Vault
Azure auth method
The azure
auth method allows authentication against Vault using
Azure Active Directory credentials. It treats Azure as a Trusted Third Party
and expects a JSON Web Token (JWT)
signed by Azure Active Directory for the configured tenant.
This method supports authentication for system-assigned and user-assigned managed identities. See Managed identities for Azure resources for more information about these resources.
This documentation assumes the Azure method is mounted at the /auth/azure
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
Prerequisites:
The Azure auth method requires client credentials to access Azure APIs. The following are required to configure the auth method:
- A configured Azure AD application which is used as the resource for generating MSI access tokens.
- Client credentials (shared secret) with read access to particular Azure Resource Manager resources. See Azure AD Service to Service Client Credentials.
If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. A managed identity must be enabled on the resource that acquires the access token.
The following Azure role assignments must be granted to the Azure AD application in order for the auth method to access Azure APIs during authentication.
Role assignments
Note: The role assignments are only required when the
vm_name
, vmss_name
,
or resource_id
parameters are used on login.
Azure Environment | Login Parameter | Azure API Permission |
---|---|---|
Virtual Machine | vm_name | Microsoft.Compute/virtualMachines/*/read |
Virtual Machine Scale Set (Uniform Orchestration) | vmss_name | Microsoft.Compute/virtualMachineScaleSets/*/read |
Virtual Machine Scale Set (Flexible Orchestration) | vmss_name | Microsoft.Compute/virtualMachineScaleSets/*/read Microsoft.ManagedIdentity/userAssignedIdentities/*/read |
Services that (support managed identities) for Azure resources | resource_id | read on the resource used to obtain the JWT |
API permissions
The following API permissions must be assigned to the service principal provided to Vault for managing the root rotation in Azure:
Permission Name | Type |
---|---|
Application.ReadWrite.All | Application |
Authentication
Via the CLI
The default path is /auth/azure
. If this auth method was enabled at a different
path, specify auth/my-path/login
instead.
$ vault write auth/azure/login \
role="dev-role" \
jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
subscription_id="12345-..." \
resource_group_name="test-group" \
vm_name="test-vm"
The role
and jwt
parameters are required. When using
bound_service_principal_ids
and bound_group_ids
in the token roles, all the
information is required in the JWT (except for vm_name
, vmss_name
, resource_id
). When
using other bound_*
parameters, calls to Azure APIs will be made and
subscription_id
, resource_group_name
, and vm_name
/vmss_name
are all required
and can be obtained through instance metadata.
For example:
$ vault write auth/azure/login role="dev-role" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true | jq -r '.access_token')" \
subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId') \
resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
Via the API
The default endpoint is auth/azure/login
. If this auth method was enabled
at a different path, use that value instead of azure
.
$ curl \
--request POST \
--data '{"role": "dev-role", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
https://127.0.0.1:8200/v1/auth/azure/login
The response will contain the token at auth.client_token
:
{
"auth": {
"client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
"accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
"policies": ["default", "dev", "prod"],
"lease_duration": 2764800,
"renewable": true
}
}
Configuration
Auth methods must be configured in advance before machines can authenticate. These steps are usually completed by an operator or configuration management tool.
Via the CLI
Enable Azure authentication in Vault:
$ vault auth enable azure
Configure the Azure auth method:
$ vault write auth/azure/config \ tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \ resource=https://management.azure.com/ \ client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \ client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
For the complete list of configuration options, please see the API documentation.
In some cases, you cannot set sensitive account credentials in your Vault configuration. For example, your organization may require that all security credentials are short-lived or explicitly tied to a machine identity.
To provide managed identity security credentials to Vault, we recommend using Vault plugin workload identity federation (WIF) as shown below.
Alternatively, configure the audience claim value and the Client, Tenant IDs for plugin workload identity federation:
$ vault write azure/config \ tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \ client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \ identity_token_audience=vault.example/v1/identity/oidc/plugins
The Vault identity token provider signs the plugin identity token JWT internally. If a trust relationship exists between Vault and Azure through WIF, the auth method can exchange the Vault identity token for a federated access token.
To configure a trusted relationship between Vault and Azure:
- You must configure the [identity token issuer backend](/vault/api-docs/secret/identity/tokens#configure-the-identity-tokens-backend) for Vault. - Azure must have a [federated identity credential](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#configure-a-federated-identity-credential-on-an-app) configured with information about the fully qualified and network-reachable issuer URL for the Vault plugin [identity token provider](/vault/api-docs/secret/identity/tokens#read-plugin-identity-well-known-configurations).
Establishing a trusted relationship between Vault and Azure ensures that Azure can fetch JWKS public keys and verify the plugin identity token signature.
