The azure auth method allows authentication against Vault using Azure Active Directory credentials. It treats Azure as a Trusted Third Party and expects a JSON Web Token (JWT) signed by Azure Active Directory for the configured tenant.
This method supports authentication for system-assigned and user-assigned managed identities. See Managed identities for Azure resources for more information about these resources.
This documentation assumes the Azure method is mounted at the /auth/azure path in Vault. Since it is possible to enable auth methods at any location, please update your API calls accordingly.
Prerequisites:
The Azure auth method requires client credentials to access Azure APIs. The following are required to configure the auth method:
A configured Azure AD application which is used as the resource for generating MSI access tokens.
If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. A managed identity must be enabled on the resource that acquires the access token.
The following Azure role assignments must be granted to the Azure AD application in order for the auth method to access Azure APIs during authentication.
Role assignments
~> Note: The role assignments are only required when the vm_name, vmss_name, or resource_id parameters are used on login.
Azure Environment | Login Parameter | Azure API Permission
API permissions
The following API permissions must be assigned to the service principal provided to Vault for managing the root rotation in Azure:
Authentication
Via the CLI
The default path is /auth/azure. If this auth method was enabled at a different path, specify auth/my-path/login instead.
The role and jwt parameters are required. When the role uses only bound_service_principal_ids and bound_group_ids, everything Vault needs is present in the JWT claims, so vm_name, vmss_name, and resource_id may be omitted. When any other bound_* parameter is used, Vault calls the Azure APIs to verify the instance, and subscription_id, resource_group_name, and either vm_name or vmss_name are required; all three can be read from the instance metadata service.
Auth methods must be configured in advance before machines can authenticate. These steps are usually completed by an operator or configuration management tool.
Roles are associated with an authentication type/entity and a set of Vault policies. Roles are configured with constraints specific to the authentication type, as well as overall constraints and configuration for the generated auth tokens.
For the complete list of role options, please see the API documentation.
There are two types of managed identities in Azure: system-assigned and user-assigned. A system-assigned identity is unique to each virtual machine, so if the resources using Azure auth are recreated frequently, every replacement VM logs in as a new identity and Vault creates a new entity for it, leaving many entities behind. For environments with many ephemeral workloads, user-assigned identities, which are standalone resources that can be shared by many VMs, are recommended.
Limitations
The TTL of the access token returned by Azure AD for a managed identity is 24 hours and is not configurable. See the Azure documentation on the limitations of using managed identities for more information. This only affects the JWT presented at login; the lifetime of the Vault token issued afterwards is governed by the role's token_ttl and token_max_ttl.
Azure debug logs
The Azure auth plugin supports debug logging which includes additional information about requests and responses from the Azure API.
To enable the Azure debug logs, set the following environment variable on the Vault server:
AZURE_GO_SDK_LOG_LEVEL=DEBUG
API
The Azure Auth Plugin has a full HTTP API. Please see the API documentation for more details.
Code example
The following examples demonstrate authenticating to Vault with the Azure auth method and reading a KV v2 secret, first in Go using the Vault client library's Azure auth helper, then in C# using VaultSharp. Both assume a configured Azure AD application and a role named dev-role-azure (the C# version reads the role name from VAULT_ROLE).
```go
package main

import (
	"context"
	"fmt"

	vault "github.com/hashicorp/vault/api"
	auth "github.com/hashicorp/vault/api/auth/azure"
)

// Fetches a key-value secret (kv-v2) after authenticating to Vault via Azure authentication.
// This example assumes you have a configured Azure AD Application.
func getSecretWithAzureAuth() (string, error) {
	config := vault.DefaultConfig() // modify for more granular configuration

	client, err := vault.NewClient(config)
	if err != nil {
		return "", fmt.Errorf("unable to initialize Vault client: %w", err)
	}

	// The helper obtains the JWT and instance metadata from the Azure Instance
	// Metadata Service itself. Pass auth.WithResource(...) or auth.WithMountPath(...)
