add docs for Azure auth resource_group_name, vm_name, vmss_name security improvement (#29969)

Thy Ton 2025-03-26 10:50:42 -07:00 committed by GitHub
parent 75e6c11f8e
commit 0d8e67abac
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -21,7 +21,31 @@ This documentation assumes the Azure method is mounted at the `/auth/azure`
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## Prerequisites:
## Token validation ((#token-validation))
Vault validates the resource group (`resource_group_name`), VM name (`vm_name`)
and VM scale set name (`vmss_name`) parameters against token claims. Depending
on the identities attached to the machine generating the MSI token, the
associated claims must include at least one of the following claims
to pass validation: "xms_mirid" or "xms_az_rid".
System-assigned management identity | "xms_mirid" | "xms_az_rid"
----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------| ---------------
Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist
Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`
See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and
[Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens.
When Vault evaluates the token claims, it checks the validation parameter values
against the claim parameters:
- `{resource-group-name}` must match `resource_group_name`.
- `{virtual-machine-name}` must match `vm_name` or `{vmss_name}_{instance-id}` if `vmss_name` is provided.
If either check fails, the login also fails.
## Prerequisites
The Azure auth method requires client credentials to access Azure APIs. The following
are required to configure the auth method:
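Review bot: the table header "System-assigned management identity" should read "System-assigned managed identity", which is Azure's term and the one the rest of the page uses; the "Enabled" / "Not enabled" rows then read naturally against it. Two smaller points in the same hunk: the sentence "the associated claims must include at least one of the following claims to pass validation" is circular, so consider "the token must include at least one of the following claims", and since the "Not enabled" row carries a value in both columns it is worth saying which claim Vault compares when both are present. In the match rule, `{vmss_name}_{instance-id}` mixes a Vault parameter name with a claim placeholder; writing it as `{vmss-name}_{instance-id}`, where `{vmss-name}` is the configured `vmss_name`, makes clear that the concatenation is matched against the claim's `{virtual-machine-name}` segment. Finally, "If either check fails, the login also fails" only covers the two value comparisons; state what happens when neither `xms_mirid` nor `xms_az_rid` is present in the token.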