diff --git a/content/vault/v1.21.x/content/api-docs/secret/azure.mdx b/content/vault/v1.21.x/content/api-docs/secret/azure.mdx index fa583a169..055d6298f 100644 --- a/content/vault/v1.21.x/content/api-docs/secret/azure.mdx +++ b/content/vault/v1.21.x/content/api-docs/secret/azure.mdx @@ -46,9 +46,6 @@ plugin workload identity federation (WIF). environment variable. If not specified, Vault will use Azure Public Cloud. - `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format). -- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored - as metadata for the mount. This can be used to store additional information about the - mount for reference purposes. @include 'rotationfields.mdx' 
@@ -465,22 +462,22 @@ Create or update static role definitions used to manage pre-existing as time suffixed strings (`"1h"`) or an integer number of seconds. Leave `ttl` unset or set to `0` to use the default value of 2 years (`17520h`). -- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored - as metadata for the mount. This can be used to store additional information about the - mount for reference purposes. The data stored here is displayed in the response of - `/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field. - When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two - maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name` - taking precedence in the event of key collisions. +- `metadata` (`map[string]string: {}`) - A map of key/value pairs associated with the static role. + You can read metadata values from both the `/azure/static-roles/:name` and `/azure/static-creds/:name` + endpoints. When credentials are fetched, role metadata is merged with any metadata provided in the request, + and role metadata always takes precedence if keys overlap. - `secret_id` (`string: ""`) - The secret ID of the Azure password credential you want to import. Required if you provide `client_secret` or `expiration`. - `client_secret` (`string: ""`) - The plaintext secret value of the credential you want to import. If unset, you must rotate the imported credential before you can use it with Vault. - `expiration` (`string: ""`) - A future expiration time for the imported credential, in RFC3339 format. -- `skip_import_rotation` (`bool: false`) – If set to true, Vault stores the - imported credential values without automatically rotating them. You cannot - read the imported credentials until you manually rotate them. 
+- `skip_import_rotation` (`bool`, `false`) - Determines whether Vault should generate credentials + automatically when creating a role. Set `skip_import_rotation` to `true` if you do not + want Vault to create initial credentials on role creation. If you skip credential creation, + you can generate them later manually by rotating the role using `/rotate-role` endpoint or by importing. + If you omit `skip_import_rotation` or set it to `false`, Vault automatically provisions the + first set of credentials during role creation. ### Sample payload @@ -600,13 +597,11 @@ Generate credentials associated with the named static role. ### Path parameters - `name` `(string: )` – Name of the static role to get credentials for. -- `metadata` (`map[string]any: {}`) - A map of string to string key/value pairs that will be stored - as metadata for the mount. This can be used to store additional information about the - mount for reference purposes. The data stored here is displayed in the response of - `/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field. - When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two - maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name` - taking precedence in the event of key collisions. +- `metadata` (`map: {}`) - Key/value pairs attached to the credential request. + Vault merges the request metadata with the role’s stored metadata, with role metadata taking + precedence when keys overlap. Key/value pairs appear as strings separated by the `=` symbol + (e.g. `key=value`). When using the Vault CLI, you can provide multiple tags in the role + configuration by adding multiple `metadata` assignments in the same command. ### Sample request diff --git a/content/vault/v1.21.x/content/docs/secrets/azure.mdx b/content/vault/v1.21.x/content/docs/secrets/azure.mdx index 2c2f300ae..85c4e1af1 100644 
--- a/content/vault/v1.21.x/content/docs/secrets/azure.mdx +++ b/content/vault/v1.21.x/content/docs/secrets/azure.mdx @@ -490,9 +490,9 @@ lifecycle controls. You can import credentials in the following ways: -- Metadata import - Provide the `secret_id` and an optional `expiration` for the - credential. Vault records the metadata but blocks reads until you explicitly - rotate the role to generate a valid secret. +- Metadata import - Provide the `secret_id`, `skip_import_rotation=true`, + and an optional `expiration` for the credential. Vault records the metadata + but blocks reads until you explicitly rotate the role to generate a valid secret. - Full import - Provide the `secret_id`, `client_secret`, and an optional `expiration`. You can use the imported credential immediately in Vault. - Rotate on import - Provide the `secret_id` and leave `skip_import_rotation`
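
Review bot: In api-docs/secret/azure.mdx, hunk `@@ -46,9 +46,6 @@`, the config-level `metadata` entry is deleted with nothing in its place, so a reader cannot tell whether the config endpoint stopped accepting the field or never accepted it. If it was never a config parameter, say so in the commit message. If the field is still accepted there, keep a one-line entry stating what happens to it, so operators who already send it know how their data is handled.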
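
Review bot: In api-docs/secret/azure.mdx, hunk `@@ -465,22 +462,22 @@`, the new `skip_import_rotation` text drops the statement that imported credentials cannot be read until they are rotated, yet the docs/secrets/azure.mdx hunk in this same patch still says Vault "blocks reads until you explicitly rotate the role". Keep that sentence in this entry, since it is what a caller needs to know before setting the flag to `true`. The type is also written as (`bool`, `false`) where the neighbouring parameters use the (`type: default`) form, and "using `/rotate-role` endpoint" should read "using the ... endpoint" with the path written out in full like the other endpoint references in this list. "Or by importing" does not say what is imported or through which endpoint.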
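
Review bot: In api-docs/secret/azure.mdx, hunk `@@ -600,13 +597,11 @@`, the last added sentence says multiple tags can be provided "in the role configuration", but this entry documents `metadata` on the credential request for `/azure/static-creds/:name`, and it introduces "tags" where the rest of the entry says metadata. Reword it to refer to the request and use one term throughout. The type changed from `map[string]any` to a bare `map`, which no longer tells the caller which value types are accepted, while the role-level entry uses `map[string]string`; state the value type here as well. The entry also still sits under "Path parameters" although the path shown is `/azure/static-creds/:name`, and the added text uses a typographic apostrophe in "role’s" where the file otherwise uses plain ASCII.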
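
Review bot: In docs/secrets/azure.mdx, hunk `@@ -490,9 +490,9 @@`, "Metadata import" now names `skip_import_rotation=true`, but the unchanged "Full import" bullet below it does not say what `skip_import_rotation` should be, while "Rotate on import" is defined in terms of that same flag. State in "Full import" which value the flag takes, so a reader can tell whether supplying `client_secret` with the flag left at its default keeps the imported secret or rotates it. It would also help to say in "Metadata import" that `client_secret` is omitted, since that is the only visible difference from "Full import".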