diff --git a/changelog/12934.txt b/changelog/12934.txt
new file mode 100644
index 0000000000000..fbc6aa50b3ea3
--- /dev/null
+++ b/changelog/12934.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances.
+```
diff --git a/go.mod b/go.mod
index c6948eba894ef..3326b2f980842 100644
--- a/go.mod
+++ b/go.mod
@@ -63,7 +63,7 @@ require (
 github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192
 github.com/hashicorp/go-gcp-common v0.7.0
 github.com/hashicorp/go-hclog v1.0.0
-github.com/hashicorp/go-kms-wrapping v0.6.7
+github.com/hashicorp/go-kms-wrapping v0.6.8
 github.com/hashicorp/go-memdb v1.3.2
 github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a
@@ -172,7 +172,7 @@ require (
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 golang.org/x/net v0.0.0-20211020060615-d418f374d309
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-golang.org/x/sys v0.0.0-20211025112917-711f33c9992c
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d
 golang.org/x/tools v0.1.5
 google.golang.org/api v0.29.0
diff --git a/go.sum b/go.sum
index 274bf27fe5b48..3964cf58163b3 100644
--- a/go.sum
+++ b/go.sum
@@ -654,8 +654,8 @@ github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
 github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-kms-wrapping v0.6.7 h1:JiEd/3l71icodhvkqwrd1G/nPay9jyupzkOVxG+P2fc=
-github.com/hashicorp/go-kms-wrapping v0.6.7/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
+github.com/hashicorp/go-kms-wrapping v0.6.8 h1:Tu4X6xRFyV3i9SSthYVGnyNaof3VTxVo2tBQ7bdHiwE=
+github.com/hashicorp/go-kms-wrapping v0.6.8/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 h1:xuTi5ZwjimfpvpL09jDE71smCBRpnF5xfo871BSX4gs=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
 github.com/hashicorp/go-memdb v1.3.2 h1:RBKHOsnSszpU6vxq80LzC2BaQjuuvoyaQbkLTf7V7g8=
@@ -1576,8 +1576,9 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025112917-711f33c9992c h1:i4MLwL3EbCgobekQtkVW94UBSPLMadfEGtKq+CAFsEU=
 golang.org/x/sys v0.0.0-20211025112917-711f33c9992c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359 h1:2B5p2L5IfGiD7+b9BOoRMC6DgObAVZV+Fsp050NqXik=
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
@@ -1770,6 +1771,7 @@ google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+Rur
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/website/content/docs/configuration/seal/azurekeyvault.mdx b/website/content/docs/configuration/seal/azurekeyvault.mdx index 13f1279679c02..b75d65aec7ae0 100644 --- a/website/content/docs/configuration/seal/azurekeyvault.mdx +++ b/website/content/docs/configuration/seal/azurekeyvault.mdx @@ -57,6 +57,10 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `key_name` `(string: )`: The Key Vault key to use for encryption and decryption. May also be specified by the `VAULT_AZUREKEYVAULT_KEY_NAME` environment variable. +- `resource` `(string: "vault.azure.net")`: The AZ KeyVault resource's DNS Suffix to connect to. + May also be specified in the `AZURE_AD_RESOURCE` environment variable. + Needs to be changed to connect to Azure's Managed HSM KeyVault instance type. + ## Authentication Authentication-related values must be provided, either as environment @@ -68,6 +72,7 @@ Azure authentication values: - `AZURE_CLIENT_ID` - `AZURE_CLIENT_SECRET` - `AZURE_ENVIRONMENT` +- `AZURE_AD_RESOURCE` ~> **Note:** If Vault is hosted on Azure, Vault can use Managed Service Identities (MSI) to access Azure instead of an environment and shared client id @@ -79,6 +84,10 @@ prevents your Azure credentials from being stored as clear text. Refer to the Hardening](https://learn.hashicorp.com/vault/day-one/production-hardening) guide for more best practices. +-> **Note:** If you are using a Managed HSM KeyVault, `AZURE_AD_RESOURCE` or the `resource` +configuration parameter must be specified; usually this should point to `managedhsm.azure.net`, +but could point to other suffixes depending on Azure environment. + ## `azurekeyvault` Environment Variables Alternatively, the Azure Key Vault seal can be activated by providing the following