secret-azure.md

File metadata and controls

64 lines (55 loc) · 4.02 KB

Azure Secrets Engine Benchmark (azure_secret)

This benchmark tests the dynamic generation of Azure credentials (short-lived service principals) through Vault's Azure secrets engine.

## Benchmark Configuration Parameters

### Azure Configuration (azure)

- `subscription_id` (string: \<required\>) - The subscription ID for the Azure Active Directory tenant. This value can also be provided with the `VAULT_BENCHMARK_SUBSCRIPTION_ID` environment variable.
- `tenant_id` (string: \<required\>) - The tenant ID for the Azure Active Directory tenant. This value can also be provided with the `VAULT_BENCHMARK_TENANT_ID` environment variable.
- `client_id` (string: "") - The OAuth2 client ID used to connect to Azure. This value can also be provided with the `VAULT_BENCHMARK_CLIENT_ID` environment variable. See the authentication docs for more details.
- `client_secret` (string: "") - The OAuth2 client secret used to connect to Azure. This value can also be provided with the `VAULT_BENCHMARK_CLIENT_SECRET` environment variable. See the authentication docs for more details.
- `environment` (string: "") - The Azure environment. This value can also be provided with the `VAULT_BENCHMARK_ENVIRONMENT` environment variable. If not specified, Vault uses Azure Public Cloud.
- `password_policy` (string: "") - Specifies a password policy to use when creating dynamic credentials. If not set, an alphanumeric password is generated.
- `root_password_ttl` (string: "182d") - Specifies how long the root password is valid in Azure when `rotate-root` generates a new client secret. Uses duration format strings.

### Azure Role (role)

- `role` (string: "benchmark-role") - Name of the role.
- `azure_roles` (string: "") - List of Azure roles to be assigned to the generated service principal. The array must be in JSON format, properly escaped as a string. See the roles docs for details on role definition.
- `azure_groups` (string: "") - List of Azure groups that the generated service principal will be assigned to. The array must be in JSON format, properly escaped as a string. See the groups docs for more details.
- `application_object_id` (string: "") - Application Object ID of an existing service principal that will be used instead of creating dynamic service principals. If present, `azure_roles` is ignored. See the roles docs for details on role definition.
- `persist_app` (bool: false) - If set to true, persists the created service principal and application for the lifetime of the role. Useful when the service principal needs to maintain ownership of objects it creates.
- `ttl` (string: "") - Specifies the default TTL for service principals generated using this role. Accepts time-suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL.
- `max_ttl` (string: "") - Specifies the maximum TTL for service principals generated using this role. Accepts time-suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL.
- `permanently_delete` (bool: false) - Specifies whether to permanently delete applications and service principals that are dynamically created by Vault. If `application_object_id` is present, `permanently_delete` must be false.

## Example HCL

```hcl
test "azure_secret" "azure_secret1" {
    weight = 100
    config {
        azure {
            subscription_id = "subscription_id"
            tenant_id       = "tenant_id"
            client_id       = "client_id"
            client_secret   = "client_secret"
        }

        role {
            ttl                   = "1h"
            application_object_id = "application_object_id"
        }
    }
}
```
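The two role parameters that most often go wrong in practice are `azure_roles` (a JSON array that must be escaped into a single HCL string) and the `application_object_id` / `permanently_delete` interaction described above. The following Python script is an added example and is not part of vault-benchmark; it renders a `test "azure_secret"` block from Python values, escapes the JSON array for HCL, parses TTLs in the accepted forms (integer seconds or suffixed strings such as `"1h"`), and refuses configurations that violate the documented rules. All identifiers in the sample data are constructed placeholders, not real Azure IDs.

```python
import json
import re

# Constructed sample values: placeholders only, not real Azure identifiers.
SAMPLE_AZURE = {
    "subscription_id": "subscription_id",
    "tenant_id": "tenant_id",
    "client_id": "client_id",
    "client_secret": "client_secret",
}

# Constructed role assignment; scope format follows Azure's resource ID layout.
SAMPLE_ROLES = [
    {"role_name": "Reader",
     "scope": "/subscriptions/subscription_id/resourceGroups/example-rg"},
]

_DURATION_RE = re.compile(r"(\d+)([smhd])")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Return seconds for a TTL given either as an integer number of seconds
    or as a time-suffixed string such as "1h", "30m", "1h30m" or "182d"."""
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION_RE.findall(text)
    # Reject anything that is not purely a sequence of <number><unit> tokens.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def hcl_string(value):
    """Quote a Python string as an HCL string literal (escape backslashes and quotes)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_json_list(items):
    """Serialise a list as the JSON array azure_roles / azure_groups expect,
    already escaped so it can sit inside a single HCL string."""
    return hcl_string(json.dumps(items, separators=(",", ":")))


def validate_role(role):
    """Return the list of documented rules a role block violates:
    permanently_delete cannot be true alongside application_object_id,
    azure_roles is ignored when application_object_id is set, and ttl
    must not exceed max_ttl when both are given."""
    problems = []
    has_app = bool(role.get("application_object_id"))
    if has_app and role.get("permanently_delete"):
        problems.append("permanently_delete must be false when application_object_id is set")
    if has_app and role.get("azure_roles"):
        problems.append("azure_roles is ignored when application_object_id is set")
    if role.get("ttl") and role.get("max_ttl"):
        if parse_duration(role["ttl"]) > parse_duration(role["max_ttl"]):
            problems.append("ttl exceeds max_ttl")
    return problems


def render_test(name, azure, role, weight=100):
    """Render one vault-benchmark `test "azure_secret"` block as HCL text,
    raising ValueError instead of emitting a configuration that breaks the rules."""
    problems = validate_role(role)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f'test "azure_secret" "{name}" {{',
             f"    weight = {weight}",
             "    config {",
             "        azure {"]
    for key, value in azure.items():
        lines.append(f"            {key} = {hcl_string(value)}")
    lines += ["        }", "", "        role {"]
    for key, value in role.items():
        if key in ("azure_roles", "azure_groups"):
            rendered = render_json_list(value)
        elif isinstance(value, bool):
            rendered = "true" if value else "false"
        else:
            rendered = hcl_string(str(value))
        lines.append(f"            {key} = {rendered}")
    lines += ["        }", "    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    role = {"role": "benchmark-role", "ttl": "1h", "max_ttl": "24h",
            "azure_roles": SAMPLE_ROLES, "permanently_delete": True}
    print(render_test("azure_secret1", SAMPLE_AZURE, role))
```

Running the script prints a block equivalent to the example above but with a dynamically created service principal and an escaped `azure_roles` string; swapping in `application_object_id` together with `permanently_delete = true` makes `render_test` raise instead of producing a configuration the engine would reject.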