From b4e54110080a6a3de013bd7a0698eef153f52ea0 Mon Sep 17 00:00:00 2001 From: Devon Powley <46845760+dpowley@users.noreply.github.com> Date: Tue, 13 Sep 2022 19:25:19 -0400 Subject: [PATCH] Update Vault Azure Secrets docs for permanent deletion feature (#17045) * Update Vault Azure Secrets docs for permanent deletion feature * Add changelog for vault azure doc update * Update CL based on PR feedback Co-authored-by: Devon Powley --- changelog/17045.txt | 3 +++ website/content/api-docs/secret/azure.mdx | 2 ++ website/content/docs/secrets/azure.mdx | 19 +++++++++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 changelog/17045.txt diff --git a/changelog/17045.txt b/changelog/17045.txt new file mode 100644 index 0000000000..600641dbe0 --- /dev/null +++ b/changelog/17045.txt @@ -0,0 +1,3 @@ +```release-note:improvement +secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. +``` diff --git a/website/content/api-docs/secret/azure.mdx b/website/content/api-docs/secret/azure.mdx index 7c00102d57..3cee9179b8 100644 --- a/website/content/api-docs/secret/azure.mdx +++ b/website/content/api-docs/secret/azure.mdx @@ -241,6 +241,8 @@ information about roles. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. - `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. +- `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically + created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`. ### Sample Payload diff --git a/website/content/docs/secrets/azure.mdx b/website/content/docs/secrets/azure.mdx index 332afc480f..f766d999c2 100644 --- a/website/content/docs/secrets/azure.mdx 
+++ b/website/content/docs/secrets/azure.mdx @@ -183,6 +183,25 @@ $ cat az_groups.json ] ``` +### Permanently Delete Azure Objects +If dynamic service principals are used, the option to permanently delete the applications and service principals created by Vault may be configured on the Vault role. +When this option is enabled and a lease is expired or revoked, the application and service principal associated with the lease will be [permanently deleted](https://docs.microsoft.com/en-us/graph/api/directory-deleteditems-delete) from the Azure Active Directory. +As a result, these objects will not count toward the [quota](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#active-directory-limits) of total resources in an Azure tenant. When this option is not enabled +and a lease is expired or revoked, the application and service principal associated with the lease will be deleted, but not permanently. These objects will be available to restore for 30 days from deletion. + +Example of role configuration: + +```shell-session +$ vault write azure/roles/my-role permanently_delete=true ttl=1h azure_roles=-</resourceGroups/Website" + } + ] +EOF +``` + ## Authentication The Azure secrets backend must have sufficient permissions to read Azure role information and manage
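Review bot: the release note in `changelog/17045.txt` writes `AzureAD` while the docs hunk in the same patch says `Azure Active Directory`; pick one form (`Azure AD`) so the changelog matches the documentation it announces, and name the new role field so operators can find it, e.g. `secrets/azure: Adds the `permanently_delete` role option to permanently delete Azure AD applications and service principals created by Vault.`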
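Review bot: the `permanently_delete` parameter entry added to `website/content/api-docs/secret/azure.mdx` states the constraint with `application_object_id` but not what the engine does when both are set; say whether the role write is rejected and with what error, and state when the permanent deletion actually happens (on lease expiry or revocation, as the user-facing docs hunk says), since the API reference is the page operators read when writing the role. The wording "If `application_object_id` is present" should also make clear that the option only applies to dynamically created objects because a static application is never deleted by Vault.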
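Review bot: the role example under `### Permanently Delete Azure Objects` reads `azure_roles=-</resourceGroups/Website"` followed only by `}`, `]` and `EOF`; the heredoc opener (`azure_roles=-<<EOF`), the start of the JSON array and the subscription prefix of the `scope` are missing, so the example cannot be run as shown and should be restored to a complete heredoc in the same style as the `az_groups.json` example above it. This section should also state the mutual exclusion with `application_object_id` that the API hunk documents, and spell out the trade-off of enabling the option: a permanently deleted application or service principal cannot be restored from the directory's deleted items, whereas the default soft delete leaves 30 days to recover it.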