Vaultx.Auth.Azure (Vaultx v0.7.0)


Azure authentication method for HashiCorp Vault.

This module implements the Azure authentication method for Vault, supporting Azure Managed Service Identity (MSI) and Service Principal credentials. It covers Azure Virtual Machines, Virtual Machine Scale Sets and other Azure resources that can obtain an Azure-issued JWT for their identity.

Azure Authentication Types

Managed Service Identity (MSI)

  • Virtual Machine Authentication: identifies the VM by subscription, resource group and VM name taken from Azure instance metadata
  • Virtual Machine Scale Set: identifies a VMSS instance by its scale set name
  • Resource Identity: identifies any other Azure resource by its full resource ID
  • JWT Tokens: submits the Azure-issued JWT to Vault, which verifies its signature and claims

Service Principal Authentication

  • Client Credentials: Uses client ID and secret
  • Certificate Authentication: X.509 certificate-based auth
  • Federated Identity: Azure AD federated identity support

Advanced Features

  • Multi-Tenant: Works across Azure tenants
  • Auto-Discovery: Automatic Azure metadata detection
  • Security: credentials are checked for completeness and format before submission (validate_credentials/1); the JWT itself is verified by the Vault server
  • Flexibility: Configurable authentication parameters
  • Enterprise: Azure Government and sovereign cloud support

API Compliance

Implements the login parameters of HashiCorp Vault's Azure auth method (role, jwt, subscription_id, resource_group_name, vm_name, vmss_name and resource_id).

Authentication Examples

Virtual Machine Authentication

Azure VMs can authenticate using their managed identity:

{:ok, auth_response} = Vaultx.Auth.Azure.authenticate(%{
  role: "my-vm-role",
  jwt: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  subscription_id: "12345678-1234-1234-1234-123456789012",
  resource_group_name: "my-resource-group",
  vm_name: "my-vm"
})

Virtual Machine Scale Set Authentication

{:ok, auth_response} = Vaultx.Auth.Azure.authenticate(%{
  role: "my-vmss-role",
  jwt: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  subscription_id: "12345678-1234-1234-1234-123456789012",
  resource_group_name: "my-resource-group",
  vmss_name: "my-vmss"
})

Resource ID Authentication

{:ok, auth_response} = Vaultx.Auth.Azure.authenticate(%{
  role: "my-resource-role",
  jwt: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  subscription_id: "12345678-1234-1234-1234-123456789012",
  resource_group_name: "my-resource-group",
  resource_id: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm"
})
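The examples above take the JWT and the resource identifiers as given. On an Azure VM or VMSS instance both come from the Azure Instance Metadata Service (IMDS). The following is an added example, not Vaultx's own code and not taken from this page: it fetches a managed-identity token and the instance document from IMDS, maps the `compute` fields to the login parameters shown above (choosing `vmss_name` when the instance belongs to a scale set, `vm_name` otherwise) and passes the result to `Vaultx.Auth.Azure.authenticate/1`. It assumes Jason for JSON decoding, OTP's `:httpc` for the two HTTP requests, and that the `resource` it asks IMDS for is identical to the `resource` configured in Vault; none of those assumptions come from the page.

```elixir
# Added example (not Vaultx's own code): build Vault Azure login credentials
# from IMDS and log in. Assumes Jason and OTP :httpc (not on the page).
defmodule ImdsLogin do
  @imds "http://169.254.169.254"
  # Must be identical to `resource` in `vault write auth/azure/config`,
  # because Vault compares it with the token's `aud` claim.
  @resource "https://management.azure.com/"

  # GET an IMDS path. IMDS requires the `Metadata: true` header and is only
  # reachable from the VM itself, never through a proxy.
  def imds_get(path) do
    {:ok, _} = Application.ensure_all_started(:inets)
    url = String.to_charlist(@imds <> path)
    headers = [{String.to_charlist("Metadata"), String.to_charlist("true")}]
    http_opts = [timeout: 5_000, connect_timeout: 2_000]

    case :httpc.request(:get, {url, headers}, http_opts, body_format: :binary) do
      {:ok, {{_, 200, _}, _resp_headers, body}} -> Jason.decode(body)
      {:ok, {{_, status, _}, _resp_headers, body}} -> {:error, {:imds_status, status, body}}
      {:error, reason} -> {:error, {:imds_unreachable, reason}}
    end
  end

  # Request a token for the VM's managed identity. Pass a client_id to select
  # a user-assigned identity; without it IMDS uses the system-assigned one.
  def fetch_jwt(client_id \\ nil) do
    query =
      URI.encode_query(
        [{"api-version", "2018-02-01"}, {"resource", @resource}] ++
          if(client_id, do: [{"client_id", client_id}], else: [])
      )

    case imds_get("/metadata/identity/oauth2/token?" <> query) do
      {:ok, %{"access_token" => jwt}} when is_binary(jwt) -> {:ok, jwt}
      {:ok, other} -> {:error, {:no_access_token, other}}
      {:error, _} = err -> err
    end
  end

  # Map the `compute` section of the IMDS instance document to the login map.
  # A VMSS instance reports its scale set in `vmScaleSetName`; Vault expects
  # `vmss_name` in that case and `vm_name` (the VM's own name) otherwise.
  def credentials(role, jwt, %{"compute" => compute}) do
    base = %{
      role: role,
      jwt: jwt,
      subscription_id: compute["subscriptionId"],
      resource_group_name: compute["resourceGroupName"]
    }

    case compute["vmScaleSetName"] do
      vmss when is_binary(vmss) and vmss != "" -> Map.put(base, :vmss_name, vmss)
      _ -> Map.put(base, :vm_name, compute["name"])
    end
  end

  # End-to-end login on an Azure VM or VMSS instance.
  def login(role, client_id \\ nil) do
    with {:ok, jwt} <- fetch_jwt(client_id),
         {:ok, instance} <- imds_get("/metadata/instance?api-version=2021-02-01") do
      Vaultx.Auth.Azure.authenticate(credentials(role, jwt, instance))
    end
  end

  # Constructed IMDS instance document (trimmed to the fields used) so that
  # credentials/3 can be exercised without an Azure VM.
  def sample_instance do
    %{
      "compute" => %{
        "subscriptionId" => "12345678-1234-1234-1234-123456789012",
        "resourceGroupName" => "my-resource-group",
        "name" => "my-vmss_0",
        "vmScaleSetName" => "my-vmss"
      }
    }
  end
end

# Offline: builds the VMSS form of the login map from the constructed document.
ImdsLogin.credentials("my-vmss-role", "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...", ImdsLogin.sample_instance())
```

On a real instance `ImdsLogin.login("my-vm-role")` performs the whole exchange. The `resource` string is the one value to get exactly right: Vault checks the token's `aud` claim against the `resource` in its own configuration, so the IMDS request and the Vault config must agree character for character.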

Vault Configuration

Before using this authentication method, configure it in Vault:

# Enable Azure auth method
vault auth enable azure

# Configure Azure credentials. `resource` must be exactly the audience the
# workload requests from IMDS (Vault compares it with the token's `aud` claim);
# the client ID/secret let Vault query the Azure API to verify VM metadata.
vault write auth/azure/config \
  tenant_id="12345678-1234-1234-1234-123456789012" \
  resource="https://management.azure.com/" \
  client_id="87654321-4321-4321-4321-210987654321" \
  client_secret="your-client-secret"

# Create VM role. bound_service_principal_ids takes the principal (object)
# ID of the VM's managed identity; the GUID below is a placeholder.
vault write auth/azure/role/my-vm-role \
  bound_service_principal_ids="12345678-1234-1234-1234-123456789012" \
  bound_resource_groups="my-resource-group" \
  token_policies="my-policy" \
  token_ttl="1h" \
  token_max_ttl="24h"

# Create VMSS role, restricted to one scale set in one resource group
vault write auth/azure/role/my-vmss-role \
  bound_scale_sets="my-vmss" \
  bound_resource_groups="my-resource-group" \
  token_policies="my-policy"

Security Considerations

  • The JWT's signature and claims are verified by the Vault server against Azure's published signing keys; this module only transmits the token
  • Vault cross-checks the submitted subscription, resource group and VM/VMSS/resource identifiers against the Azure API, so they must describe the resource the token was issued to
  • Role bindings (bound_service_principal_ids, bound_resource_groups, bound_scale_sets, ...) enforce resource-level access control; give every role at least one binding
  • Azure Government and sovereign clouds are supported; configure the matching environment and resource on the Vault side
  • Vault rejects tokens outside their exp/nbf window; managed-identity tokens can stay valid for hours, so treat them as secrets and keep token_ttl short
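Because all of these checks run inside Vault, a failed login reports little more than a permission-denied error. The following added example, not part of Vaultx or of this page, decodes the JWT payload without verifying the signature and compares the claims Vault will check (`aud` against `resource`, `tid` against `tenant_id`, `oid` against `bound_service_principal_ids`, `exp` against the clock) with the values from the `vault write` commands above, so that a mismatch can be spotted before the request is sent. It assumes Jason for JSON and passes the Vault-side values in as a map; the unsigned sample token is constructed inline and is not an Azure-issued token. Signature, issuer and Azure-API verification remain the Vault server's job.

```elixir
# Added example (not Vaultx's own code): client-side pre-flight of a
# managed-identity JWT against the Vault config and role bindings.
# Assumes Jason (not on the page). No signature verification is done here.
defmodule AzureJwtPreflight do
  # Decode the payload segment of a compact JWT (base64url, no padding).
  def claims(jwt) when is_binary(jwt) do
    with [_header, payload, _signature] <- String.split(jwt, "."),
         {:ok, json} <- Base.url_decode64(payload, padding: false),
         {:ok, claims} when is_map(claims) <- Jason.decode(json) do
      {:ok, claims}
    else
      _ -> {:error, :malformed_jwt}
    end
  end

  # Compare claims with what Vault will check. Returns [] when nothing is
  # obviously wrong, otherwise a list of {claim, got, wanted} tuples.
  #   aud - must equal `resource` in auth/azure/config
  #   tid - must equal `tenant_id` in auth/azure/config
  #   oid - the identity's principal (object) ID, matched against
  #         bound_service_principal_ids on the role
  #   exp - Vault rejects expired tokens
  def problems(claims, expected, now \\ System.os_time(:second)) do
    checks = [
      {"aud", claims["aud"] == expected.resource, expected.resource},
      {"tid", claims["tid"] == expected.tenant_id, expected.tenant_id},
      {"oid", claims["oid"] in expected.bound_service_principal_ids,
       expected.bound_service_principal_ids},
      {"exp", is_integer(claims["exp"]) and claims["exp"] > now, "a time after #{now}"}
    ]

    for {claim, ok?, wanted} <- checks, not ok?, do: {claim, claims[claim], wanted}
  end

  # Constructed, unsigned token for offline use. A real IMDS token is signed
  # by Azure; this one only exists to exercise claims/1 and problems/3.
  def sample_jwt(overrides \\ %{}) do
    payload =
      Map.merge(
        %{
          "aud" => "https://management.azure.com/",
          "tid" => "12345678-1234-1234-1234-123456789012",
          "oid" => "12345678-1234-1234-1234-123456789012",
          "exp" => System.os_time(:second) + 3600
        },
        overrides
      )

    segment = fn map -> Base.url_encode64(Jason.encode!(map), padding: false) end
    segment.(%{"alg" => "none", "typ" => "JWT"}) <> "." <> segment.(payload) <> "."
  end

  # Values copied from the `vault write` commands on this page.
  def demo do
    expected = %{
      resource: "https://management.azure.com/",
      tenant_id: "12345678-1234-1234-1234-123456789012",
      bound_service_principal_ids: ["12345678-1234-1234-1234-123456789012"]
    }

    {:ok, good} = claims(sample_jwt())
    {:ok, bad} = claims(sample_jwt(%{"aud" => "https://management.azure.com"}))
    {problems(good, expected), problems(bad, expected)}
  end
end
```

`AzureJwtPreflight.demo/0` returns an empty problem list for the first token and a single `aud` mismatch for the second, which differs from the configured `resource` only by the trailing slash; that is exactly the kind of discrepancy between the IMDS request and the Vault config that is hard to see from Vault's error message alone.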

Summary

Functions

authenticate(credentials, opts \\ []) - Authenticate with Azure using managed identity or service principal.

metadata() - Return metadata about the Azure authentication method.

validate_credentials(credentials) - Validate Azure authentication credentials.

Functions

authenticate(credentials, opts \\ [])

Authenticate with Azure using managed identity or service principal.

This function performs Azure authentication by submitting a JWT obtained from the Azure Instance Metadata Service (IMDS), or from a service principal token request, together with the resource metadata to Vault, which verifies the token and the resource identity before issuing a Vault token.

Parameters

  • credentials - Azure authentication credentials
  • opts - Authentication options

Credential Parameters

Required Parameters

  • role - Name of the Vault role to authenticate against
  • jwt - JWT token from Azure IMDS or service principal

Resource Identification (choose one set)

  • subscription_id + resource_group_name + vm_name - For VM authentication
  • subscription_id + resource_group_name + vmss_name - For VMSS authentication (vmss_name takes precedence if vm_name is also given)
  • subscription_id + resource_group_name + resource_id - For other Azure resources, identified by their full resource ID

Examples

alias Vaultx.Auth.Azure

# VM authentication
credentials = %{
  role: "my-vm-role",
  jwt: "eyJhbGciOiJSUzI1NiIs...",
  subscription_id: "12345678-1234-1234-1234-123456789012",
  resource_group_name: "my-rg",
  vm_name: "my-vm"
}
{:ok, auth} = Azure.authenticate(credentials)

# VMSS authentication
credentials = %{
  role: "my-vmss-role",
  jwt: "eyJhbGciOiJSUzI1NiIs...",
  subscription_id: "12345678-1234-1234-1234-123456789012",
  resource_group_name: "my-rg",
  vmss_name: "my-vmss"
}
{:ok, auth} = Azure.authenticate(credentials)

Returns

  • {:ok, auth_response} - Successful authentication with token details
  • {:error, error} - Authentication failure

metadata()

Return metadata about the Azure authentication method.

Provides information about the capabilities and features supported by this authentication method.

Returns

A map containing authentication method metadata including:

  • type - Authentication method type
  • description - Human-readable description
  • supports_refresh - Whether token refresh is supported
  • supports_revocation - Whether token revocation is supported

validate_credentials(credentials)

Validate Azure authentication credentials.

Ensures all required parameters are present and properly formatted for Azure authentication.

Parameters

  • credentials - Azure authentication credentials to validate

Returns

  • :ok - Credentials are valid
  • {:error, error} - Validation failed with details