Update Vault Azure Secrets docs for permanent deletion feature (#17045)

* Update Vault Azure Secrets docs for permanent deletion feature

* Add changelog for vault azure doc update

* Update CL based on PR feedback

Co-authored-by: Devon Powley <dpowley@users.noreply.github.com>
This commit is contained in:
Devon Powley 2022-09-13 19:25:19 -04:00 committed by GitHub
parent 3163309130
commit bb0f93044f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 0 deletions

3
changelog/17045.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
secrets/azure: Adds option to permanently delete AzureAD objects created by Vault.
```

View File

@ -241,6 +241,8 @@ information about roles.
Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
- `max_ttl` (`string: ""`) Specifies the maximum TTL for service principals generated using this role. Accepts time - `max_ttl` (`string: ""`) Specifies the maximum TTL for service principals generated using this role. Accepts time
suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
- `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
### Sample Payload ### Sample Payload

View File

@ -183,6 +183,25 @@ $ cat az_groups.json
] ]
``` ```
### Permanently Delete Azure Objects
If dynamic service principals are used, the option to permanently delete the applications and service principals created by Vault may be configured on the Vault role.
When this option is enabled and a lease is expired or revoked, the application and service principal associated with the lease will be [permanently deleted](https://docs.microsoft.com/en-us/graph/api/directory-deleteditems-delete) from the Azure Active Directory.
As a result, these objects will not count toward the [quota](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#active-directory-limits) of total resources in an Azure tenant. When this option is not enabled
and a lease is expired or revoked, the application and service principal associated with the lease will be deleted, but not permanently. These objects will be available to restore for 30 days from deletion.
Example of role configuration:
```shell-session
$ vault write azure/roles/my-role permanently_delete=true ttl=1h azure_roles=-<<EOF
[
{
"role_name": "Contributor",
"scope": "/subscriptions/<uuid>/resourceGroups/Website"
}
]
EOF
```
## Authentication ## Authentication
The Azure secrets backend must have sufficient permissions to read Azure role information and manage The Azure secrets backend must have sufficient permissions to read Azure role information and manage