diff --git a/content/vault/v1.16.x/content/api-docs/auth/azure.mdx b/content/vault/v1.16.x/content/api-docs/auth/azure.mdx index 3f8eef4e2a..4130ff99ca 100644 --- a/content/vault/v1.16.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.16.x/content/api-docs/auth/azure.mdx @@ -287,6 +287,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -298,10 +305,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that 
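Review bot: In the paragraph added after "authorizes the entity for the given role", the sentence "all the information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`)" reads as if those three names were JWT claims that may be missing; what it should say is that when the role uses only `bound_service_principal_ids` and `bound_group_ids`, Vault authorizes from the token claims alone and the `subscription_id`, `resource_group_name`, `vm_name`, `vmss_name` and `resource_id` request parameters can be omitted. Likewise "`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required" should state that `subscription_id`, `resource_group_name` and exactly one of `vm_name` or `vmss_name` must be supplied, and that Vault uses them for the Azure API calls the same sentence mentions, so a reader understands these values are what the role's other `bound_*` checks are evaluated against rather than optional hints. The second hunk changes `subscription_id` and `resource_group_name` from `(string: )` to `(string: "")`, which marks them optional in this page's convention; follow the `vm_name` bullet's style and add "Required when the role uses any `bound_*` parameter other than `bound_service_principal_ids` or `bound_group_ids`" to each of those two bullet descriptions so the requirement is visible in the parameter list and not only in the prose above it. The same corrections apply to the identical hunks in the v1.17.x through v1.21.x copies of this file.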
diff --git a/content/vault/v1.16.x/content/docs/auth/azure.mdx b/content/vault/v1.16.x/content/docs/auth/azure.mdx index 925cf6c804..1aaa1ae166 100644 --- a/content/vault/v1.16.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.16.x/content/docs/auth/azure.mdx 
@@ -23,16 +23,20 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". - -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. 
+ +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.17.x/content/api-docs/auth/azure.mdx b/content/vault/v1.17.x/content/api-docs/auth/azure.mdx index 98ebc9f2c9..297aceb57c 100644 --- a/content/vault/v1.17.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.17.x/content/api-docs/auth/azure.mdx 
@@ -297,6 +297,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -308,10 +315,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.17.x/content/docs/auth/azure.mdx b/content/vault/v1.17.x/content/docs/auth/azure.mdx index 30d3da331d..060f1bfb2f 100644 --- a/content/vault/v1.17.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.17.x/content/docs/auth/azure.mdx 
@@ -23,16 +23,20 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". - -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. 
+ +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.18.x/content/api-docs/auth/azure.mdx b/content/vault/v1.18.x/content/api-docs/auth/azure.mdx index 98ebc9f2c9..297aceb57c 100644 --- a/content/vault/v1.18.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.18.x/content/api-docs/auth/azure.mdx 
@@ -297,6 +297,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -308,10 +315,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.18.x/content/docs/auth/azure.mdx b/content/vault/v1.18.x/content/docs/auth/azure.mdx index 30d3da331d..060f1bfb2f 100644 --- a/content/vault/v1.18.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.18.x/content/docs/auth/azure.mdx 
@@ -23,16 +23,20 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". - -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. 
+ +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.19.x/content/api-docs/auth/azure.mdx b/content/vault/v1.19.x/content/api-docs/auth/azure.mdx index 4c090a857e..acb96249ee 100644 --- a/content/vault/v1.19.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.19.x/content/api-docs/auth/azure.mdx 
@@ -299,6 +299,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -310,10 +317,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.19.x/content/docs/auth/azure.mdx b/content/vault/v1.19.x/content/docs/auth/azure.mdx index 8476a72914..0b0cd233fb 100644 --- a/content/vault/v1.19.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.19.x/content/docs/auth/azure.mdx 
@@ -23,16 +23,20 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". - -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. 
+ +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.20.x/content/api-docs/auth/azure.mdx b/content/vault/v1.20.x/content/api-docs/auth/azure.mdx index 9c28c6f5e3..4921366326 100644 --- a/content/vault/v1.20.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.20.x/content/api-docs/auth/azure.mdx 
@@ -302,6 +302,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -313,10 +320,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.20.x/content/docs/auth/azure.mdx b/content/vault/v1.20.x/content/docs/auth/azure.mdx index c7e49a3e0b..99970e8603 100644 --- a/content/vault/v1.20.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.20.x/content/docs/auth/azure.mdx 
@@ -23,16 +23,20 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". - -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. 
+ +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.21.x/content/api-docs/auth/azure.mdx b/content/vault/v1.21.x/content/api-docs/auth/azure.mdx index 9c28c6f5e3..4921366326 100644 --- a/content/vault/v1.21.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.21.x/content/api-docs/auth/azure.mdx 
@@ -302,6 +302,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -313,10 +320,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.21.x/content/docs/auth/azure.mdx b/content/vault/v1.21.x/content/docs/auth/azure.mdx index c7e49a3e0b..99970e8603 100644 --- a/content/vault/v1.21.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.21.x/content/docs/auth/azure.mdx 
@@ -23,16 +23,20 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". - -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. 
+ +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens.