aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b24f6dcee8'
${ noResults }
boundary/website/content/docs/configuration/kms/azurekeyvault.mdx

67 lines
2.4 KiB
Raw Blame History

---
layout: docs
page_title: Azure Key Vault - seals - configuration
description: >-
The Azure Key Vault seal configures Boundary to use Azure Key Vault for key management.
---
# `azurekeyvault` KMS
The Azure Key Vault KMS configures Boundary to use Azure Key Vault for key management.
The Azure Key Vault KMS is activated by one of the following:
- The presence of a `seal "azurekeyvault"` block in Boundary's configuration file.
## `azurekeyvault` example
This example shows configuring Azure Key Vault KMS through the Boundary
configuration file by providing all the required values:
```hcl
kms "azurekeyvault" {
purpose = "root"
tenant_id = "46646709-b63e-4747-be42-516edeaf1e14"
client_id = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"
client_secret = "DUJDS3..."
vault_name = "hc-vault"
key_name = "vault_key"
}
```
## `azurekeyvault` parameters
These parameters apply to the `kms` stanza in the Vault configuration file:
- `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`,
`root`, `previous-root`, `recovery`, `bsr`, or `config`.
- `tenant_id` `(string: <required>)`: The tenant id for the Azure Active Directory organization. May
also be specified by the `AZURE_TENANT_ID` environment variable.
- `client_id` `(string: <required or MSI>)`: The client id for credentials to query the Azure APIs.
May also be specified by the `AZURE_CLIENT_ID` environment variable.
- `client_secret` `(string: <required or MSI>)`: The client secret for credentials to query the Azure APIs.
May also be specified by the `AZURE_CLIENT_SECRET` environment variable.
- `environment` `(string: "AZUREPUBLICCLOUD")`: The Azure Cloud environment API endpoints to use. May also
be specified by the `AZURE_ENVIRONMENT` environment variable.
- `vault_name` `(string: <required>)`: The Key Vault vault to use the encryption keys for encryption and
decryption. May also be specified by the `AZUREKEYVAULT_WRAPPER_VAULT_NAME` environment variable.
- `key_name` `(string: <required>)`: The Key Vault key to use for encryption and decryption. May also be specified by the
`AZUREKEYVAULT_WRAPPER_KEY_NAME` environment variable.
## Authentication
Authentication-related values must be provided, either as environment
variables or as configuration parameters.
Azure authentication values:
- `AZURE_TENANT_ID`
- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
- `AZURE_ENVIRONMENT`
Reference in new issue View Git Blame Copy Permalink