
Add Azure Key Vault config provider

Open ThorstenHans opened this issue 9 months ago • 1 comments

This PR adds Azure Key Vault as a config provider to Spin, as suggested in #1737.

Authentication

Authentication is implemented using ClientCredentialFlow leveraging clientId and clientSecret of an Azure Service Principal (SP).

The SP must have the Key Vault Secrets User role assigned on the scope of the desired Azure Key Vault instance. Additionally, RBAC must be enabled on the Azure Key Vault instance.

Loading Secret Values

Although Azure Key Vault supports multiple versions per secret, this implementation loads the latest version of a particular secret.

Runtime Configuration File

Once the necessary SP and Azure Key Vault have been provisioned and the role assignment is in place, users must provide a corresponding runtime config file:

[[config_provider]]
type = "azure_key_vault"
url = "https://mysecrets.vault.azure.net/"
client_id = "00000000-0000-0000-0000-000000000000"
client_secret = "SomeSauce"
tenant_id = "00000000-0000-0000-0000-000000000000"

ThorstenHans, Sep 22 '23 22:09
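The two HTTP requests implied by the description above (a client credentials token request, then a secret read with no version segment), as an added example that is not code from this PR or from Spin. It assumes the Azure public cloud endpoints and Key Vault REST `api-version=7.4`; the function names and the secret name used in the test are hypothetical, and the requests are only built, never sent.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import Request

# Constructed sample values using the same keys as the runtime config file above.
CONFIG = {
    "url": "https://mysecrets.vault.azure.net/",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "client_secret": "SomeSauce",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
}

def token_request(cfg):
    """Step 1: client credentials grant against the tenant's v2.0 token endpoint."""
    tenant = quote(cfg["tenant_id"], safe="")
    endpoint = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        # Resource-scoped token: only usable against Key Vault.
        "scope": "https://vault.azure.net/.default",
    })
    return Request(endpoint, data=form.encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def access_token(response_body):
    """Extract the bearer token; an error document from the endpoint raises."""
    doc = json.loads(response_body)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("token endpoint did not return a bearer token")
    return doc["access_token"]

def latest_secret_request(cfg, name, token):
    """Step 2: GET the secret without a version segment, which yields the latest version."""
    base = cfg["url"].rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("vault url must use https")  # never send the token in clear
    url = f"{base}/secrets/{quote(name, safe='')}?api-version=7.4"
    return Request(url, headers={"Authorization": f"Bearer {token}"})
```

A 403 on the second request with a valid token usually points at the missing Key Vault Secrets User role assignment or at RBAC not being enabled on the vault, the two prerequisites named in the description.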