
Migrate to use Microsoft Authentication Library and Microsoft Graph API #12545

Closed
olafz opened this issue Sep 14, 2021 · 5 comments


olafz commented Sep 14, 2021

Vault dynamic secrets currently uses the older Azure Active Directory Graph API to set up and create dynamic Azure secrets.

Starting June 30th, 2020, Microsoft stopped development on this API and will no longer add any new features to Azure AD Graph.

Starting June 30th, 2022, Microsoft will end support for Azure AD Graph and will no longer provide technical support or security updates. Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint.

Does HashiCorp have any plans to move dynamic secrets for Azure in Vault to the newer Microsoft Graph API?

For more information about how to update Vault to use Microsoft Authentication Library and Microsoft Graph API see https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363


olafz commented Nov 18, 2021

@philippbussche

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/end-of-support-for-azure-ad-graph-permission-sign-up-through/ba-p/2464404
Setting the required old API permissions through the portal has reached end of support now.
Are you saying @olafz that even though hashicorp/vault-plugin-secrets-azure#67 has been merged this won't help with dynamic secrets, aka Service Principal creation?


olafz commented Dec 21, 2021

> Are you saying @olafz that even though hashicorp/vault-plugin-secrets-azure#67 has been merged this won't help with dynamic secrets, aka Service Principal creation?

No, I referenced the PR on the Azure plugin because I think it solves this issue. In my case: I've successfully migrated to the new Azure authentication to use dynamic secrets.

However, I don't know if there is anything I'm overlooking. If there is nothing more to it, feel free to close this issue.

@philippbussche

Nice, I shall test this also then.

I was also trying to emphasize one other aspect of this, which is the API permissions required. The documentation states that you need Application.ReadWrite.All, but I think what is also sufficient would be to use the Application.ReadWrite.OwnedBy permission (the Vault SP can then only create and delete its own SPs/applications). Maybe @olafz you have a chance to see if this would also work for you. I had tested this here with the legacy API and it works there.
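
An added example, not from this issue or the Vault project: a small audit of an app registration's requiredResourceAccess manifest for the two points raised in this thread, a remaining dependency on the legacy Azure AD Graph resource and use of the broad Application.ReadWrite.All role where Application.ReadWrite.OwnedBy may suffice. The sample manifests are constructed; the resource and role GUIDs are the published Microsoft Graph ones and should be confirmed against your own tenant.

```python
import json

# Resource (API) app IDs: the legacy Azure AD Graph this issue is about and
# the Microsoft Graph that replaces it.
AZURE_AD_GRAPH = "00000002-0000-0000-c000-000000000000"
MICROSOFT_GRAPH = "00000003-0000-0000-c000-000000000000"

# Microsoft Graph application-permission (appRole) IDs as published for the
# Microsoft Graph service principal; confirm in your tenant with
# `az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles`.
BROAD_ROLE = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"     # Application.ReadWrite.All
OWNED_BY_ROLE = "18a4783c-866b-4cc7-a460-3d5e5662c884"  # Application.ReadWrite.OwnedBy


def audit_manifest(manifest: dict) -> list:
    """Return finding codes for the Vault app registration's required permissions."""
    findings = []
    app_roles = set()
    for res in manifest.get("requiredResourceAccess", []):
        rid = res.get("resourceAppId")
        if rid == AZURE_AD_GRAPH:
            # Any Azure AD Graph dependency stops getting responses after June 30, 2022.
            findings.append("legacy-azure-ad-graph-dependency")
        elif rid == MICROSOFT_GRAPH:
            # type "Role" = application permission; "Scope" = delegated permission.
            app_roles |= {a["id"] for a in res.get("resourceAccess", [])
                          if a.get("type") == "Role"}
    if BROAD_ROLE in app_roles:
        findings.append("broad-application-readwrite-all")
    elif OWNED_BY_ROLE not in app_roles:
        findings.append("no-microsoft-graph-application-write-role")
    return findings


# Constructed sample manifests (shape as exported by `az ad app show`, trimmed).
# The Azure AD Graph role ID below is a placeholder, not a real role.
MID_MIGRATION = json.loads("""{"requiredResourceAccess": [
  {"resourceAppId": "00000002-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "00000000-0000-0000-0000-0000000000aa", "type": "Role"}]},
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "type": "Role"}]}]}""")
LEAST_PRIVILEGE = json.loads("""{"requiredResourceAccess": [
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "18a4783c-866b-4cc7-a460-3d5e5662c884", "type": "Role"}]}]}""")

if __name__ == "__main__":
    print("mid-migration:", audit_manifest(MID_MIGRATION))
    print("least-privilege:", audit_manifest(LEAST_PRIVILEGE))
```

Feed it the JSON of the Vault service principal's app registration to see whether the migration and the narrower permission are both in place.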

@hsimon-hashicorp
Contributor

This has been implemented, so I'll close this issue now, but please re-open it as needed!
