secrets/keymgmt: Adds documentation for using Azure Private Link (#13640)

This commit is contained in:
Austin Gebauer 2022-01-13 10:41:05 -08:00 committed by GitHub
parent b5d7b33d00
commit cc1992a167
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 1 deletions


@ -64,7 +64,7 @@ specification.
## Key Rotation
Customer master keys (CMKs) with imported key material are not eligible for
AWS KMS keys with imported key material are not eligible for
[automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
within AWS KMS. As such, key rotations performed by the secrets engine use the
[manual key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
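Review bot: The replacement line reads "AWS KMS keys with imported key material are not eligible for ... within AWS KMS", which repeats "AWS KMS" in one sentence; "KMS keys with imported key material are not eligible for [automatic key rotation] within AWS KMS" keeps the renamed term and reads cleanly. Since this terminology fix is in the AWS KMS page and unrelated to the commit's stated subject (Azure Private Link), it is worth a line in the commit message so the wording change is discoverable in history.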


@ -73,3 +73,35 @@ for each key type supported by GCP Cloud KMS.
| `rsa-2048` | [All purposes](/api-docs/secret/key-management#purpose) |
| `rsa-3072` | [All purposes](/api-docs/secret/key-management#purpose) |
| `rsa-4096` | [All purposes](/api-docs/secret/key-management#purpose) |
## Azure Private Link
The secrets engine can be configured to communicate with Azure Key Vault instances
using [Azure Private Endpoints](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview).
Follow the guide at [Integrate Key Vault with Azure Private Link](https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal)
to set up a Private Endpoint for your target Key Vault instance in Azure. The Private Endpoint must
be network reachable by Vault. This means Vault needs to be running in the same virtual network or
a peered virtual network to properly resolve the Key Vault domain name to the Private Endpoint IP
address.
The Private Endpoint configuration relies on a correct [Azure Private DNS](https://docs.microsoft.com/en-us/azure/dns/private-dns-overview)
integration. From the host that Vault is running on, follow the steps in
[Validate that the private link connection works](https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal#validate-that-the-private-link-connection-works)
to ensure that the Key Vault domain name resolves to the Private Endpoint IP address you've configured.
```
$ nslookup <keyvault-name>.vault.azure.net
Non-authoritative answer:
Name:
Address: 10.0.2.5 (private IP address)
Aliases: <keyvault-name>.vault.azure.net
<keyvault-name>.privatelink.vaultcore.azure.net
```
The secrets engine doesn't require special configuration to communicate with a Key Vault instance
over an Azure Private Endpoint. For example, the given [KMS configuration](/docs/secrets/key-management/azurekeyvault#configuration)
will result in the secrets engine resolving a Key Vault domain name of `keyvault-name.vault.azure.net`
to the Private Endpoint IP address. Note that it's possible to change the Key Vault DNS suffix using the
[environment](/api-docs/secret/key-management/azurekeyvault#environment)
configuration parameter or `AZURE_ENVIRONMENT` environment variable.
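Review bot: The `nslookup` sample in this hunk has an empty `Name:` line, which reads as a broken snippet rather than abbreviated output; either show the resolved `<keyvault-name>.privatelink.vaultcore.azure.net` name on that line or state that the output is trimmed. The paragraph before it gives only the success case (domain resolves to the Private Endpoint IP); a sentence telling the reader that resolution to a public IP means the Private DNS zone is not linked to the virtual network Vault runs in would make the validation step actionable. Minor: the fence on the `nslookup` block carries no language tag (`shell-session` or `text` would match the prompt-style output), and "Note that it's possible to change the Key Vault DNS suffix" is clearer as "The Key Vault DNS suffix can be changed with the `environment` parameter or the `AZURE_ENVIRONMENT` environment variable".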