
Azure - credentialsConfig #1797

Open
itmwiw opened this issue Feb 14, 2023 · 3 comments
Comments

@itmwiw

itmwiw commented Feb 14, 2023

Describe the bug:
I'm trying to add an Azure secret engine with some roles using 'credentialsConfig' to authenticate to Azure.
Here's the YAML section:

```yaml
...
credentialsConfig:
  env: AZURE_AUTH_LOCATION
  path: /etc/azure/credentials
  secretName: azure-creds
externalConfig:
  secrets:
    - configuration:
        roles:
          - azure_roles: >-
              '[{"role_name": "xxx", "scope": "/subscriptions/yyy/resourceGroups/zzz"}]'
            name: dns-role
            policies: []
            startupSecrets: []
            ttl: 1h
      description: Azure Secret Backend
      path: azure
      type: azure
...
```

However, it seems the vault-configurer does not use the credentials to configure the secret engine and I get "subscription_id is required" in the logs.

Expected behaviour:
The vault configurer uses the credentials to configure the secret engine.

Steps to reproduce the bug:
Try to configure the Azure secret engine using 'credentialsConfig' to manage the authentication part.

Additional context:
Everything works fine if I configure the secret engine myself without using the 'credentialsConfig':

```yaml
...
secretEngines:
  - type: azure
    path: azure
    description: Azure Secret Backend
    configuration:
      config:
        # Bank-Vaults env template: the variable name goes inside the backticks without a leading "$"
        - subscription_id: "${env `AZURE_SUBSCRIPTION_ID`}"
          tenant_id: "${env `AZURE_TENANT_ID`}"
          client_id: "${env `AZURE_CLIENT_ID`}"
          client_secret: "${env `AZURE_CLIENT_SECRET`}"
      roles:
        - name: dns-role
          ttl: 1h
          azure_roles: '[{"role_name": "xxx", "scope": "/subscriptions/yyy/resourceGroups/zzz"}]'
...
```

However, I don't want the secrets to be exposed as environment variables.

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.24.6+5658434
  • Cloud-provider/provisioner (e.g. AKS, GKE, EKS, PKE etc): Openshift on Azure
  • bank-vaults version (e.g. 0.4.17): 1.17.0
  • Install method (e.g. helm or static manifests): Helm

/kind bug

@akijakya
Contributor

Hi @itmwiw, thanks for using Bank-Vaults! File-based authentication via credentialsConfig is currently only possible when using Azure's Key Vault to store the Vault unseal keys and root token. For the Azure secrets engine only the second method mentioned by you (with env variables) works as per Vault's own documentation. Although I think it wouldn't be impossible to implement it as a feature within Bank-Vaults if you have time to contribute a solution 🙂

@akijakya akijakya self-assigned this Feb 17, 2023
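The gap discussed above is that Vault's `azure/config` endpoint needs `subscription_id`, `tenant_id`, `client_id` and `client_secret`, while the file referenced by `credentialsConfig` (the `AZURE_AUTH_LOCATION` JSON written by `az ad sp create-for-rbac --sdk-auth`, with camelCase keys) is only consumed for Key Vault unsealing. The following is an added example, not Bank-Vaults code, showing how a mounted auth file could be translated into that config body so that only the file path, never the secret values, travels through the environment. The sample file contents are constructed placeholders, and `load_from_mounted_file` is a hypothetical helper name.

```python
"""Translate an Azure SDK auth file into the fields Vault's azure/config expects.

Added example (not Bank-Vaults or Vault code). Assumes:
  * the auth-file format produced by `az ad sp create-for-rbac --sdk-auth`
    (camelCase keys: clientId, clientSecret, subscriptionId, tenantId);
  * the parameter names documented for Vault's azure/config endpoint.
"""
import json
import os
from typing import Dict, List

# azure/config parameter -> key in the SDK auth file. Order matters: it decides
# which missing field is reported first, matching Vault's own
# "subscription_id is required" message from the issue.
VAULT_FROM_SDK_AUTH = {
    "subscription_id": "subscriptionId",
    "tenant_id": "tenantId",
    "client_id": "clientId",
    "client_secret": "clientSecret",
}

# Constructed sample auth file (placeholder GUIDs and secret, not real credentials).
SAMPLE_AUTH_FILE = json.dumps({
    "clientId": "00000000-0000-0000-0000-000000000001",
    "clientSecret": "placeholder-client-secret",
    "subscriptionId": "00000000-0000-0000-0000-000000000002",
    "tenantId": "00000000-0000-0000-0000-000000000003",
})


def missing_required_fields(auth_json: str) -> List[str]:
    """Return the azure/config parameters that the auth file does not provide."""
    data = json.loads(auth_json)
    return [vault_key for vault_key, sdk_key in VAULT_FROM_SDK_AUTH.items()
            if not data.get(sdk_key)]


def vault_azure_config_from_auth_file(auth_json: str) -> Dict[str, str]:
    """Build the azure/config request body from auth-file JSON.

    Raises ValueError naming the first missing field, in the same wording Vault
    uses when the engine is configured without it.
    """
    missing = missing_required_fields(auth_json)
    if missing:
        raise ValueError(f"{missing[0]} is required")
    data = json.loads(auth_json)
    return {vault_key: data[sdk_key] for vault_key, sdk_key in VAULT_FROM_SDK_AUTH.items()}


def redacted(body: Dict[str, str]) -> Dict[str, str]:
    """Copy of the config body safe to log: the client secret is masked."""
    safe = dict(body)
    if "client_secret" in safe:
        safe["client_secret"] = "***"
    return safe


def load_from_mounted_file(default_path: str = "/etc/azure/credentials",
                           env_var: str = "AZURE_AUTH_LOCATION") -> Dict[str, str]:
    """Hypothetical helper: read the auth file whose *path* (not contents) comes
    from the environment, mirroring the env/path pair in credentialsConfig."""
    location = os.environ.get(env_var, default_path)
    with open(location, "r", encoding="utf-8") as fh:
        return vault_azure_config_from_auth_file(fh.read())


if __name__ == "__main__":
    body = vault_azure_config_from_auth_file(SAMPLE_AUTH_FILE)
    print(redacted(body))
    try:
        vault_azure_config_from_auth_file('{"clientId": "only-a-client-id"}')
    except ValueError as err:
        print("config rejected:", err)
```

Only the path to the file is read from the environment; the credential values are parsed from the mounted file and passed to the configurer in memory, and `redacted` is what should reach any log line.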

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Nov 29, 2023
@ramizpolic ramizpolic added question and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Dec 22, 2023
@github-actions github-actions bot removed the question label Feb 11, 2024

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@csatib02 csatib02 added area/provider/azure and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Apr 14, 2024