33 changes: 13 additions & 20 deletions content/vault/v1.21.x/content/api-docs/secret/azure.mdx
Expand Up @@ -46,9 +46,6 @@ plugin workload identity federation (WIF).
environment variable. If not specified, Vault will use Azure Public Cloud.
- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored
as metadata for the mount. This can be used to store additional information about the
mount for reference purposes.

@include 'rotationfields.mdx'

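Review bot: The mount-level `metadata` bullet is deleted from the configuration parameters with no replacement text, so a reader cannot tell whether the config endpoint stopped accepting the field or never did. If the endpoint still accepts `metadata`, this leaves an accepted parameter undocumented; say which in the PR description, or keep the bullet.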
Expand Down Expand Up @@ -465,22 +462,20 @@ Create or update static role definitions used to manage pre-existing
as time suffixed strings (`"1h"`) or an integer number of
seconds. Leave `ttl` unset or set to `0` to use the default value
of 2 years (`17520h`).
- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored
as metadata for the mount. This can be used to store additional information about the
mount for reference purposes. The data stored here is displayed in the response of
`/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field.
When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two
maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name`
taking precedence in the event of key collisions.
- `metadata` (`map[string]string: {}`) - A map of key/value pairs associated with the static role.
These values can be read from both the `/azure/static-roles/:name` and `/azure/static-creds/:name` endpoints.
When credentials are fetched, role metadata is merged with any metadata provided in the request,
and role metadata always takes precedence if keys overlap.
- `secret_id` (`string: ""`) - The secret ID of the Azure password credential you want to import.
Required if you provide `client_secret` or `expiration`.
- `client_secret` (`string: ""`) - The plaintext secret value of the credential you want to import.
If unset, you must rotate the imported credential before you can use it with Vault.
- `expiration` (`string: ""`) - A future expiration time for the imported
credential, in RFC3339 format.
- `skip_import_rotation` (`bool: false`) – If set to true, Vault stores the
imported credential values without automatically rotating them. You cannot
read the imported credentials until you manually rotate them.
- `skip_import_rotation` (`bool`, `false`) - Determines whether Vault should generate credentials
automatically when the role is created. If set to `true`, Vault will not create the initial credentials
on role creation — you can later generate them by rotating (manually by `rotate-role`) or importing.
If omitted or `false`, Vault automatically provisions the first set of credentials when the role is created.

### Sample payload

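Review bot: The rewritten `skip_import_rotation` bullet drops the statement that imported credentials cannot be read until the role is rotated, which the removed text stated and which the Metadata import bullet in docs/secrets/azure.mdx still relies on ("blocks reads until you explicitly rotate the role"). That read restriction is the behaviour callers need to know about, so keep a sentence such as "You cannot read the credentials until you rotate the role." The new wording also covers only role creation and no longer says what happens to an imported `client_secret` when the flag is omitted or `false`. Finally, the type is written as (`bool`, `false`) while the neighbouring bullets use the (`type: default`) form, so (`bool: false`) would match the rest of the list.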
Expand Down Expand Up @@ -600,13 +595,11 @@ Generate credentials associated with the named static role.
### Path parameters

- `name` `(string: <required>)` – Name of the static role to get credentials for.
- `metadata` (`map[string]any: {}`) - A map of string to string key/value pairs that will be stored
as metadata for the mount. This can be used to store additional information about the
mount for reference purposes. The data stored here is displayed in the response of
`/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field.
When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two
maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name`
taking precedence in the event of key collisions.
- `metadata` (`map: {}`) - Key/value pairs attached to the credential request.
These values are merged with the role’s stored metadata, with role metadata taking
precedence when keys overlap. Format is a key and value separated by an `=` (e.g. `key=value`).
Note: when using the CLI multiple tags can be specified in the role configuration by adding
another `metadata` assignment in the same command.

### Sample request

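Review bot: The Note sentence in the new `metadata` bullet refers to "multiple tags" and "the role configuration", but this parameter is attached to the credential request on `/azure/static-creds/:name`, so the wording reads as carried over from a different field. Suggest something like "when using the CLI, specify multiple pairs by repeating the `metadata` assignment in the same command". The type also changes from `map[string]any` to a bare `map`, which no longer states the value type, while the role-level bullet documents `map[string]string`. The bullet also still sits under "Path parameters" although it is not part of the path.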
6 changes: 3 additions & 3 deletions content/vault/v1.21.x/content/docs/secrets/azure.mdx
Expand Up @@ -490,9 +490,9 @@ lifecycle controls.

You can import credentials in the following ways:

- Metadata import - Provide the `secret_id` and an optional `expiration` for the
credential. Vault records the metadata but blocks reads until you explicitly
rotate the role to generate a valid secret.
- Metadata import - Provide the `secret_id`, `skip_import_rotation=true`,
and an optional `expiration` for the credential. Vault records the metadata
but blocks reads until you explicitly rotate the role to generate a valid secret.
- Full import - Provide the `secret_id`, `client_secret`, and an optional
`expiration`. You can use the imported credential immediately in Vault.
- Rotate on import - Provide the `secret_id` and leave `skip_import_rotation`
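Review bot: With `skip_import_rotation=true` now required for Metadata import, the unchanged Full import bullet is left ambiguous: it lists only `secret_id`, `client_secret` and `expiration` and does not say how `skip_import_rotation` must be set. The API reference change in this PR says Vault provisions credentials on role creation when the flag is omitted or `false`, so state explicitly in the Full import bullet whether the flag has to be `true` for the imported secret to be kept as-is. Minor: `skip_import_rotation=true` is written in key=value form while the other bullets list bare field names.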