mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-14 02:27:02 +02:00
7e5f2cebb7
* VAULT-14644 first draft of changes for WIF support * VAULT-14644 Potentially finalize Agent work for WIF support * VAULT-14644 finishing touches * VAULT-14644 finishing touches * VAULT-14644 remove extra log * VAULT-14644 better docs * VAULT-14644 changelog * VAULT-14644 review feedback
64 lines
2.5 KiB
Plaintext
64 lines
2.5 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault Auto-Auth Azure Method
|
|
description: Azure Method for Vault Auto-Auth
|
|
---
|
|
|
|
# Vault Auto-Auth Azure method
|
|
|
|
The `azure` method reads in Azure instance credentials and uses them to
|
|
authenticate with the [Azure Auth
|
|
method](/vault/docs/auth/azure). It reads most
|
|
parameters needed for authentication directly from instance information based
|
|
on the value of the `resource` parameter.
|
|
|
|
## Configuration
|
|
|
|
- `role` `(string: required)` - The role to authenticate against on Vault
|
|
|
|
- `authenticate_from_environment` `(boolean: false)` - If set to true, will attempt to make an Azure
|
|
identity object through Azure specific environment variables, in priority order and as specified [in
|
|
Azure documentation][environment-variables]. Will work seamlessly with Azure
|
|
[Workload Identity][workload-identity] and others.
|
|
|
|
~> Note: If `authenticate_from_environment` is set to true, `object_id`, and `client_id` will be ignored
|
|
in favour of that authentication approach.
|
|
|
|
- `scope` `(string: optional)` - The scope to use when obtaining a token. If not supplied, will default to
|
|
the value used for `resource` appended with "`/.default`" appended as a suffix. For more information on
|
|
scopes in Azure, see [this document][scopes].
|
|
|
|
- `resource` `(string: required)` - The resource name to use when getting identity information.
|
|
|
|
- `object_id` `(string: optional)` - The object ID of the user-assigned managed identity to use
|
|
when acquiring an [access token][azure-access-token]. Only one of `object_id` or `client_id`
|
|
may be provided.
|
|
|
|
- `client_id` `(string: optional)` - The client ID of the user-assigned managed identity to use
|
|
when acquiring an [access token][azure-access-token]. Only one of `object_id` or `client_id`
|
|
may be provided.
|
|
|
|
|
|
## Example configuration
|
|
|
|
Example client auto-auth configuration block for an [Azure Workload Identity][workload-identity]:
|
|
|
|
```hcl
|
|
auto_auth {
|
|
method {
|
|
type = "azure"
|
|
config = {
|
|
authenticate_from_environment = true
|
|
role = "dev-role"
|
|
resource = "https://management.azure.com/"
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
|
|
[azure-access-token]: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
|
|
[environment-variables]: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables
|
|
[workload-identity]: https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview
|
|
[scopes]: https://learn.microsoft.com/en-us/azure/active-directory/develop/scopes-oidc
|