Update Azure secrets engine to use MS Graph (#12629)

Michael Golowka 2021-09-29 11:28:13 -06:00 committed by GitHub
parent f854b4446f
commit bee49a4c49
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 22 additions and 2 deletions

changelog/12629.txt (new file, 3 lines changed)

@ -0,0 +1,3 @@
```release-note:improvement
secrets/azure: Adds support for using Microsoft Graph API since Azure Active Directory API is being removed in 2022. [#67](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/67)
```
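Review bot: the release note announces Graph support but not that it is opt-in; the new `use_microsoft_graph_api` option defaults to false (see the API doc change in this commit), so existing installations keep calling the deprecated Azure AD Graph API until an operator changes the config. Suggest naming the option in the note, e.g. "enabled by setting `use_microsoft_graph_api=true` on the config endpoint", so the changelog alone tells readers what action the 2022 removal requires.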

go.mod (2 lines changed)

@ -107,7 +107,7 @@ require (
github.com/hashicorp/vault-plugin-mock v0.16.1 github.com/hashicorp/vault-plugin-mock v0.16.1
github.com/hashicorp/vault-plugin-secrets-ad v0.10.0 github.com/hashicorp/vault-plugin-secrets-ad v0.10.0
github.com/hashicorp/vault-plugin-secrets-alicloud v0.9.0 github.com/hashicorp/vault-plugin-secrets-alicloud v0.9.0
github.com/hashicorp/vault-plugin-secrets-azure v0.10.0 github.com/hashicorp/vault-plugin-secrets-azure v0.6.3-0.20210924190759-58a034528e35
github.com/hashicorp/vault-plugin-secrets-gcp v0.10.2 github.com/hashicorp/vault-plugin-secrets-gcp v0.10.2
github.com/hashicorp/vault-plugin-secrets-gcpkms v0.9.0 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.9.0
github.com/hashicorp/vault-plugin-secrets-kv v0.5.7-0.20210811133805-e060c2307b24 github.com/hashicorp/vault-plugin-secrets-kv v0.5.7-0.20210811133805-e060c2307b24
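Review bot: the requirement moves from the tagged release `v0.10.0` to the pseudo-version `v0.6.3-0.20210924190759-58a034528e35`, which sorts below v0.10.0 under semver and pins an untagged commit. Under Go's minimal version selection, any other module in the build that requires `v0.10.0` or newer will pull the selection back up to that release and silently drop the Graph support this commit depends on. Suggest cutting a tagged release of vault-plugin-secrets-azure that contains PR #67 and requiring that tag here instead of the pseudo-version.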

go.sum (2 lines changed)

@ -751,6 +751,8 @@ github.com/hashicorp/vault-plugin-secrets-ad v0.10.0 h1:iMS1SfIQtPfvPbw24W8HbNBb
github.com/hashicorp/vault-plugin-secrets-ad v0.10.0/go.mod h1:4AN/0ynq1Krn7LhwzoP/roj9JRdxiuptPpktq7ftLjo= github.com/hashicorp/vault-plugin-secrets-ad v0.10.0/go.mod h1:4AN/0ynq1Krn7LhwzoP/roj9JRdxiuptPpktq7ftLjo=
github.com/hashicorp/vault-plugin-secrets-alicloud v0.9.0 h1:EhTRXoWCjM3suD1atK97R2wWHBr/aacYByRnjzZvFCI= github.com/hashicorp/vault-plugin-secrets-alicloud v0.9.0 h1:EhTRXoWCjM3suD1atK97R2wWHBr/aacYByRnjzZvFCI=
github.com/hashicorp/vault-plugin-secrets-alicloud v0.9.0/go.mod h1:SSkKpSTOMnX84PfgYiWHgwVg+YMhxHNjo+YCJGNBoZk= github.com/hashicorp/vault-plugin-secrets-alicloud v0.9.0/go.mod h1:SSkKpSTOMnX84PfgYiWHgwVg+YMhxHNjo+YCJGNBoZk=
github.com/hashicorp/vault-plugin-secrets-azure v0.6.3-0.20210924190759-58a034528e35 h1:EOw71K6RZcteApYrO4TfJeDcppRzOyCNRO7I66RzMbk=
github.com/hashicorp/vault-plugin-secrets-azure v0.6.3-0.20210924190759-58a034528e35/go.mod h1:Tqe5hI33oQ+bHLy/dE4zmvcJD1afRnjsrc5SjUgqvZ8=
github.com/hashicorp/vault-plugin-secrets-azure v0.10.0 h1:pJTWKVHYqfnlB3xg3XnnF9BOpj2/J7LC/e0RgiwkwKI= github.com/hashicorp/vault-plugin-secrets-azure v0.10.0 h1:pJTWKVHYqfnlB3xg3XnnF9BOpj2/J7LC/e0RgiwkwKI=
github.com/hashicorp/vault-plugin-secrets-azure v0.10.0/go.mod h1:4jCVjTG809NCQ8mrSnbBtX17gX1Iush+558BVO6MJeo= github.com/hashicorp/vault-plugin-secrets-azure v0.10.0/go.mod h1:4jCVjTG809NCQ8mrSnbBtX17gX1Iush+558BVO6MJeo=
github.com/hashicorp/vault-plugin-secrets-gcp v0.10.2 h1:+DtlYJTsrFRInQpAo09KkYN64scrextjBiTSunpluo8= github.com/hashicorp/vault-plugin-secrets-gcp v0.10.2 h1:+DtlYJTsrFRInQpAo09KkYN64scrextjBiTSunpluo8=
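Review bot: the `v0.10.0` h1 and `/go.mod` checksum lines for vault-plugin-secrets-azure are left in place while the two pseudo-version lines are added above them. Please run `go mod tidy` and commit the result so go.sum only carries versions the build resolves; if the v0.10.0 entries survive tidy, that means another dependency still selects v0.10.0, which is the version-ordering problem raised on the go.mod hunk.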

View File

@ -36,6 +36,14 @@ service principals. Environment variables will override any parameters set in th
environment variable. If not specified, Vault will use Azure Public Cloud. environment variable. If not specified, Vault will use Azure Public Cloud.
- `password_policy` `(string: "")` - Specifies a [password policy](/docs/concepts/password-policies) to - `password_policy` `(string: "")` - Specifies a [password policy](/docs/concepts/password-policies) to
use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
- `use_microsoft_graph_api` `(bool: false)` - Indicates whether the secrets engine should use the
[Microsoft Graph API](https://docs.microsoft.com/en-us/graph/use-the-api). If set to false, this will use the Azure
Active Directory API which has been [deprecated by Microsoft and will be removed in 2022](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-faq).
If set to true, the user specified via the `client_id` and `client_secret` will need to have the following permissions
under the Microsoft Graph API: `Application.ReadWrite.All`, `Directory.ReadWrite.All`, and `Group.ReadWrite.All`.
Aside from the permissions listed above, setting this to true should be transparent to users.
### Sample Payload ### Sample Payload
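Review bot: the new `use_microsoft_graph_api` entry says "the user specified via the `client_id` and `client_secret`", but those values identify an application registration (service principal), not a user, and the three permissions listed (`Application.ReadWrite.All`, `Directory.ReadWrite.All`, `Group.ReadWrite.All`) are tenant-wide application permissions that need admin consent before the principal can use them. Suggest rewording to "the service principal identified by `client_id`" and adding that admin consent must be granted, so operators do not expect the plugin identity to complete the grant itself. It would also help to state plainly that the default of false keeps the deprecated Azure AD Graph API in use, since that is the path every existing installation is on.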
@ -46,7 +54,8 @@ service principals. Environment variables will override any parameters set in th
"client_id": "e607c4...", "client_id": "e607c4...",
"client_secret": "9a6346...", "client_secret": "9a6346...",
"environment": "AzureGermanCloud", "environment": "AzureGermanCloud",
"password_policy": "azure_policy" "password_policy": "azure_policy",
"use_microsoft_graph_api": true
} }
``` ```

View File

@ -21,6 +21,12 @@ If an existing service principal is specified as part of the role configuration,
a new password will be dynamically generated instead of a new service principal. a new password will be dynamically generated instead of a new service principal.
The password will be deleted when the lease is revoked. The password will be deleted when the lease is revoked.
~> Microsoft has deprecated their Azure Active Directory API and will be removing it in
2022. If you are currently using this secret engine, you will need to update the
credentials to include Microsoft Graph API permissions and specify the
`use_microsoft_graph_api` configuration value as true. See the
[API Docs](/api-docs/secret/azure#use_microsoft_graph_api) for more details.
## Setup ## Setup
Most secrets engines must be configured in advance before they can perform their Most secrets engines must be configured in advance before they can perform their
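Review bot: the callout tells operators to "update the credentials to include Microsoft Graph API permissions" but does not name them, and the linked API page is the only place the three permissions appear; consider repeating them here, along with the config change (e.g. `vault write azure/config use_microsoft_graph_api=true`, assuming the default mount path), since this is the page an operator reads when planning the migration. It would also be worth answering the obvious question of whether service principals and leases created under the Azure AD Graph API remain valid after the flag is flipped; the API doc says the switch "should be transparent to users", and saying so explicitly here would avoid unnecessary lease rotation.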