| Name | Date | Size | #Lines | LOC |
|------|------|------|--------|-----|
| .. | 03-May-2022 | - | | |
| .circleci/ | 07-Jul-2021 | - | 22 | 18 |
| .github/ | 07-Jul-2021 | - | 109 | 95 |
| cmd/vault-plugin-auth-azure/ | 07-Jul-2021 | - | 29 | 23 |
| scripts/ | 07-Jul-2021 | - | 123 | 74 |
| vendor/ | 03-May-2022 | - | 464,785 | 369,738 |
| .gitignore | 07-Jul-2021 | 371 | 27 | 20 |
| LICENSE | 07-Jul-2021 | 15.5 KiB | 363 | 265 |
| Makefile | 07-Jul-2021 | 1.5 KiB | 56 | 36 |
| README.md | 07-Jul-2021 | 4.4 KiB | 130 | 91 |
| azure.go | 07-Jul-2021 | 6.6 KiB | 245 | 201 |
| azure_test.go | 07-Jul-2021 | 2.2 KiB | 92 | 73 |
| backend.go | 07-Jul-2021 | 1.7 KiB | 100 | 78 |
| backend_test.go | 07-Jul-2021 | 946 | 36 | 31 |
| go.mod | 07-Jul-2021 | 793 | 20 | 17 |
| go.sum | 07-Jul-2021 | 21.2 KiB | 222 | 221 |
| path_config.go | 07-Jul-2021 | 5.1 KiB | 186 | 158 |
| path_config_test.go | 07-Jul-2021 | 1.9 KiB | 89 | 74 |
| path_login.go | 07-Jul-2021 | 10 KiB | 345 | 279 |
| path_login_test.go | 07-Jul-2021 | 13.7 KiB | 513 | 432 |
| path_role.go | 07-Jul-2021 | 12.3 KiB | 389 | 310 |
| path_role_test.go | 07-Jul-2021 | 507 | 26 | 22 |
| util.go | 07-Jul-2021 | 1.6 KiB | 69 | 48 |
| util_test.go | 07-Jul-2021 | 1.8 KiB | 83 | 67 |

README.md

# Vault Plugin: Azure Auth Backend [![Build Status](https://travis-ci.org/hashicorp/vault-plugin-auth-azure.svg?branch=master)](https://travis-ci.org/hashicorp/vault-plugin-auth-azure)

This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).
This plugin allows for Azure Managed Service Identities to authenticate with Vault.

**Please note**: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).

## Quick Links

- Vault Website: https://www.vaultproject.io
- Azure Auth Docs: https://www.vaultproject.io/docs/auth/azure.html
- Main Project Github: https://www.github.com/hashicorp/vault

## Getting Started

This is a [Vault plugin](https://www.vaultproject.io/docs/internals/plugins.html)
and is meant to work with Vault. This guide assumes you have already installed Vault
and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html).

To learn specifically about how plugins work, see documentation on [Vault plugins](https://www.vaultproject.io/docs/internals/plugins.html).

## Security Model

The current authentication model requires providing Vault with a token generated using Azure's Managed Service Identity, which can be used to make authenticated calls to Azure. This token should not typically be shared, but in order for Azure to be treated as a trusted third party, Vault must validate something that Azure has cryptographically signed and that conveys the identity of the token holder.

## Usage

Please see [documentation for the plugin](https://www.vaultproject.io/docs/auth/azure.html)
on the Vault website.

This plugin is currently built into Vault and by default is accessed
at `auth/azure`. To enable this in a running Vault server:

```sh
$ vault auth enable azure
Successfully enabled 'azure' at 'azure'!
```

To see all the supported paths, see the [Azure auth backend docs](https://www.vaultproject.io/docs/auth/azure.html).

## Developing

If you wish to work on this plugin, you'll first need
[Go](https://www.golang.org) installed on your machine.

For local development, first make sure Go is properly installed, including
setting up a [GOPATH](https://golang.org/doc/code.html#GOPATH).
Next, clone this repository into
`$GOPATH/src/github.com/hashicorp/vault-plugin-auth-azure`.
You can then download any required build tools by bootstrapping your
environment:

```sh
$ make bootstrap
```

To compile a development version of this plugin, run `make` or `make dev`.
This will put the plugin binary in the `bin` and `$GOPATH/bin` folders. `dev`
mode will only generate the binary for your platform and is faster:

```sh
$ make
$ make dev
```

Put the plugin binary into a location of your choice. This directory
will be specified as the [`plugin_directory`](https://www.vaultproject.io/docs/configuration/index.html#plugin_directory)
in the Vault config used to start the server.

```hcl
...
plugin_directory = "path/to/plugin/directory"
...
```

Start a Vault server with this config file:

```sh
$ vault server -config=path/to/config.json ...
...
```

Once the server is started, register the plugin in the Vault server's [plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog):

```sh
$ vault write sys/plugins/catalog/azure \
        sha_256=<expected SHA256 Hex value of the plugin binary> \
        command="vault-plugin-auth-azure"
...
Success! Data written to: sys/plugins/catalog/azure
```

Note that you should generate a new SHA-256 checksum if you have made changes
to the plugin. Example using openssl:

```sh
$ openssl dgst -sha256 "$GOPATH/bin/vault-plugin-auth-azure"
...
SHA256(.../go/bin/vault-plugin-auth-azure)= 896c13c0f5305daed381952a128322e02bc28a57d0c862a78cbc2ea66e8c6fa1
```

Enable the auth plugin backend using the Azure auth plugin:

```sh
$ vault auth enable -plugin-name='azure' plugin
...

Successfully enabled 'plugin' at 'azure'!
```
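
A pre-registration check for the catalog step above, as an added example that is not part of this README or the plugin's code: it compares the binary in the plugin directory against a digest recorded at build time and only then prints the `vault write` command. The helper names `plugin_sha256`, `verify_plugin` and `catalog_command` are hypothetical.

```shell
#!/bin/sh
# Added example: verify a plugin binary against a pinned SHA-256 before
# registering it in the catalog. Helper names are hypothetical.

# plugin_sha256 FILE: print the lowercase hex SHA-256 of FILE.
plugin_sha256() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        # openssl prints "SHA256(path)= <hex>"; the digest is the last field
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_plugin FILE EXPECTED_HEX
# Returns 0 on match, 1 if FILE is unreadable, 2 if EXPECTED_HEX is not a
# 64-character hex string, 3 if the digests differ.
verify_plugin() {
    actual=$(plugin_sha256 "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 hex chars" >&2; return 2; }
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $1: got $actual" >&2
        return 3
    fi
}

# catalog_command FILE EXPECTED_HEX
# Print the registration command only when the binary matches the pinned digest.
catalog_command() {
    verify_plugin "$1" "$2" || return $?
    printf 'vault write sys/plugins/catalog/azure sha_256=%s command="%s"\n' \
        "$actual" "$(basename "$1")"
}

# Stand-alone use: sh check.sh path/to/plugin/directory/vault-plugin-auth-azure <pinned hex>
if [ "$#" -eq 2 ]; then
    catalog_command "$1" "$2"
fi
```

Record the pinned digest on the build host right after `make`, so a binary altered between build and the plugin directory is caught before it is registered.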

#### Tests

If you are developing this plugin and want to verify it is still
functioning (and you haven't broken anything else), we recommend
running the tests.

To run the tests, invoke `make test`:

```sh
$ make test
```

You can also specify a `TESTARGS` variable to filter tests like so:

```sh
$ make test TESTARGS='--run=TestConfig'
```