
Vault - Azure Secrets Engine


# brief


I have recently migrated my Terraform AWS configurations onto using Vault and the AWS secrets engine to create dynamic IAM accounts. I think this is a brilliant way to operate the public cloud: Infrastructure as Code, accessed with dynamic, time-limited credentials.


I am now embarking on setting up similar resources in Azure, and it makes sense to me to start by accessing Azure through the Vault Azure secrets engine from the get-go.


Here is how it went:


# method


I started by following the Hashicorp learning guide here:


https://learn.hashicorp.com/tutorials/vault/azure-secrets?in=vault/secrets-management


This was great; I naturally skipped over some of the Vault sections as I already had a Vault setup to use. Then I came to add a role:

```shell
vault write azure/roles/edu-app ttl=1h azure_roles=-<<EOF
    [
      {
        "role_name": "Contributor",
        "scope": "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/vault-education"
      }
    ]
EOF
```

and received the following response:

```
Error writing data to azure/roles/terraform: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/azure/roles/terraform
Code: 500. Errors:

* 1 error occurred:
        * tenant_id is required
```

The correct command should have been:

```shell
vault write azure/roles/terraform ttl=30m tenant_id=my-tenant-id-from-azure-tenant-properties azure_roles=-<<EOF
    [
      {
        "role_name": "Contributor",
        "scope": "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/vault-access-rg"
      }
    ]
EOF
```

I then get a success message:

```
Success! Data written to: azure/roles/terraform
```

The docs say `tenant_id` is optional; without it, though, the write fails as shown above.


# conclusion


We can now use the Azure secrets engine to generate a `client_id` and `client_secret` to access Azure.
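To tie the role write and the credential generation together, here is an added example (my own wrapper, not code from the HashiCorp guide): it builds the `azure_roles` payload, refuses to call Vault without a `tenant_id` so the 500 above is caught client-side, and then reads one lease from `azure/creds/<role>` and exports it as the `ARM_*` variables the Terraform azurerm provider expects. It assumes the `vault` and `jq` binaries are on `PATH`, `VAULT_ADDR`/`VAULT_TOKEN` are already set, and the subscription, tenant and resource-group values are placeholders.

```shell
#!/bin/sh
# Added example wrapping the vault write / vault read calls from this post.
# Assumes: vault and jq on PATH, VAULT_ADDR and VAULT_TOKEN exported.
# Override VAULT_BIN to point at a different vault binary.

# Build the azure_roles JSON for one built-in role scoped to one resource group.
# Args: role_name subscription_id resource_group
build_azure_roles_json() {
    printf '[{"role_name":"%s","scope":"/subscriptions/%s/resourceGroups/%s"}]\n' \
        "$1" "$2" "$3"
}

# Write the Vault role. tenant_id is documented as optional but the API
# rejects the request without it, so fail fast (exit 2) before calling Vault.
# Args: vault_role ttl tenant_id subscription_id resource_group
write_azure_role() {
    role=$1; ttl=$2; tenant=$3; sub=$4; rg=$5
    if [ -z "$tenant" ]; then
        echo "write_azure_role: tenant_id is required (Vault returns 500 without it)" >&2
        return 2
    fi
    build_azure_roles_json Contributor "$sub" "$rg" |
        "${VAULT_BIN:-vault}" write "azure/roles/$role" \
            ttl="$ttl" tenant_id="$tenant" azure_roles=-
}

# Read ONE dynamic service principal and export it for Terraform.
# A single read is one lease; reading client_id and client_secret with two
# separate -field calls would create two service principals, so parse once.
# Args: vault_role tenant_id subscription_id
terraform_env_from_vault() {
    creds=$("${VAULT_BIN:-vault}" read -format=json "azure/creds/$1") || return 1
    ARM_CLIENT_ID=$(printf '%s' "$creds" | jq -r .data.client_id)
    ARM_CLIENT_SECRET=$(printf '%s' "$creds" | jq -r .data.client_secret)
    ARM_TENANT_ID=$2
    ARM_SUBSCRIPTION_ID=$3
    export ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID
    # Lease id lets you `vault lease revoke` the principal when the run is done.
    printf '%s' "$creds" | jq -r .lease_id
}

# Usage (placeholder values):
#   write_azure_role terraform 30m "$TENANT_ID" "$SUBSCRIPTION_ID" vault-access-rg
#   lease=$(terraform_env_from_vault terraform "$TENANT_ID" "$SUBSCRIPTION_ID")
#   terraform apply && vault lease revoke "$lease"
```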
