| layout | page_title | sidebar_title | sidebar_current | description |
|---|---|---|---|---|
| docs | Azure - Auth Methods | Azure | docs-auth-azure | The azure auth method plugin allows automated authentication of Azure Active Directory. |
Azure Auth Method
The azure auth method allows authentication against Vault using Azure Active Directory credentials. It treats Azure as a Trusted Third Party and expects a JSON Web Token (JWT) signed by Azure Active Directory for the configured tenant.
Currently supports authentication for:
Prerequisites:
The following documentation assumes that the method has been mounted at auth/azure.
- A configured Azure AD application which is used as the resource for generating MSI access tokens.
- Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See Azure AD Service to Service Client Credentials.
Required Azure API permissions to be granted to the Vault user:
- Microsoft.Compute/virtualMachines/*/read
- Microsoft.Compute/virtualMachineScaleSets/*/read
If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. MSI must be enabled on the VMs hosting Vault.
The next sections review how the authN/Z workflows work. If you have already reviewed these sections, here are some quick links to:
- Usage
- API documentation
Authentication
Via the CLI
The default path is /auth/azure. If this auth method was enabled at a different path, specify auth/my-path/login instead.
```shell
$ vault write auth/azure/login \
    role="dev-role" \
    jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
    subscription_id="12345-..." \
    resource_group_name="test-group" \
    vm_name="test-vm"
```
The role and jwt parameters are required. When using bound_service_principal_ids and bound_groups in the token roles, all the information is required in the JWT. When using other bound_* parameters, calls to Azure APIs will be made and subscription_id, resource_group_name, and vm_name are all required and can be obtained through instance metadata.
Via the API
The default endpoint is auth/azure/login. If this auth method was enabled at a different path, use that value instead of azure.
```shell
$ curl \
    --request POST \
    --data '{"role": "dev-role", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
    https://127.0.0.1:8200/v1/auth/azure/login
```
The response will contain the token at auth.client_token:
```json
{
  "auth": {
    "client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
    "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
    "policies": [
      "default",
      "dev",
      "prod"
    ],
    "lease_duration": 2764800,
    "renewable": true
  }
}
```
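As an added example that is not part of the Vault docs (and not Vault's own client code), here is a small Python helper covering both the CLI and the API login shown above: it applies the page's rule on which login parameters a role's bound_* constraints require, POSTs to auth/azure/login, and reads auth.client_token out of the response. The Vault address, the `post` transport hook and the offline `fake_post` that echoes the page's sample response are assumptions so that it runs without a Vault server.

```python
import json
from urllib import request

VAULT_ADDR = "https://127.0.0.1:8200"  # address used in the page's curl examples

# Per the page: with only these constraints, all Vault needs is inside the JWT.
JWT_ONLY_BOUNDS = {"bound_service_principal_ids", "bound_groups"}
# Any other bound_* constraint makes Vault call Azure APIs, which needs these.
AZURE_API_FIELDS = ("subscription_id", "resource_group_name", "vm_name")

def required_login_fields(role_config):
    """Login parameters required by a role, derived from its bound_* keys."""
    needs_azure_api = any(k.startswith("bound_") and k not in JWT_ONLY_BOUNDS
                          for k in role_config)
    return ("role", "jwt") + (AZURE_API_FIELDS if needs_azure_api else ())

def login_payload(role_config, role_name, jwt, **azure_fields):
    """Build the auth/azure/login body; reject one the role could not accept."""
    payload = {"role": role_name, "jwt": jwt,
               **{k: v for k, v in azure_fields.items() if v}}
    missing = [f for f in required_login_fields(role_config) if not payload.get(f)]
    if missing:
        raise ValueError(f"login for role {role_name!r} is missing {missing}")
    return payload

def vault_post(token, path, body):
    """Real transport (assumes Vault at VAULT_ADDR): POST JSON to /v1/<path>."""
    headers = {"Content-Type": "application/json"}
    if token:  # the login call itself carries no X-Vault-Token
        headers["X-Vault-Token"] = token
    req = request.Request(f"{VAULT_ADDR}/v1/{path}", json.dumps(body).encode(), headers)
    with request.urlopen(req) as resp:
        return json.load(resp)

def fake_post(token, path, body):
    """Constructed offline transport returning the page's sample login response."""
    if path != "auth/azure/login" or token is not None:
        raise RuntimeError("fake transport only handles unauthenticated login")
    return {"auth": {"client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
                     "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
                     "policies": ["default", "dev", "prod"],
                     "lease_duration": 2764800, "renewable": True}}

def login(post, role_config, role_name, jwt, **azure_fields):
    """Send the login through `post`; return client_token, policies, lease TTL."""
    body = login_payload(role_config, role_name, jwt, **azure_fields)
    auth = post(None, "auth/azure/login", body)["auth"]
    return auth["client_token"], auth["policies"], auth["lease_duration"]
```

Pass `vault_post` instead of `fake_post` to talk to a real server; the role config dict is the same set of bound_* keys you gave `vault write auth/azure/role/...`.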
Configuration
Auth methods must be configured in advance before machines can authenticate. These steps are usually completed by an operator or configuration management tool.
Via the CLI
- Enable Azure authentication in Vault:

  ```shell
  $ vault auth enable azure
  ```

- Configure the Azure auth method:

  ```shell
  $ vault write auth/azure/config \
      tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \
      resource=https://vault.hashicorp.com \
      client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \
      client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
  ```

  For the complete list of configuration options, please see the API documentation.

- Create a role:

  ```shell
  $ vault write auth/azure/role/dev-role \
      policies="prod,dev" \
      bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \
      bound_resource_groups=vault
  ```

  Roles are associated with an authentication type/entity and a set of Vault policies. Roles are configured with constraints specific to the authentication type, as well as overall constraints and configuration for the generated auth tokens.

  For the complete list of role options, please see the API documentation.
Via the API
- Enable Azure authentication in Vault:

  ```shell
  $ curl \
      --header "X-Vault-Token: ..." \
      --request POST \
      --data '{"type": "azure"}' \
      https://127.0.0.1:8200/v1/sys/auth/azure
  ```

- Configure the Azure auth method:

  ```shell
  $ curl \
      --header "X-Vault-Token: ..." \
      --request POST \
      --data '{"tenant_id": "...", "resource": "..."}' \
      https://127.0.0.1:8200/v1/auth/azure/config
  ```

- Create a role:

  ```shell
  $ curl \
      --header "X-Vault-Token: ..." \
      --request POST \
      --data '{"policies": ["dev", "prod"], ...}' \
      https://127.0.0.1:8200/v1/auth/azure/role/dev-role
  ```
Plugin Setup
~> The following section is only relevant if you decide to enable the azure auth method as an external plugin. The azure plugin method is integrated into Vault as a builtin method by default.
Assuming you have saved the binary vault-plugin-auth-azure to some folder and configured the plugin directory for your server at path/to/plugins:

- Enable the plugin in the catalog:

  ```shell
  $ vault write sys/plugins/catalog/azure-auth \
      command="vault-plugin-auth-azure" \
      sha256="..."
  ```

- Enable the azure auth method as a plugin:

  ```shell
  $ vault auth enable -path=azure -plugin-name=azure-auth plugin
  ```
API
The Azure Auth Plugin has a full HTTP API. Please see the [API documentation](/api/auth/azure/index.html) for more details.