ec620a7765
* implement mdx remote * fix an unfenced code block * fix partials path Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
103 lines
4 KiB
Plaintext
103 lines
4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Azure Key Vault - Seals - Configuration
|
|
sidebar_title: Azure Key Vault
|
|
description: >-
|
|
The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal
|
|
wrapping
|
|
|
|
mechanism.
|
|
---
|
|
|
|
# `azurekeyvault` Seal
|
|
|
|
The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal
|
|
wrapping mechanism. The Azure Key Vault seal is activated by one of the following:
|
|
|
|
- The presence of a `seal "azurekeyvault"` block in Vault's configuration file.
|
|
- The presence of the environment variable `VAULT_SEAL_TYPE` set to `azurekeyvault`.
|
|
If enabling via environment variable, all other required values specific to
|
|
Key Vault (i.e. `VAULT_AZUREKEYVAULT_VAULT_NAME`, etc.) must be also supplied, as
|
|
well as all other Azure-related environment variables that lends to successful
|
|
authentication (i.e. `AZURE_TENANT_ID`, etc.).
|
|
|
|
## `azurekeyvault` Example
|
|
|
|
This example shows configuring Azure Key Vault seal through the Vault
|
|
configuration file by providing all the required values:
|
|
|
|
```hcl
|
|
seal "azurekeyvault" {
|
|
tenant_id = "46646709-b63e-4747-be42-516edeaf1e14"
|
|
client_id = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"
|
|
client_secret = "DUJDS3..."
|
|
vault_name = "hc-vault"
|
|
key_name = "vault_key"
|
|
}
|
|
```
|
|
|
|
## `azurekeyvault` Parameters
|
|
|
|
These parameters apply to the `seal` stanza in the Vault configuration file:
|
|
|
|
- `tenant_id` `(string: <required>)`: The tenant id for the Azure Active Directory organization. May
|
|
also be specified by the `AZURE_TENANT_ID` environment variable.
|
|
|
|
- `client_id` `(string: <required or MSI>)`: The client id for credentials to query the Azure APIs.
|
|
May also be specified by the `AZURE_CLIENT_ID` environment variable.
|
|
|
|
- `client_secret` `(string: <required or MSI>)`: The client secret for credentials to query the Azure APIs.
|
|
May also be specified by the `AZURE_CLIENT_SECRET` environment variable.
|
|
|
|
- `environment` `(string: "AZUREPUBLICCLOUD")`: The Azure Cloud environment API endpoints to use. May also
|
|
be specified by the `AZURE_ENVIRONMENT` environment variable.
|
|
|
|
- `vault_name` `(string: <required>)`: The Key Vault vault to use the encryption keys for encryption and
|
|
decryption. May also be specified by the `VAULT_AZUREKEYVAULT_VAULT_NAME` environment variable.
|
|
|
|
- `key_name` `(string: <required>)`: The Key Vault key to use for encryption and decryption. May also be specified by the
|
|
`VAULT_AZUREKEYVAULT_KEY_NAME` environment variable.
|
|
|
|
## Authentication
|
|
|
|
Authentication-related values must be provided, either as environment
|
|
variables or as configuration parameters.
|
|
|
|
Azure authentication values:
|
|
|
|
- `AZURE_TENANT_ID`
|
|
- `AZURE_CLIENT_ID`
|
|
- `AZURE_CLIENT_SECRET`
|
|
- `AZURE_ENVIRONMENT`
|
|
|
|
~> **Note:** If Vault is hosted on Azure, Vault can use Managed Service
|
|
Identities (MSI) to access Azure instead of an environment and shared client id
|
|
and secret. MSI must be
|
|
[enabled](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm)
|
|
on the VMs hosting Vault, and it is the preferred configuration since MSI
|
|
prevents your Azure credentials from being stored as clear text. Refer to the
|
|
[Production
|
|
Hardening](https://learn.hashicorp.com/vault/day-one/production-hardening) guide
|
|
for more best practices.
|
|
|
|
## `azurekeyvault` Environment Variables
|
|
|
|
Alternatively, the Azure Key Vault seal can be activated by providing the following
|
|
environment variables:
|
|
|
|
- `VAULT_AZUREKEYVAULT_VAULT_NAME`
|
|
- `VAULT_AZUREKEYVAULT_KEY_NAME`
|
|
|
|
## Key Rotation
|
|
|
|
This seal supports rotating keys defined in Azure Key Vault. Key metadata is
|
|
stored with the encrypted data to ensure the correct key is used during
|
|
decryption operations. Simply [set up Azure Key Vault with key
|
|
rotation](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring)
|
|
using Azure Automation Account and Vault will recognize newly rotated keys.
|
|
|
|
## Learn
|
|
|
|
Refer to the [Auto-unseal using Azure Key Vault](https://learn.hashicorp.com/vault/operations/autounseal-azure-keyvault)
|
|
guide for a step-by-step tutorial.
|