Vault
Azure Auth Method
The azure
auth method allows authentication against Vault using
Azure Active Directory credentials. It treats Azure as a Trusted Third Party
and expects a JSON Web Token (JWT)
signed by Azure Active Directory for the configured tenant.
This method supports authentication for system-assigned and user-assigned managed identities. See Azure Managed Service Identity (MSI) for more information about these resources.
System-assigned identities are unique to every virtual machine in Azure. If the virtual machines using Azure auth are recreated frequently, using system-assigned identities could result in a lot of Vault entities. For environments with high ephemeral workloads, user-assigned identities are recommended.
Prerequisites:
The following documentation assumes that the method has been
mounted at auth/azure
.
- A configured Azure AD application which is used as the resource for generating MSI access tokens.
- Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See Azure AD Service to Service Client Credentials
Required Azure API permissions to be granted to Vault user:
NOTE: The above permissions are only required when the associated vm* parameters are used on login. Please see the API doc for more details.
If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. MSI must be enabled on the VMs hosting Vault.
The next sections review how the authN/Z workflows work. If you have already reviewed these sections, here are some quick links to:
- Usage
- API documentation docs.
Authentication
Via the CLI
The default path is /auth/azure
. If this auth method was enabled at a different
path, specify auth/my-path/login
instead.
$ vault write auth/azure/login \
role="dev-role" \
jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
subscription_id="12345-..." \
resource_group_name="test-group" \
vm_name="test-vm"
The role
and jwt
parameters are required. When using bound_service_principal_ids
and bound_group_ids
in the token roles, all the information is required in the JWT (except for vm_name and vmss_name). When using other bound_*
parameters, calls to Azure APIs will be made and subscription id, resource group name, and vm name/vmss_name are all required and can be obtained through instance metadata.
For example:
$ vault write auth/azure/login role="dev-role" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true | jq -r '.access_token')" \
subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId') \
resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
Via the API
The default endpoint is auth/azure/login
. If this auth method was enabled
at a different path, use that value instead of azure
.
$ curl \
--request POST \
--data '{"role": "dev-role", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
https://127.0.0.1:8200/v1/auth/azure/login
The response will contain the token at auth.client_token
:
{
"auth": {
"client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
"accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
"policies": ["default", "dev", "prod"],
"lease_duration": 2764800,
"renewable": true
}
}
Configuration
Auth methods must be configured in advance before machines can authenticate. These steps are usually completed by an operator or configuration management tool.
Via the CLI
Enable Azure authentication in Vault:
$ vault auth enable azure
Configure the Azure auth method:
$ vault write auth/azure/config \ tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \ resource=https://management.azure.com/ \ client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \ client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
For the complete list of configuration options, please see the API documentation.
Create a role:
$ vault write auth/azure/role/dev-role \ policies="prod,dev" \ bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \ bound_resource_groups=vault
Roles are associated with an authentication type/entity and a set of Vault policies. Roles are configured with constraints specific to the authentication type, as well as overall constraints and configuration for the generated auth tokens.
For the complete list of role options, please see the API documentation.
Via the API
Enable Azure authentication in Vault:
$ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data '{"type": "azure"}' \ https://127.0.0.1:8200/v1/sys/auth/azure
Configure the Azure auth method:
$ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data '{"tenant_id": "...", "resource": "..."}' \ https://127.0.0.1:8200/v1/auth/azure/config
Create a role:
$ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data '{"policies": ["dev", "prod"], ...}' \ https://127.0.0.1:8200/v1/auth/azure/role/dev-role
Plugin Setup
The following section is only relevant if you decide to enable the azure auth method as an external plugin. The azure plugin method is integrated into Vault as a builtin method by default.
Assuming you have saved the binary vault-plugin-auth-azure
to some folder and
configured the plugin directory
for your server at path/to/plugins
:
Enable the plugin in the catalog:
$ vault write sys/plugins/catalog/auth/azure-auth \ command="vault-plugin-auth-azure" \ sha256="..."
Enable the azure auth method as a plugin:
$ vault auth enable -path=azure azure-auth
Azure Debug Logs
The Azure auth plugin supports debug logging which includes additional information about requests and responses from the Azure API.
To enable the Azure debug logs, set the following environment variable on the Vault server:
AZURE_GO_SDK_LOG_LEVEL=DEBUG
API
The Azure Auth Plugin has a full HTTP API. Please see the API documentation for more details.
Code Example
The following example demonstrates the Azure auth method to authenticate with Vault.
package main
import (
"context"
"fmt"
vault "github.com/hashicorp/vault/api"
auth "github.com/hashicorp/vault/api/auth/azure"
)
// Fetches a key-value secret (kv-v2) after authenticating to Vault via Azure authentication.
// This example assumes you have a configured Azure AD Application.
func getSecretWithAzureAuth() (string, error) {
config := vault.DefaultConfig() // modify for more granular configuration
client, err := vault.NewClient(config)
if err != nil {
return "", fmt.Errorf("unable to initialize Vault client: %w", err)
}
azureAuth, err := auth.NewAzureAuth(
"dev-role-azure",
)
if err != nil {
return "", fmt.Errorf("unable to initialize Azure auth method: %w", err)
}
authInfo, err := client.Auth().Login(context.TODO(), azureAuth)
if err != nil {
return "", fmt.Errorf("unable to login to Azure auth method: %w", err)
}
if authInfo == nil {
return "", fmt.Errorf("no auth info was returned after login")
}
// get secret
secret, err := client.Logical().Read("kv-v2/data/creds")
if err != nil {
return "", fmt.Errorf("unable to read secret: %w", err)
}
data, ok := secret.Data["data"].(map[string]interface{})
if !ok {
return "", fmt.Errorf("data type assertion failed: %T %#v", secret.Data["data"], secret.Data["data"])
}
// data map can contain more than one key-value pair,
// in this case we're just grabbing one of them
key := "password"
value, ok := data[key].(string)
if !ok {
return "", fmt.Errorf("value type assertion failed: %T %#v", data[key], data[key])
}
return value, nil
}