Commit
backport of commit 6afdd5a (#13657)
Co-authored-by: Austin Gebauer <[email protected]>
1 parent a52a497 commit 28791fe
Showing 2 changed files with 16 additions and 6 deletions.
18 changes: 14 additions & 4 deletions website/content/api-docs/auth/azure.mdx
Expand Up @@ -29,17 +29,25 @@ virtual machine.
### Parameters

- `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization.
- `resource` `(string: <required>)` - The configured URL for the application registered in Azure Active Directory.
This value can also be provided with the `AZURE_TENANT_ID` environment variable.
- `resource` `(string: <required>)` - The resource URL for the application registered in Azure Active Directory.
The value is expected to match the audience (`aud` claim) of the [JWT](/api-docs/auth/azure#jwt)
provided to the login API. See the [resource](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http)
parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint.
This value can also be provided with the `AZURE_AD_RESOURCE` environment variable.
- `environment` `(string: 'AzurePublicCloud')` - The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.
This value can also be provided with the `AZURE_ENVIRONMENT` environment variable.
- `client_id` `(string: '')` - The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.
This value can also be provided with the `AZURE_CLIENT_ID` environment variable.
- `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs.
This value can also be provided with the `AZURE_CLIENT_SECRET` environment variable.

### Sample Payload

```json
{
"tenant_id": "kd83...",
"resource": "https://vault.hashicorp.com/",
"resource": "https://management.azure.com/",
"client_id": "12ud...",
"client_secret": "DUJDS3..."
}
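Review bot: The new `resource` description says the value must match the JWT `aud` claim but does not say how strict that comparison is; the sample payload and the config example in docs/auth/azure.mdx now use `https://management.azure.com/` with a trailing slash, while the replaced config example used `https://vault.hashicorp.com` without one, so a sentence stating that the configured string is compared as-is against `aud` (trailing slash included) would head off the most likely misconfiguration. The added `AZURE_*` environment variable sentences are a good improvement; consider the same wording for the trailing-slash point so it reads consistently across `tenant_id`, `resource` and the rest.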
Expand Down Expand Up @@ -77,7 +85,7 @@ $ curl \
{
"data":{
"tenant_id": "kd83...",
"resource": "https://vault.hashicorp.com/",
"resource": "https://management.azure.com/",
"client_id": "12ud...",
"client_secret": "DUJDS3..."
},
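Review bot: The config read response still lists `client_secret` with a sample value; if the read endpoint does not actually return the secret (a read endpoint generally should not echo credentials back), this example misleads readers about what is exposed, and since this hunk already touches the block, it is the right place to drop that line or confirm it is accurate.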
Expand Down Expand Up @@ -261,7 +269,9 @@ entity and then authorizes the entity for the given role.

- `role` `(string: <required>)` - Name of the role against which the login is being
attempted.
- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI.
- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
for details on how to acquire a JWT access token through instance metadata.
- `subscription_id` `(string: <required>)` - The subscription ID for the machine that
generated the MSI token. This information can be obtained through instance
metadata.
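Review bot: The expanded `jwt` description links to the Azure docs for acquiring the token but does not tie it back to the configured `resource`; since the `resource` parameter earlier in this file states the configured value must match the token's `aud` claim, add a sentence here saying the token must be requested with `resource` set to that same value (the `management.azure.com` example in docs/auth/azure.mdx shows this), otherwise the login fails on audience validation with no obvious cause.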
4 changes: 2 additions & 2 deletions website/content/docs/auth/azure.mdx
Expand Up @@ -61,7 +61,7 @@ For example:

```shell-session
$ vault write auth/azure/login role="dev-role" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.hashicorp.com%2F' -H Metadata:true | jq -r '.access_token')" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true | jq -r '.access_token')" \
subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId') \
resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
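Review bot: The IMDS token request uses `curl -s` without `--fail`, so if the metadata service returns an error body the `jq -r '.access_token'` expression yields the literal string `null` and `vault write` proceeds with `jwt=null`, producing a confusing login error; consider `curl -sf` (or a note to inspect the token response first) so a failed token request is visible. The encoded `resource=https%3A%2F%2Fmanagement.azure.com%2F` matches the configured value including its trailing slash, which is what the `aud` check needs.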
Expand Down Expand Up @@ -112,7 +112,7 @@ tool.
```text
$ vault write auth/azure/config \
tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \
resource=https://vault.hashicorp.com \
resource=https://management.azure.com/ \
client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \
client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
```
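Review bot: The `resource` value now carries a trailing slash, matching the sample payload and the login example, which is correct given that the audience check compares the configured string to the token's `aud`. Separately, this example passes `client_secret` on the command line, where it lands in shell history and process listings; since the API doc hunk documents the `AZURE_CLIENT_SECRET` environment variable, a short note here that the secret can be supplied that way instead would be a useful addition.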
