Erica Thompson 0660ea6fac
Update README (#31244)
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

107 lines
4.3 KiB
Plaintext

---
layout: docs
page_title: Azure Key Vault secret import source
description: The Azure Key Vault source imports secrets from Azure to Vault.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which was previously located in this repository under `/website`, is now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be made in the `web-unified-docs` repo, not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# Azure secret import source
Use the Azure importer to read secret data from Azure Key Vault into your Vault
instance. All secrets, including expired ones, are imported from the provided Azure Key Vault URI.
## Before you start
- **You must know the relevant Azure credentials**. You can provide the credentials
as environment variables, as explicit arguments, or as dynamic credentials
generated by an existing [Azure secrets plugin](/vault/docs/secrets/azure) mount path.
## Step 1: Set Azure Identity permissions
To use Azure import, you must grant the associated Azure identity the `Get` and `List`
secret permissions on the specified Key Vault:
```plaintext
"Get",
"List",
```
## Step 2: Define the Azure source
<Tabs>
<Tab heading="Static credentials">
The following configuration example uses Azure static credentials to
import secrets from Azure Key Vault:
```hcl
source_azure {
name = "my-azure-source-1"
key_vault_uri = "https://keyvault-1234abcd.vault.azure.net"
tenant_id = "<your tenant id>"
client_id = "<your client id>"
credentials_file = "/path/to/client-secret"
}
```
If `tenant_id`, `client_id` and `credentials_file` are set, then `vault_mount_path`, `vault_role_name`, `vault_namespace`, `vault_address` and `vault_credentials_file` must be unset.
</Tab>
<Tab heading="Dynamic credentials">
Alternatively, source credentials can be derived dynamically using the [Azure secrets engine](/vault/docs/secrets/azure).
In this mode, the importer uses the Azure secrets engine mounted at the given `vault_address` to generate dynamic Azure credentials, which it then uses to read secrets from Azure Key Vault.
```hcl
source_azure {
name = "my-azure-source-2"
vault_mount_path = "azure"
vault_role_name = "my-azure-role-1"
vault_namespace = "ns-1"
vault_address = "https://vault.example.com:8200"
vault_credentials_file = "/path/to/vault/token"
}
```
If any of `vault_mount_path`, `vault_role_name`, `vault_namespace`, `vault_address` or `vault_credentials_file` is set, then `tenant_id`, `client_id` and `credentials_file` must be unset.
</Tab>
</Tabs>
## Argument reference
Refer to the [HCL syntax](/vault/docs/import#hcl-syntax-1) for arguments common to all source types.
- `vault_mount_path` `(string: "")` - The Vault mount path to a pre-configured Azure
secrets engine used to generate dynamic credentials for the importer.
- `vault_role_name` `(string: "")` - Azure secrets plugin role used to generate
dynamic credentials for the importer. Only required for dynamic credentials.
- `vault_namespace` `(string: "")` - Vault namespace for the mount path
specified in `vault_mount_path`. Only required for dynamic credentials.
- `vault_address` `(string: "")` - The address of your Vault server. Only
required for dynamic credentials.
- `vault_credentials_file` `(string: "")` - Local path to a file containing a
valid token for the Vault server at `vault_address`. Only required for dynamic
credentials.
- `key_vault_uri` `(string: <required>)` - The URI of the Azure Key Vault you want to import from.
The following parameters are optional. If you leave them unset,
Vault uses the default credential provider mechanisms, for example the credentials persisted to disk
by a preceding `az login`.
- `cloud_name` `(string: "AzureCloud")` - Azure cloud name of your credential provider. Leave unset to use `az login` credentials.
- `tenant_id` `(string: "")` - Tenant ID of your Azure credential provider. Leave unset to use `az login` credentials.
- `client_id` `(string: "")` - Client ID of your Azure credential provider. Leave unset to use `az login` credentials.
- `credentials_file` `(string: "")` - Path to a file on your Azure credential
provider with authentication credentials. Leave unset to use `az login`
credentials.
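The static and dynamic credential modes described above are mutually exclusive, and a block that mixes them fails at import time. The following added example (not part of the Vault documentation or code base) reads the flat `key = "value"` form of a `source_azure` block shown on this page and checks it against the rules in the argument reference before the import is run; the parser is a minimal reader for that block shape, not a general HCL parser.

```python
import re

# Argument groups from this page's argument reference.
STATIC_ARGS = {"tenant_id", "client_id", "credentials_file"}
DYNAMIC_ARGS = {"vault_mount_path", "vault_role_name", "vault_namespace",
                "vault_address", "vault_credentials_file"}
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_source_azure(hcl: str) -> dict:
    """Read the flat key = "value" lines of a source_azure block (minimal reader
    for the block shape shown on this page, not a general HCL parser)."""
    match = re.search(r"source_azure\s*\{(.*?)\}", hcl, re.DOTALL)
    if not match:
        raise ValueError("no source_azure block found")
    args = {}
    for line in match.group(1).splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue  # blank line or HCL comment
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"unsupported line in source_azure: {stripped!r}")
        args[m.group(1)] = m.group(2)
    return args


def credential_mode(args: dict) -> str:
    """Which credential path a block selects: static, dynamic or default."""
    if STATIC_ARGS & set(args):
        return "static"
    return "dynamic" if DYNAMIC_ARGS & set(args) else "default"


def validate_source_azure(args: dict) -> list:
    """Return the problems found; an empty list means the block is acceptable."""
    problems = []
    if not args.get("key_vault_uri"):
        problems.append("key_vault_uri is required")
    static_set = STATIC_ARGS & set(args)
    dynamic_set = DYNAMIC_ARGS & set(args)
    # Static and dynamic credentials are mutually exclusive; with neither set
    # the importer falls back to the default provider chain (e.g. az login).
    if static_set and dynamic_set:
        problems.append(f"mixed credential modes: static {sorted(static_set)} "
                        f"with dynamic {sorted(dynamic_set)}")
    elif dynamic_set and dynamic_set != DYNAMIC_ARGS:
        problems.append(f"dynamic mode is missing {sorted(DYNAMIC_ARGS - dynamic_set)}")
    return problems
```

Running `validate_source_azure(parse_source_azure(text))` over each `source_azure` block in a config file surfaces mixed or incomplete credential settings before any Azure or Vault call is made.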