Create a role:
$ vault write auth/azure/role/dev-role \ policies="prod,dev" \ bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \ bound_resource_groups=vault
Roles are associated with an authentication type/entity and a set of Vault policies. Roles are configured with constraints specific to the authentication type, as well as overall constraints and configuration for the generated auth tokens.
For the complete list of role options, please see the API documentation.
Via the API
Enable Azure authentication in Vault:
$ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data '{"type": "azure"}' \ https://127.0.0.1:8200/v1/sys/auth/azure
Configure the Azure auth method:
$ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data '{"tenant_id": "...", "resource": "..."}' \ https://127.0.0.1:8200/v1/auth/azure/config
Create a role:
$ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data '{"policies": ["dev", "prod"], ...}' \ https://127.0.0.1:8200/v1/auth/azure/role/dev-role
Azure managed identities
There are two types of managed identities in Azure: System-assigned and User-assigned. System-assigned identities are unique to every virtual machine in Azure. If the resources using Azure auth are recreated frequently, using system-assigned identities could result in many Vault entities being created. For environments with high ephemeral workloads, user-assigned identities are recommended.
Limitations
The TTL of the access token returned by Azure AD for a managed identity is 24hrs and is not configurable. See (limitations of using managed identities) for more info.
Azure debug logs
The Azure auth plugin supports debug logging which includes additional information about requests and responses from the Azure API.
To enable the Azure debug logs, set the following environment variable on the Vault server:
AZURE_SDK_GO_LOGGING=all
Plugin Workload Identity Federation (WIF)
Enterprise
This feature requires Vault Enterprise(opens in new tab).
The Azure auth method supports the plugin WIF workflow, and has a source of identity called a plugin identity token. A plugin identity token is a JWT that is signed internally by Vault's plugin identity token issuer.
If there is a trust relationship configured between Vault and Azure through workload identity federation, the auth method can exchange its identity token for short-lived access tokens needed to perform its actions.
Exchanging identity tokens for access tokens lets the Azure auth method operate without configuring explicit access to sensitive client credentials.
To configure the auth method to use plugin WIF:
Ensure that Vault openid-configuration and public JWKS APIs are network-reachable by Azure. We recommend using an API proxy or gateway if you need to limit Vault API exposure.
Configure a federated identity credential on a dedicated application registration in Azure to establish a trust relationship with Vault.
- The issuer URL must point at your Vault plugin identity token issuer with the
/.well-known/openid-configuration
suffix removed. For example:https://host:port/v1/identity/oidc/plugins
. - The subject identifier must match the unique
sub
claim issued by plugin identity tokens. The subject identifier should have the formplugin-identity:<NAMESPACE>:auth:<AZURE_MOUNT_ACCESSOR>
. - The audience should be under 600 characters. The default value in Azure is
api://AzureADTokenExchange
.
- The issuer URL must point at your Vault plugin identity token issuer with the
Configure the Azure auth method with the client and tenant IDs and the OIDC audience value.
$ vault write azure/config \ tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \ client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \ identity_token_audience=vault.example/v1/identity/oidc/plugins
Your auth method can now use plugin WIF for its configuration credentials. By default, WIF credentials have a time-to-live of 1 hour and automatically refresh when they expire.
Please see the API documentation for more details on the fields associated with plugin WIF.
API
The Azure Auth Plugin has a full HTTP API. Please see the API documentation for more details.
Code example
The following example demonstrates the Azure auth method to authenticate with Vault.
package main
import (
"context"
"fmt"
vault "github.com/hashicorp/vault/api"
auth "github.com/hashicorp/vault/api/auth/azure"
)
// Fetches a key-value secret (kv-v2) after authenticating to Vault via Azure authentication.
// This example assumes you have a configured Azure AD Application.
func getSecretWithAzureAuth() (string, error) {
config := vault.DefaultConfig() // modify for more granular configuration
client, err := vault.NewClient(config)
if err != nil {
return "", fmt.Errorf("unable to initialize Vault client: %w", err)
}
azureAuth, err := auth.NewAzureAuth(
"dev-role-azure",
)
if err != nil {
return "", fmt.Errorf("unable to initialize Azure auth method: %w", err)
}
authInfo, err := client.Auth().Login(context.Background(), azureAuth)
if err != nil {
return "", fmt.Errorf("unable to login to Azure auth method: %w", err)
}
if authInfo == nil {
return "", fmt.Errorf("no auth info was returned after login")
}
// get secret from the default mount path for KV v2 in dev mode, "secret"
secret, err := client.KVv2("secret").Get(context.Background(), "creds")
if err != nil {
return "", fmt.Errorf("unable to read secret: %w", err)
}
// data map can contain more than one key-value pair,
// in this case we're just grabbing one of them
value, ok := secret.Data["password"].(string)
if !ok {
return "", fmt.Errorf("value type assertion failed: %T %#v", secret.Data["password"], secret.Data["password"])
}
return value, nil
}