vault_azure_access_credentials

Reads Azure credentials from an Azure secret backend in Vault.

Description

The Azure Active Directory data source exists to easily pull short-lived credentials from Vault for use in Terraform. By default, it returns a dynamically generated client_id and client_secret without testing whether they've fully propagated for use in Azure Active Directory. However, by activating validate_creds, credentials will be tested before being returned. This will, however, increase the time it takes for the credentials to be returned, blocking Terraform's execution until they are ready.

If validate_creds is used, by default, credentials will be validated by making a test call to Azure every 1 second. When we have received 8 successes in a row, the credentials will be returned. We have seen propagation times take up to 15 minutes, so the maximum length of time for the check defaults to 20 minutes. However, propagation times vary widely based on each company's Azure usage, so all of these settings are configurable.

Credentials are tested by attempting to refresh a client token with them.
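The polling rule described above (test every num_seconds_between_tests seconds, require num_sequential_successes passes in a row, give up after max_cred_validation_seconds) is easy to get subtly wrong, for example by counting total successes instead of consecutive ones. The following Go program is an added illustration written for this page, not the provider's own code: WaitForPropagation implements the rule against any probe function, resetting the streak on every failure, and ScriptedProbe stands in for the real "refresh a client token" call with a constructed pass/fail sequence. The default values are the ones the text states; the function and type names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Defaults as described on this page: 8 consecutive successes, one test per
// second, and a 20 minute overall cap.
const (
	DefaultNumSequentialSuccesses  = 8
	DefaultSecondsBetweenTests     = 1
	DefaultMaxCredValidationSecond = 20 * 60
)

// ErrValidationTimeout is returned when the streak of successes is not reached
// before maxWait has elapsed.
var ErrValidationTimeout = errors.New("credential validation timed out")

// WaitForPropagation calls probe until it has succeeded numSuccesses times in
// a row, sleeping interval between calls. Any failure resets the streak to
// zero, which is what "successes in a row" means: a credential that works
// against one Azure endpoint but not yet another is still not usable. It
// returns the total number of probe calls made (hypothetical helper).
func WaitForPropagation(probe func() error, numSuccesses int, interval, maxWait time.Duration) (int, error) {
	if numSuccesses < 1 {
		return 0, errors.New("numSuccesses must be at least 1")
	}
	deadline := time.Now().Add(maxWait)
	streak, attempts := 0, 0
	for {
		attempts++
		if err := probe(); err != nil {
			streak = 0 // one failure discards all earlier successes
		} else {
			streak++
			if streak >= numSuccesses {
				return attempts, nil
			}
		}
		// Stop if the next probe could not complete before the deadline.
		if time.Now().Add(interval).After(deadline) {
			return attempts, ErrValidationTimeout
		}
		time.Sleep(interval)
	}
}

// ScriptedProbe returns a probe that replays a constructed pass/fail
// sequence (true = token refresh succeeded). Once the sequence is exhausted
// it keeps returning the last outcome, which models credentials that have
// either finished propagating or are persistently broken.
func ScriptedProbe(results []bool) func() error {
	if len(results) == 0 {
		panic("ScriptedProbe needs at least one outcome")
	}
	i := 0
	return func() error {
		ok := results[len(results)-1]
		if i < len(results) {
			ok = results[i]
			i++
		}
		if ok {
			return nil
		}
		return errors.New("token refresh rejected (constructed failure)")
	}
}

func main() {
	// Constructed scenario: the new service principal is visible to two
	// checks, then one check still sees the old state, then it settles.
	probe := ScriptedProbe([]bool{true, true, false, true})
	n, err := WaitForPropagation(probe, 3, 10*time.Millisecond, 5*time.Second)
	fmt.Printf("attempts=%d err=%v\n", n, err)
}
```

With num_sequential_successes set to 3, the scenario in main needs six probe calls rather than four, because the single failure on the third call wipes out the two earlier successes; that is the behaviour a shorter max_cred_validation_seconds must leave room for.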

Example Usage

data "vault_azure_access_credentials" "creds" {
  role                        = "my-role"
  validate_creds              = true
  num_sequential_successes    = 8
  num_seconds_between_tests   = 1
  max_cred_validation_seconds = 300 # 5 minutes, instead of the 20 minute default
}

provider "azure" {
  client_id     = data.vault_azure_access_credentials.creds.client_id
  client_secret = data.vault_azure_access_credentials.creds.client_secret
}

Caveats

The validate_creds option requires read access to the backend config endpoint. If the effective Vault role does not have that permission, valid values must be set for subscription_id, tenant_id and environment.

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to the arguments above, the following attributes are exported: