azurekeyvault KMS

The Azure Key Vault KMS configures Vault to use Azure Key Vault for key management. The Azure Key Vault KMS is activated by one of the following:

  • The presence of a seal "azurekeyvault" block in Boundary’s configuration file.

azurekeyvault Example

This example shows configuring Azure Key Vault KMS through the Boundary configuration file by providing all the required values:

  1. kms "azurekeyvault" {
  2.   purpose        = "root"
  3.   tenant_id      = "46646709-b63e-4747-be42-516edeaf1e14"
  4.   client_id      = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"
  5.   client_secret  = "DUJDS3..."
  6.   vault_name     = "hc-vault"
  7.   key_name       = "vault_key"
  8. }
  1. kms "azurekeyvault" {  purpose        = "root"  tenant_id      = "46646709-b63e-4747-be42-516edeaf1e14"  client_id      = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"  client_secret  = "DUJDS3..."  vault_name     = "hc-vault"  key_name       = "vault_key"}

azurekeyvault Parameters

These parameters apply to the kms stanza in the Vault configuration file:

  • purpose - Purpose of this KMS, acceptable values are: worker-auth, root, recovery, or config.

  • tenant_id (string: <required>): The tenant id for the Azure Active Directory organization. May also be specified by the AZURE_TENANT_ID environment variable.

  • client_id (string: <required or MSI>): The client id for credentials to query the Azure APIs. May also be specified by the AZURE_CLIENT_ID environment variable.

  • client_secret (string: <required or MSI>): The client secret for credentials to query the Azure APIs. May also be specified by the AZURE_CLIENT_SECRET environment variable.

  • environment (string: "AZUREPUBLICCLOUD"): The Azure Cloud environment API endpoints to use. May also be specified by the AZURE_ENVIRONMENT environment variable.

  • vault_name (string: <required>): The Key Vault vault to use the encryption keys for encryption and decryption. May also be specified by the AZUREKEYVAULT_WRAPPER_VAULT_NAME environment variable.

  • key_name (string: <required>): The Key Vault key to use for encryption and decryption. May also be specified by the AZUREKEYVAULT_WRAPPER_KEY_NAME environment variable.

Authentication

Authentication-related values must be provided, either as environment variables or as configuration parameters.

Azure authentication values: