backport of commit 7bcae00 (#13587)
This pull request was automerged via backport-assistant
hc-github-team-secure-vault-core authored Jan 6, 2022
1 parent b33678c commit e54dd86
Showing 1 changed file with 31 additions and 6 deletions.
37 changes: 31 additions & 6 deletions website/content/api-docs/secret/azure.mdx
@@ -41,9 +41,34 @@ service principals. Environment variables will override any parameters set in th
Active Directory API which has been [deprecated by Microsoft and will be removed in 2022](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-faq).

If set to true, the user specified via the `client_id` and `client_secret` will need to have the following permissions
under the Microsoft Graph API: `Application.ReadWrite.All`, `Directory.ReadWrite.All`, and `Group.ReadWrite.All`.
under the **Microsoft Graph API**:

| Permission Name | Type |
| ----------------------------- | ----------- |
| Application.Read.All | Application |
| Application.ReadWrite.All | Application |
| Application.ReadWrite.OwnedBy | Application |
| Directory.Read.All | Application |
| Directory.ReadWrite.All | Application |
| Group.Read.All | Application |
| Group.ReadWrite.All | Application |
| GroupMember.Read.All | Application |
| GroupMember.ReadWrite.All | Application |

| Permission Name | Type |
| -------------------------- | --------- |
| Application.Read.All | Delegated |
| Application.ReadWrite.All | Delegated |
| Directory.AccessAsUser.All | Delegated |
| Directory.Read.All | Delegated |
| Directory.ReadWrite.All | Delegated |
| Group.Read.All | Delegated |
| Group.ReadWrite.All | Delegated |
| GroupMember.Read.All | Delegated |
| GroupMember.ReadWrite.All | Delegated |

Aside from the permissions listed above, setting this to true should be transparent to users.

Aside from the permissions listed above, setting this to true should be transparent to users.
- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
rotate-root generates a new client secret. This can be either a number of seconds or a time formatted
duration (ex: 24h, 48d).
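Review bot: the two permission tables that now follow `under the **Microsoft Graph API**:` are dropped in without a sentence saying what separates them or whether every row is required. The first lists Application-type permissions and the second Delegated-type ones, and each contains read-only entries (`Application.Read.All`, `Directory.Read.All`, `Group.Read.All`, `GroupMember.Read.All`) next to the `ReadWrite` variants that already cover them, plus `Application.ReadWrite.OwnedBy` beside `Application.ReadWrite.All`. The removed line named exactly three permissions (`Application.ReadWrite.All`, `Directory.ReadWrite.All`, `Group.ReadWrite.All`); a reader of the new text cannot tell the minimal set from the superset, and granting `Directory.ReadWrite.All` where a narrower permission would do is a least-privilege concern for anyone provisioning the credential. Suggest one lead-in line per table (e.g. "Application permissions (Vault authenticates as the service principal):" and "Delegated permissions (Vault acts on behalf of a signed-in user):") and an explicit statement of which rows are required rather than merely sufficient. Two smaller points in the same hunk: the sentence still says "the user specified via the `client_id` and `client_secret`", although a `client_id`/`client_secret` pair identifies a service principal, the term the hunk's own context line ("service principals.") uses; and the "Aside from the permissions listed above" sentence appears once as a removed and once as an added line with identical visible text, so that part of the change is whitespace only and worth confirming it was intended.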
@@ -172,11 +197,11 @@ This endpoint generates a new client secret for the root account defined in the
value generated will only be known by Vault.

~> Due to the eventual consistency of Microsoft Azure client secret APIs, the plugin
may briefly stop authenticating to Azure as the password propagates through their
datacenters.
may briefly stop authenticating to Azure as the password propagates through their
datacenters.

| Method | Path |
| :----- | :------------------------ |
| Method | Path |
| :----- | :------------------- |
| `POST` | `/azure/rotate-root` |

### Parameters
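Review bot: this hunk only re-indents the `~>` callout and re-aligns the columns of the `| Method | Path |` table; the text is unchanged, which is fine for a backport. Since the callout is being touched anyway, it would help operators to say what "may briefly stop authenticating to Azure" means in practice: that calls the plugin makes to Azure can fail for a short window after `POST /azure/rotate-root` until the new client secret has propagated, so rotation should be scheduled when such a window is acceptable, and that, because the generated value "will only be known by Vault", the operator should not expect to read it back afterwards.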

0 comments on commit e54dd86