Azure Key Vault Secrets Backend for Acct

Azure Key Vault Backend for Acct


Get secrets from Azure Key Vault.

Example:

acct-backend:
    azurerm_keyvault:
        designator: "acct-provider-"
        vault_url: "https://myvault.vault.azure.net"
        client_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        secret: "X2KRwdcdsQn9mwjdt0EbxsQR3w5TuBOR"
        subscription_id: "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
        tenant: "cccccccc-cccc-cccc-cccc-cccccccccccc"

To use this backend, configure the backend YAML as shown above with credentials that can access the Key Vault at the given vault_url. A username and password or a Managed Service Identity can be used in lieu of the service principal credentials shown in the example. Whichever identity is used needs the secrets/list and secrets/get permissions on the vault in order to retrieve the credentials.

Credentials stored in the Key Vault will need to be named in a prescribed way in order to be properly retrieved and used for acct:

{designator}{provider}-{profile}-{parameter}

So, an example of secret names stored in Key Vault to be used for idem-azurerm would be:

acct-provider-azurerm-default-client-id
acct-provider-azurerm-default-secret
acct-provider-azurerm-default-subscription-id
acct-provider-azurerm-default-tenant

This backend will only retrieve the latest version of a given secret, and the secret’s value will only be retrieved from the vault if the naming matches the expected format. Note that any dashes after the profile field will be converted to underscores. This is due to limitations in secret naming and the fact that Python parameters shouldn’t have dashes.
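The naming scheme and the dash-to-underscore rule above, worked through in code. This is an added example, not the idem-azurerm backend itself: it stands in a constructed secret listing (name, version timestamp, value) for the real Key Vault calls, keeps only the newest version of each secret, skips names outside the scheme, and assembles the same nested dict shape that unlock() returns. The function names and the SAMPLE_VAULT data are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a Key Vault listing; the real backend would pull
# these via the Azure SDK. Each entry is (secret name, version timestamp, value).
SAMPLE_VAULT: List[Tuple[str, int, str]] = [
    ("acct-provider-azurerm-default-client-id", 1, "old-client-id"),
    ("acct-provider-azurerm-default-client-id", 2, "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
    ("acct-provider-azurerm-default-secret", 1, "placeholder-secret"),
    ("acct-provider-azurerm-default-subscription-id", 1, "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"),
    ("acct-provider-azurerm-default-tenant", 1, "cccccccc-cccc-cccc-cccc-cccccccccccc"),
    ("acct-provider-azurerm-prod-client-id", 1, "dddddddd-dddd-dddd-dddd-dddddddddddd"),
    ("unrelated-secret", 1, "ignored"),          # wrong designator
    ("acct-provider-azurerm", 1, "too-short"),   # no profile/parameter fields
]


def parse_secret_name(name: str, designator: str = "acct-provider-") -> Optional[Tuple[str, str, str]]:
    """Split '{designator}{provider}-{profile}-{parameter}' into its three parts.

    Returns None when the name does not match the scheme. Dashes after the
    profile field become underscores ('client-id' -> 'client_id') so the
    parameter can be passed as a Python keyword argument.
    """
    if not name.startswith(designator):
        return None
    parts = name[len(designator):].split("-", 2)
    if len(parts) != 3 or not all(parts):
        return None
    provider, profile, parameter = parts
    return provider, profile, parameter.replace("-", "_")


def latest_versions(listing: List[Tuple[str, int, str]]) -> Dict[str, str]:
    """Keep only the newest version of each secret (highest timestamp wins)."""
    newest: Dict[str, Tuple[int, str]] = {}
    for name, created, value in listing:
        if name not in newest or created > newest[name][0]:
            newest[name] = (created, value)
    return {name: value for name, (_, value) in newest.items()}


def build_profiles(listing: List[Tuple[str, int, str]],
                   designator: str = "acct-provider-") -> Dict[str, Dict[str, Dict[str, str]]]:
    """Build {provider: {profile: {parameter: value}}} from a secret listing."""
    profiles: Dict[str, Dict[str, Dict[str, str]]] = {}
    for name, value in latest_versions(listing).items():
        parsed = parse_secret_name(name, designator)
        if parsed is None:
            continue  # names outside the acct scheme are never fetched or used
        provider, profile, parameter = parsed
        profiles.setdefault(provider, {}).setdefault(profile, {})[parameter] = value
    return profiles
```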

idem_azurerm.acct.azurerm_keyvault.unlock(hub, vault_url: str, designator: str = 'acct-provider-', **kwargs) → Dict[str, Dict[str, Dict[str, str]]]

Get secrets from the Azure Key Vault.