0,0 +1,3 @@ +```release-note:improvement +website/docs: Add rotate root documentation for azure secrets engine +``` diff --git a/website/content/docs/secrets/azure.mdx b/website/content/docs/secrets/azure.mdx index b972c3b2e..c8d2fc0dd 100644 --- a/website/content/docs/secrets/azure.mdx +++ b/website/content/docs/secrets/azure.mdx @@ -103,6 +103,20 @@ This endpoint generates a renewable set of credentials. The application can logi using the `client_id`/`client_secret` and will have access provided by configured service principal or the Azure roles set in the "my-role" configuration. +## Root Credential Rotation + +If the mount is configured with credentials directly, the credential's key may be +rotated to a Vault-generated value that is not accessible by the operator. +This will ensure that only Vault is able to access the "root" user that Vault uses to +manipulate dynamic & static credentials. + +```shell-session +vault write -f azure/rotate-root +``` + +For more details on this operation, please see the +[Root Credential Rotation](/vault/api-docs/secret/azure#rotate-root) API docs. + ## Roles Vault roles let you configure either an existing service principal or a set of Azure roles, along with