Azure Permissions for Integrations with Vault

Avatar
Gabe Knell
  • Updated

Introduction

With the integrations between Vault and Azure, Vault will need certain permissions within Azure. Below are different use cases, along with the necessary permissions used in Azure. Also explained, the reasons for the necessary permissions from Microsoft's documentation.

Vault Integrations with Azure

Azure Storage Backend

The Azure storage backend is used to persist Vault's data in an Azure Storage Container. The storage container must already exist and the provided account credentials must have read and write permissions to the storage container.

Auth Method

For the Azure Auth Method, a configured Azure AD application is used as the resource for generating MSI access tokens.

The client_id string is used for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. This value can also be provided with the AZURE_CLIENT_ID environment variable.

Secrets Engine

The Azure secrets engine dynamically generates Azure service principals along with role and group assignments. Vault roles can be mapped to one or more Azure roles, and optionally group assignments, providing a simple, flexible way to manage the permissions granted to generated service principals. The Azure secrets backend must have sufficient permissions to read Azure role information and manage service principals.

Note: Microsoft is shutting down their Azure Active Directory API and will be retiring it in 2022. If you are currently using this secret engine, you will need to update the credentials to include Microsoft Graph API permissions and specify the use_microsoft_graph_api configuration value as true. The use_microsoft_graph_api parameter indicates whether the secrets engine should use the Microsoft Graph API. If set to false, this will use the Azure Active Directory API which has been deprecated by Microsoft and will be removed in 2022.

When set to true, the user specified via the client_id and client_secret will need to have the following permissions under the Microsoft Graph API:
Permission Name
Type
Application.Read.All
Application
Application.ReadWrite.All
Application
Application.ReadWrite.OwnedBy
Application
Directory.Read.All
Application
Directory.ReadWrite.All
Application
Group.Read.All
Application
Group.ReadWrite.All
Application
GroupMember.Read.All
Application
GroupMember.ReadWrite.All
Application

 

Permission Name
Type
Application.Read.All
Delegated
Application.ReadWrite.All
Delegated
Directory.AccessAsUser.All
Delegated
Directory.Read.All
Delegated
Directory.ReadWrite.All
Delegated
Group.Read.All
Delegated
Group.ReadWrite.All
Delegated
GroupMember.Read.All
Delegated
GroupMember.ReadWrite.All
Delegated
Aside from the permissions listed above, setting this to true should be transparent to users.

As part of the retirement of Azure Active Directory, new service principals can no longer be granted Azure Active Directory permissions using the Azure Portal. To add the necessary API permissions for AAD, the Azure CLI is suggested. The following commands will add the correct privileges to an existing service principal:
APP_ID='<App ID Here>'

az ad app permission add \
    --id ${APP_ID?} \
    --api 00000002-0000-0000-c000-000000000000 \
    --api-permissions \
        1cda74f2-2616-4834-b122-5cb1b07f8a59=Role \
        78c8a3c8-a07e-4b9e-af1b-b5ccab50a175=Role \
        970d6fa6-214a-4a9b-8513-08fad511e2fd=Scope \
        311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope

az ad app permission grant --id ${APP_ID?} --api 00000002-0000-0000-c000-000000000000
Additionally the following IAM roles are required and need to be added to the service principal using the Azure portal: "Owner" role

More information for Migrating from AAD to Microsoft Graph: https://www.vaultproject.io/docs/secrets/azure#migrating-from-aad-to-microsoft-graph

Azure Key Vault

The Key Management secrets engine must be configured with credentials that have sufficient permissions to manage keys in an Azure Key Vault instance. The authentication parameters are described in the [credentials section of the API documentation](https://www.vaultproject.io/api-docs/secret/key-management/azurekeyvault#credentials). The authentication parameters will be set with the following order of precedence:
  1. Environment variables
  2. KMS provider credentials
  3. Managed Service Identity (MSI)
An [Azure Key Vault access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal) determines whether a given service principal, namely an application or user group, can perform certain operations on a Key Vault instance. The service principal associated with the provided credentials must have an access policy on the Key Vault instance with the following minimum key permissions:
  • create
  • delete
  • get
  • import
  • update

Microsoft Graph Permissions

Application resource permissions (Delegated vs Application permissions): https://docs.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions

Applications:


Groups:

 

Related Vault Documentation:
Related Learn Guides:
Auto-unseal using Azure Key Vault (with Terraform): https://learn.hashicorp.com/tutorials/vault/autounseal-azure-keyvault
Azure Active Directory with OIDC Auth Method and External Groups: https://learn.hashicorp.com/tutorials/vault/oidc-auth-azure

Articles in this section

See more

Related articles