spin
Add Azure Key Vault config provider
This PR adds Azure Key Vault as a config provider to spin, as suggested in #1737.
Authentication
Authentication is implemented using the Client Credential Flow, leveraging the clientId and clientSecret of an Azure Service Principal (SP).
The SP must have the Key Vault Secrets User role assigned on the scope of the desired Azure Key Vault instance. Additionally, RBAC must be enabled on the Azure Key Vault instance.
Loading Secret Values
Although Azure Key Vault supports multiple versions per secret, this implementation loads the latest version of a particular secret.
Runtime Configuration File
Once the necessary SP and Azure Key Vault have been provisioned and the role assignment is in place, users must provide a corresponding runtime config file:

```toml
[[config_provider]]
type = "azure_key_vault"
url = "https://mysecrets.vault.azure.net/"
client_id = "00000000-0000-0000-0000-000000000000"
client_secret = "SomeSauce"
tenant_id = "00000000-0000-0000-0000-000000000000"
```
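The two HTTP exchanges the provider performs with the values from that runtime config, as an added example that is not spin's own code: a client-credentials token request to Azure AD, then a Key Vault REST read that omits the secret version so the latest one is returned. The endpoint shapes are Azure's documented ones; the config values and secret name are constructed placeholders.

```python
# Added example, not part of the spin PR: the client credential flow and the
# "latest version" secret read that the azure_key_vault provider relies on.
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

AAD = "https://login.microsoftonline.com"
KV_API_VERSION = "7.4"  # Key Vault REST API version (assumption: any 7.x works)


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """Build the client-credentials token request: (token URL, form body)."""
    url = f"{AAD}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # Key Vault's resource scope: the issued token is only usable against Key Vault.
        "scope": "https://vault.azure.net/.default",
    })
    return url, body


def secret_url(vault_url: str, name: str, version: Optional[str] = None) -> str:
    """URL of a secret; with no version segment Key Vault returns the latest version."""
    base = vault_url.rstrip("/")
    path = f"/secrets/{urllib.parse.quote(name, safe='')}"
    if version:
        path += f"/{version}"
    return f"{base}{path}?api-version={KV_API_VERSION}"


def fetch_secret(cfg: dict, name: str) -> str:
    """Resolve `name` from the vault described by a [[config_provider]] table (network call)."""
    url, body = token_request(cfg["tenant_id"], cfg["client_id"], cfg["client_secret"])
    with urllib.request.urlopen(url, data=body.encode()) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(secret_url(cfg["url"], name),
                                 headers={"Authorization": f"Bearer {token}"})
    # 403 here means the SP lacks Key Vault Secrets User or RBAC is not enabled on the vault.
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Constructed placeholder config mirroring the runtime config file above.
    cfg = {"url": "https://mysecrets.vault.azure.net/", "tenant_id": "<tenant>",
           "client_id": "<client-id>", "client_secret": "<client-secret>"}
    print(secret_url(cfg["url"], "db-password"))
```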