From 2ea29dcaa5025b096f68a185da0ce4a5d8ba105f Mon Sep 17 00:00:00 2001 From: robmonte <17119716+robmonte@users.noreply.github.com> Date: Thu, 6 Nov 2025 14:35:43 -0600 Subject: [PATCH 1/3] Update xms fields table, API required fields on login --- .../v1.16.x/content/api-docs/auth/azure.mdx | 11 +++++++-- .../vault/v1.16.x/content/docs/auth/azure.mdx | 24 +++++++++++-------- .../v1.17.x/content/api-docs/auth/azure.mdx | 11 +++++++-- .../vault/v1.17.x/content/docs/auth/azure.mdx | 10 ++++---- .../v1.18.x/content/api-docs/auth/azure.mdx | 11 +++++++-- .../vault/v1.18.x/content/docs/auth/azure.mdx | 10 ++++---- .../v1.19.x/content/api-docs/auth/azure.mdx | 11 +++++++-- .../vault/v1.19.x/content/docs/auth/azure.mdx | 10 ++++---- .../v1.20.x/content/api-docs/auth/azure.mdx | 11 +++++++-- .../vault/v1.20.x/content/docs/auth/azure.mdx | 10 ++++---- .../v1.21.x/content/api-docs/auth/azure.mdx | 11 +++++++-- .../vault/v1.21.x/content/docs/auth/azure.mdx | 10 ++++---- 12 files changed, 98 insertions(+), 42 deletions(-) diff --git a/content/vault/v1.16.x/content/api-docs/auth/azure.mdx b/content/vault/v1.16.x/content/api-docs/auth/azure.mdx index 3f8eef4e2a..4130ff99ca 100644 --- a/content/vault/v1.16.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.16.x/content/api-docs/auth/azure.mdx 
@@ -287,6 +287,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -298,10 +305,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.16.x/content/docs/auth/azure.mdx b/content/vault/v1.16.x/content/docs/auth/azure.mdx index 925cf6c804..6cf40736ba 100644 --- a/content/vault/v1.16.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.16.x/content/docs/auth/azure.mdx 
@@ -23,16 +23,20 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". - -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://`. 
+ +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.17.x/content/api-docs/auth/azure.mdx b/content/vault/v1.17.x/content/api-docs/auth/azure.mdx index 98ebc9f2c9..297aceb57c 100644 --- a/content/vault/v1.17.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.17.x/content/api-docs/auth/azure.mdx 
@@ -297,6 +297,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | @@ -308,10 +315,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.17.x/content/docs/auth/azure.mdx b/content/vault/v1.17.x/content/docs/auth/azure.mdx index 30d3da331d..10f42bf2c6 100644 --- a/content/vault/v1.17.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.17.x/content/docs/auth/azure.mdx 
@@ -29,10 +29,12 @@ on the identities attached to the machine generating the MSI token, the associated claims must include at least one of the following claims to pass validation: "xms_mirid" or "xms_az_rid". -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does 
not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.18.x/content/api-docs/auth/azure.mdx b/content/vault/v1.18.x/content/api-docs/auth/azure.mdx index 98ebc9f2c9..297aceb57c 100644 --- a/content/vault/v1.18.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.18.x/content/api-docs/auth/azure.mdx @@ -297,6 +297,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | 
@@ -308,10 +315,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.18.x/content/docs/auth/azure.mdx b/content/vault/v1.18.x/content/docs/auth/azure.mdx index 30d3da331d..10f42bf2c6 100644 --- a/content/vault/v1.18.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.18.x/content/docs/auth/azure.mdx 
@@ -29,10 +29,12 @@ on the identities attached to the machine generating the MSI token, the associated claims must include at least one of the following claims to pass validation: "xms_mirid" or "xms_az_rid". -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does 
not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.19.x/content/api-docs/auth/azure.mdx b/content/vault/v1.19.x/content/api-docs/auth/azure.mdx index 4c090a857e..acb96249ee 100644 --- a/content/vault/v1.19.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.19.x/content/api-docs/auth/azure.mdx @@ -299,6 +299,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | 
@@ -310,10 +317,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.19.x/content/docs/auth/azure.mdx b/content/vault/v1.19.x/content/docs/auth/azure.mdx index 8476a72914..ac94f60a4a 100644 --- a/content/vault/v1.19.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.19.x/content/docs/auth/azure.mdx 
@@ -29,10 +29,12 @@ on the identities attached to the machine generating the MSI token, the associated claims must include at least one of the following claims to pass validation: "xms_mirid" or "xms_az_rid". -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does 
not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.20.x/content/api-docs/auth/azure.mdx b/content/vault/v1.20.x/content/api-docs/auth/azure.mdx index 9c28c6f5e3..4921366326 100644 --- a/content/vault/v1.20.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.20.x/content/api-docs/auth/azure.mdx @@ -302,6 +302,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | 
@@ -313,10 +320,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.20.x/content/docs/auth/azure.mdx b/content/vault/v1.20.x/content/docs/auth/azure.mdx index c7e49a3e0b..3162a8d155 100644 --- a/content/vault/v1.20.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.20.x/content/docs/auth/azure.mdx 
@@ -29,10 +29,12 @@ on the identities attached to the machine generating the MSI token, the associated claims must include at least one of the following claims to pass validation: "xms_mirid" or "xms_az_rid". -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does 
not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.21.x/content/api-docs/auth/azure.mdx b/content/vault/v1.21.x/content/api-docs/auth/azure.mdx index 9c28c6f5e3..4921366326 100644 --- a/content/vault/v1.21.x/content/api-docs/auth/azure.mdx +++ b/content/vault/v1.21.x/content/api-docs/auth/azure.mdx @@ -302,6 +302,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. +The `role` and `jwt` parameters are required. When using +`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the +information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When +using other `bound_*` parameters, calls to Azure APIs will be made and +`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required +and can be obtained through instance metadata. + | Method | Path | | :----- | :------------------ | | `POST` | `/auth/azure/login` | 
@@ -313,10 +320,10 @@ entity and then authorizes the entity for the given role. - `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) for details on how to acquire a JWT access token through instance metadata. -- `subscription_id` `(string: )` - The subscription ID for the machine that +- `subscription_id` `(string: "")` - The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. -- `resource_group_name` `(string: )` - The resource group for the machine that +- `resource_group_name` `(string: "")` - The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. - `vm_name` `(string: "")` - The virtual machine name for the machine that diff --git a/content/vault/v1.21.x/content/docs/auth/azure.mdx b/content/vault/v1.21.x/content/docs/auth/azure.mdx index c7e49a3e0b..3162a8d155 100644 --- a/content/vault/v1.21.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.21.x/content/docs/auth/azure.mdx 
@@ -29,10 +29,12 @@ on the identities attached to the machine generating the MSI token, the associated claims must include at least one of the following claims to pass validation: "xms_mirid" or "xms_az_rid". -System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| --------------- -Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist -Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" +------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- +First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist +First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does 
not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. From 55b48db5136e589e99c9cc38ccea958aa4138e36 Mon Sep 17 00:00:00 2001 From: robmonte <17119716+robmonte@users.noreply.github.com> Date: Mon, 10 Nov 2025 09:49:08 -0800 Subject: [PATCH 2/3] Update token validation paragraph in all docs versions --- content/vault/v1.16.x/content/docs/auth/azure.mdx | 2 +- content/vault/v1.17.x/content/docs/auth/azure.mdx | 12 +++++++----- content/vault/v1.18.x/content/docs/auth/azure.mdx | 12 +++++++----- content/vault/v1.19.x/content/docs/auth/azure.mdx | 12 +++++++----- content/vault/v1.20.x/content/docs/auth/azure.mdx | 12 +++++++----- content/vault/v1.21.x/content/docs/auth/azure.mdx | 12 +++++++----- 6 files changed, 36 insertions(+), 26 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/auth/azure.mdx b/content/vault/v1.16.x/content/docs/auth/azure.mdx index 6cf40736ba..768fd313f0 100644 --- a/content/vault/v1.16.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.16.x/content/docs/auth/azure.mdx 
@@ -29,7 +29,7 @@ parameters against token claims. Depending on the identities attached to the machine generating the MSI token, the associated claims must include at least one of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These claims are not present on the token when using a custom resource or a resource -URI that begins with `api://`. +URI that begins with `api://` and so cannot be used. Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- diff --git a/content/vault/v1.17.x/content/docs/auth/azure.mdx b/content/vault/v1.17.x/content/docs/auth/azure.mdx index 10f42bf2c6..bf2eb37732 100644 --- a/content/vault/v1.17.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.17.x/content/docs/auth/azure.mdx 
@@ -23,11 +23,13 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- diff --git a/content/vault/v1.18.x/content/docs/auth/azure.mdx b/content/vault/v1.18.x/content/docs/auth/azure.mdx index 10f42bf2c6..bf2eb37732 100644 --- a/content/vault/v1.18.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.18.x/content/docs/auth/azure.mdx 
@@ -23,11 +23,13 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- diff --git a/content/vault/v1.19.x/content/docs/auth/azure.mdx b/content/vault/v1.19.x/content/docs/auth/azure.mdx index ac94f60a4a..1ab00ee686 100644 --- a/content/vault/v1.19.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.19.x/content/docs/auth/azure.mdx 
@@ -23,11 +23,13 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- diff --git a/content/vault/v1.20.x/content/docs/auth/azure.mdx b/content/vault/v1.20.x/content/docs/auth/azure.mdx index 3162a8d155..570868f78a 100644 --- a/content/vault/v1.20.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.20.x/content/docs/auth/azure.mdx 
@@ -23,11 +23,13 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- diff --git a/content/vault/v1.21.x/content/docs/auth/azure.mdx b/content/vault/v1.21.x/content/docs/auth/azure.mdx index 3162a8d155..570868f78a 100644 --- a/content/vault/v1.21.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.21.x/content/docs/auth/azure.mdx 
@@ -23,11 +23,13 @@ please update your API calls accordingly. ## Token validation ((#token-validation)) -Vault validates the resource group (`resource_group_name`), VM name (`vm_name`) -and VM scale set name (`vmss_name`) parameters against token claims. Depending -on the identities attached to the machine generating the MSI token, the -associated claims must include at least one of the following claims -to pass validation: "xms_mirid" or "xms_az_rid". +When using a first-party Azure resource, Vault validates the resource group +(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`) +parameters against token claims. Depending on the identities attached to the +machine generating the MSI token, the associated claims must include at least one +of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These +claims are not present on the token when using a custom resource or a resource +URI that begins with `api://` and so cannot be used. Resource type | System-assigned management identity | "xms_mirid" | "xms_az_rid" ------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- From 6adc60e54ddec5b16154781871939e6d58209987 Mon Sep 17 00:00:00 2001 From: robmonte <17119716+robmonte@users.noreply.github.com> Date: Mon, 10 Nov 2025 13:45:53 -0800 Subject: [PATCH 3/3] Fix table value --- content/vault/v1.16.x/content/docs/auth/azure.mdx | 2 +- content/vault/v1.17.x/content/docs/auth/azure.mdx | 2 +- content/vault/v1.18.x/content/docs/auth/azure.mdx | 2 +- content/vault/v1.19.x/content/docs/auth/azure.mdx | 2 +- content/vault/v1.20.x/content/docs/auth/azure.mdx | 2 +- content/vault/v1.21.x/content/docs/auth/azure.mdx | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) 
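Review bot: in the v1.16.x hunk of this patch, the added clause "and so cannot be used" has an ambiguous subject: it can be read as "the claims cannot be used" or as "a custom resource or `api://` URI cannot be used with this auth method". The sentence before it says validation of `resource_group_name`, `vm_name` and `vmss_name` depends on `xms_mirid` or `xms_az_rid`, so what the reader needs here is the consequence: whether Vault skips those parameter checks for such tokens or rejects the login. Suggest something like "URI that begins with `api://`, so Vault cannot validate those parameters against the token claims" followed by one sentence stating the resulting behaviour; the same wording appears in the v1.17.x through v1.21.x hunks and should be changed in step.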
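Review bot: the rewritten paragraph in the v1.17.x through v1.21.x hunks opens with "When using a first-party Azure resource" without saying what a first-party resource is; the table that follows is what defines the two resource types, so a short pointer such as "(see the table below)" would help a reader who lands on this section by anchor. Style: the claim names are written as "xms_mirid" and "xms_az_rid" with double quotes while the parameters on the same lines use backticks (`resource_group_name`, `vm_name`, `vmss_name`); suggest backticks for the claim names too, matching the parameter style in the added text.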
diff --git a/content/vault/v1.16.x/content/docs/auth/azure.mdx b/content/vault/v1.16.x/content/docs/auth/azure.mdx index 768fd313f0..1aaa1ae166 100644 --- a/content/vault/v1.16.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.16.x/content/docs/auth/azure.mdx @@ -36,7 +36,7 @@ Resource type | System-assigned management identity | "x First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist -Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.17.x/content/docs/auth/azure.mdx b/content/vault/v1.17.x/content/docs/auth/azure.mdx index bf2eb37732..060f1bfb2f 100644 --- a/content/vault/v1.17.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.17.x/content/docs/auth/azure.mdx 
@@ -36,7 +36,7 @@ Resource type | System-assigned management identity | "x First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist -Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.18.x/content/docs/auth/azure.mdx b/content/vault/v1.18.x/content/docs/auth/azure.mdx index bf2eb37732..060f1bfb2f 100644 --- a/content/vault/v1.18.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.18.x/content/docs/auth/azure.mdx 
@@ -36,7 +36,7 @@ Resource type | System-assigned management identity | "x First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist -Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.19.x/content/docs/auth/azure.mdx b/content/vault/v1.19.x/content/docs/auth/azure.mdx index 1ab00ee686..0b0cd233fb 100644 --- a/content/vault/v1.19.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.19.x/content/docs/auth/azure.mdx 
@@ -36,7 +36,7 @@ Resource type | System-assigned management identity | "x First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist -Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.20.x/content/docs/auth/azure.mdx b/content/vault/v1.20.x/content/docs/auth/azure.mdx index 570868f78a..99970e8603 100644 --- a/content/vault/v1.20.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.20.x/content/docs/auth/azure.mdx 
@@ -36,7 +36,7 @@ Resource type | System-assigned management identity | "x First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist -Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens. diff --git a/content/vault/v1.21.x/content/docs/auth/azure.mdx b/content/vault/v1.21.x/content/docs/auth/azure.mdx index 570868f78a..99970e8603 100644 --- a/content/vault/v1.21.x/content/docs/auth/azure.mdx +++ b/content/vault/v1.21.x/content/docs/auth/azure.mdx 
@@ -36,7 +36,7 @@ Resource type | System-assigned management identity | "x First-party Azure resource | Enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist First-party Azure resource | Not enabled | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist -Custom resource or API (`api://{id}`) | Enabled | Does not exist | Does not exist +Custom resource or API (`api://{id}`) | Not enabled | Does not exist | Does not exist See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens.
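Review bot: the one-line fix in each of these six hunks is correct, since the two "Custom resource or API" rows were previously identical and the second one now reads "Not enabled", matching the Enabled/Not enabled pairing of the first-party rows above it. Two points on the unchanged context lines that could be picked up in the same pass: the column header reads "System-assigned management identity", where the Azure term is "managed identity", and the second first-party row has no space after the cell separator before the `xms_az_rid` value (`|`/subscriptions/...`), which is inconsistent with the other cells and worth normalising so the table renders uniformly.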