	// as additional arguments when the mount's resource or path differs from the defaults.
	azureAuth, err := auth.NewAzureAuth(
		"dev-role-azure",
	)
	if err != nil {
		return "", fmt.Errorf("unable to initialize Azure auth method: %w", err)
	}

	authInfo, err := client.Auth().Login(context.Background(), azureAuth)
	if err != nil {
		return "", fmt.Errorf("unable to login to Azure auth method: %w", err)
	}
	if authInfo == nil {
		return "", fmt.Errorf("no auth info was returned after login")
	}

	// get secret from the default mount path for KV v2 in dev mode, "secret"
	secret, err := client.KVv2("secret").Get(context.Background(), "creds")
	if err != nil {
		return "", fmt.Errorf("unable to read secret: %w", err)
	}

	// data map can contain more than one key-value pair,
	// in this case we're just grabbing one of them
	value, ok := secret.Data["password"].(string)
	if !ok {
		return "", fmt.Errorf("value type assertion failed: %T %#v", secret.Data["password"], secret.Data["password"])
	}

	return value, nil
}
```
```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using Newtonsoft.Json;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Azure;
using VaultSharp.V1.Commons;

namespace Examples
{
    public class AzureAuthExample
    {
        public class InstanceMetadata
        {
            public string name { get; set; }
            public string resourceGroupName { get; set; }
            public string subscriptionId { get; set; }
        }

        // Both endpoints are served by the Azure Instance Metadata Service (IMDS),
        // which is only reachable from inside the VM and requires the Metadata header.
        const string MetadataEndPoint = "http://169.254.169.254/metadata/instance?api-version=2017-08-01";
        const string AccessTokenEndPoint = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/";

        /// <summary>
        /// Fetches a key-value secret (kv-v2) after authenticating to Vault via Azure authentication.
        /// This example assumes you have a configured Azure AD Application.
        /// </summary>
        public string GetSecretWithAzureAuth()
        {
            string vaultAddr = Environment.GetEnvironmentVariable("VAULT_ADDR");
            if (String.IsNullOrEmpty(vaultAddr))
            {
                throw new System.ArgumentNullException("Vault Address");
            }

            string roleName = Environment.GetEnvironmentVariable("VAULT_ROLE");
            if (String.IsNullOrEmpty(roleName))
            {
                throw new System.ArgumentNullException("Vault Role Name");
            }

            string jwt = GetJWT();
            InstanceMetadata metadata = GetMetadata();

            // subscriptionId, resourceGroupName and the VM name are the parameters Vault
            // needs when the role's bound_* constraints are checked against the Azure API.
            IAuthMethodInfo authMethod = new AzureAuthMethodInfo(roleName: roleName, jwt: jwt, subscriptionId: metadata.subscriptionId, resourceGroupName: metadata.resourceGroupName, virtualMachineName: metadata.name);
            var vaultClientSettings = new VaultClientSettings(vaultAddr, authMethod);
            IVaultClient vaultClient = new VaultClient(vaultClientSettings);

            // We can retrieve the secret from the VaultClient object
            Secret<SecretData> kv2Secret = null;
            kv2Secret = vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "/creds").Result;

            var password = kv2Secret.Data.Data["password"];
            return password.ToString();
        }

        /// <summary>
        /// Query the Instance Metadata Service for metadata about this Azure VM
        /// </summary>
        private InstanceMetadata GetMetadata()
        {
            HttpWebRequest metadataRequest = (HttpWebRequest)WebRequest.Create(MetadataEndPoint);
            metadataRequest.Headers["Metadata"] = "true";
            metadataRequest.Method = "GET";

            HttpWebResponse metadataResponse = (HttpWebResponse)metadataRequest.GetResponse();
            StreamReader streamResponse = new StreamReader(metadataResponse.GetResponseStream());
            string stringResponse = streamResponse.ReadToEnd();

            // The instance document has "compute" and "network" sections; only "compute" is needed.
            var resultsDict = JsonConvert.DeserializeObject<Dictionary<string, InstanceMetadata>>(stringResponse);
            return resultsDict["compute"];
        }

        /// <summary>
        /// Query the Instance Metadata Service for an access token whose audience is
        /// Azure Resource Manager (the resource configured on the Vault mount)
        /// </summary>
        private string GetJWT()
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(AccessTokenEndPoint);
            request.Headers["Metadata"] = "true";
            request.Method = "GET";

            HttpWebResponse response = (HttpWebResponse)request.GetResponse();

            // Pipe response Stream to a StreamReader and extract access token
            StreamReader streamResponse = new StreamReader(response.GetResponseStream());
            string stringResponse = streamResponse.ReadToEnd();
            var resultsDict = JsonConvert.DeserializeObject<Dictionary<string, string>>(stringResponse);
            return resultsDict["access_token"];
        }
    }
}
```