vault_azure_secret_backend_role

Creates an Azure Secret Backend Role for Vault.

The Azure secrets engine dynamically generates Azure service principals and role assignments. Vault roles can be mapped to one or more Azure roles, providing a simple, flexible way to manage the permissions granted to generated service principals.

Example Usage

resource "vault_azure_secret_backend" "azure" {
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_secret   = var.client_secret
  client_id       = var.client_id
}

resource "vault_azure_secret_backend_role" "generated_role" {
  backend                     = vault_azure_secret_backend.azure.path
  role                        = "generated_role"
  sign_in_audience            = "AzureADMyOrg"
  tags                        = ["team:engineering", "environment:development"]
  ttl                         = 300
  max_ttl                     = 600

  azure_roles {
    role_name = "Reader"
    scope     = "/subscriptions/${var.subscription_id}/resourceGroups/azure-vault-group"
  }
}

resource "vault_azure_secret_backend_role" "existing_object_id" {
  backend               = vault_azure_secret_backend.azure.path
  role                  = "existing_object_id"
  application_object_id = "11111111-2222-3333-4444-44444444444"
  ttl                   = 300
  max_ttl               = 600
}
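The role above only defines what Vault may hand out; which Vault clients are allowed to ask for those credentials is governed by a Vault policy. The configuration below is an added example, not part of the provider documentation, showing a least-privilege policy that lets a consumer read dynamic credentials for `generated_role` only, plus revoke its own lease early. It assumes the `vault_azure_secret_backend.azure` and `vault_azure_secret_backend_role.generated_role` resources from the example above; the policy name `azure-generated-role-reader` is a constructed placeholder.

```hcl
# Added example: a consumer policy scoped to a single Azure role.
# Assumes the backend and role resources defined in the Example Usage above.
resource "vault_policy" "azure_generated_role_reader" {
  name = "azure-generated-role-reader" # constructed placeholder name

  policy = <<-EOT
    # Read-only access to the creds endpoint of exactly one role.
    # The mount path and role name are taken from the resources above,
    # so renaming either keeps the policy in sync.
    path "${vault_azure_secret_backend.azure.path}/creds/${vault_azure_secret_backend_role.generated_role.role}" {
      capabilities = ["read"]
    }

    # Allow the consumer to revoke its own lease as soon as it is done,
    # rather than waiting for ttl / max_ttl to expire.
    path "sys/leases/revoke" {
      capabilities = ["update"]
    }
  EOT
}
```

Note that nothing in this policy grants access to `<mount>/roles/*` or `<mount>/config`, so a token carrying only this policy can obtain short-lived service principals for `generated_role` but cannot alter which Azure roles or scopes those principals receive.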

Argument Reference

The following arguments are supported:

Attributes Reference

No additional attributes are exported by this resource.