diff --git a/content/vault/v1.21.x/content/api-docs/secret/azure.mdx b/content/vault/v1.21.x/content/api-docs/secret/azure.mdx index fa583a169..25b88bcb6 100644 --- a/content/vault/v1.21.x/content/api-docs/secret/azure.mdx +++ b/content/vault/v1.21.x/content/api-docs/secret/azure.mdx @@ -46,9 +46,6 @@ plugin workload identity federation (WIF). environment variable. If not specified, Vault will use Azure Public Cloud. - `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format). -- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored - as metadata for the mount. This can be used to store additional information about the - mount for reference purposes. @include 'rotationfields.mdx' 
@@ -465,22 +462,20 @@ Create or update static role definitions used to manage pre-existing as time suffixed strings (`"1h"`) or an integer number of seconds. Leave `ttl` unset or set to `0` to use the default value of 2 years (`17520h`). -- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored - as metadata for the mount. This can be used to store additional information about the - mount for reference purposes. The data stored here is displayed in the response of - `/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field. - When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two - maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name` - taking precedence in the event of key collisions. +- `metadata` (`map[string]string: {}`) - A map of key/value pairs associated with the static role. + These values can be read from both the `/azure/static-roles/:name` and `/azure/static-creds/:name` endpoints. + When credentials are fetched, role metadata is merged with any metadata provided in the request, + and role metadata always takes precedence if keys overlap. - `secret_id` (`string: ""`) - The secret ID of the Azure password credential you want to import. Required if you provide `client_secret` or `expiration`. - `client_secret` (`string: ""`) - The plaintext secret value of the credential you want to import. If unset, you must rotate the imported credential before you can use it with Vault. - `expiration` (`string: ""`) - A future expiration time for the imported credential, in RFC3339 format. -- `skip_import_rotation` (`bool: false`) – If set to true, Vault stores the - imported credential values without automatically rotating them. You cannot - read the imported credentials until you manually rotate them. 
+- `skip_import_rotation` (`bool`, `false`) - Determines whether Vault should generate credentials + automatically when the role is created. If set to `true`, Vault will not create the initial credentials + on role creation — you can later generate them by rotating (manually by `rotate-role`) or importing. + If omitted or `false`, Vault automatically provisions the first set of credentials when the role is created. ### Sample payload @@ -600,13 +595,11 @@ Generate credentials associated with the named static role. ### Path parameters - `name` `(string: )` – Name of the static role to get credentials for. -- `metadata` (`map[string]any: {}`) - A map of string to string key/value pairs that will be stored - as metadata for the mount. This can be used to store additional information about the - mount for reference purposes. The data stored here is displayed in the response of - `/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field. - When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two - maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name` - taking precedence in the event of key collisions. +- `metadata` (`map: {}`) - Key/value pairs attached to the credential request. + These values are merged with the role’s stored metadata, with role metadata taking + precedence when keys overlap. Format is a key and value separated by an `=` (e.g. `key=value`). + Note: when using the CLI multiple tags can be specified in the role configuration by adding + another `metadata` assignment in the same command. ### Sample request diff --git a/content/vault/v1.21.x/content/docs/secrets/azure.mdx b/content/vault/v1.21.x/content/docs/secrets/azure.mdx index 2c2f300ae..85c4e1af1 100644 --- a/content/vault/v1.21.x/content/docs/secrets/azure.mdx +++ b/content/vault/v1.21.x/content/docs/secrets/azure.mdx 
@@ -490,9 +490,9 @@ lifecycle controls. You can import credentials in the following ways: -- Metadata import - Provide the `secret_id` and an optional `expiration` for the - credential. Vault records the metadata but blocks reads until you explicitly - rotate the role to generate a valid secret. +- Metadata import - Provide the `secret_id`, `skip_import_rotation=true`, + and an optional `expiration` for the credential. Vault records the metadata + but blocks reads until you explicitly rotate the role to generate a valid secret. - Full import - Provide the `secret_id`, `client_secret`, and an optional `expiration`. You can use the imported credential immediately in Vault. - Rotate on import - Provide the `secret_id` and leave `skip_import_rotation`
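Review bot: In the `@@ -465,22 +462,20 @@` hunk of `api-docs/secret/azure.mdx`, the rewritten `skip_import_rotation` entry no longer says whether the credential can be read before rotation. The removed text stated "You cannot read the imported credentials until you manually rotate them", and the `docs/secrets/azure.mdx` change in this same patch still says Vault "blocks reads until you explicitly rotate the role". Please keep one sentence on read behaviour here so the two pages agree. The closing "or importing" is also unclear on a parameter that itself governs import, and "manually by `rotate-role`" would read better as "by calling `rotate-role`". On style, the type is written as (`bool`, `false`) while the neighbouring entries use the (`string: ""`) form, so (`bool: false`) would match.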
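Review bot: In the `@@ -600,13 +595,11 @@` hunk, the new `metadata` entry for the static-creds endpoint ends with "multiple tags can be specified in the role configuration", which conflicts with its own first sentence: the parameter is named `metadata`, not tags, and the entry describes values "attached to the credential request", not the role. Suggest "multiple metadata pairs can be specified by adding another `metadata` assignment in the same command". The type `map: {}` drops the key and value types that the static-roles entry keeps as `map[string]string: {}`; if values are strings here too, say so. The entry also sits under `### Path parameters` although it is not part of the `/azure/static-creds/:name` path, so a separate parameters heading would be clearer.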
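Review bot: In the `@@ -490,9 +490,9 @@` hunk of `docs/secrets/azure.mdx`, the "Metadata import" bullet now names `skip_import_rotation=true` explicitly, but the "Full import" bullet that follows still lists only `secret_id`, `client_secret` and `expiration`. Since the "Rotate on import" bullet is defined by what is done with `skip_import_rotation`, a reader cannot tell from "Full import" whether the imported secret is kept or rotated when the flag is left at its default. Please state the expected `skip_import_rotation` value in all three bullets so the import modes are distinguishable.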