From a718535e5d53cc656adea6a68a570d184196edff Mon Sep 17 00:00:00 2001 From: Jaired Jawed Date: Sun, 8 Jun 2025 12:33:40 -0700 Subject: [PATCH] update docs to state that either bound_service_principal_ids or bound_group_ids parameters are required --- website/content/api-docs/auth/azure.mdx | 9 ++++++--- website/content/docs/auth/azure.mdx | 19 ++++++++++++++----- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/website/content/api-docs/auth/azure.mdx b/website/content/api-docs/auth/azure.mdx index 4c090a857e6..9c28c6f5e3b 100644 --- a/website/content/api-docs/auth/azure.mdx +++ b/website/content/api-docs/auth/azure.mdx @@ -164,9 +164,9 @@ entities attempting to login. - `name` `(string: )` - Name of the role. - `bound_service_principal_ids` `(array: [])` - The list of Service Principal IDs - that login is restricted to. + that login is restricted to. Either this parameter or `bound_group_ids` must be set. - `bound_group_ids` `(array: [])` - The list of group ids that login is restricted - to. + to. Either this parameter or `bound_service_principal_ids` must be set. - `bound_locations` `(array: [])` - The list of locations that login is restricted to. - `bound_subscription_ids` `(array: [])` - The list of subscription IDs that login is restricted to. @@ -177,6 +177,8 @@ entities attempting to login. @include 'tokenfields.mdx' +~> **Note:** When creating a role, you must specify either `bound_service_principal_ids` or `bound_group_ids`. These parameters are mutually exclusive - you cannot set both, but you must set one of them. + ### Sample payload ```json @@ -184,7 +186,8 @@ entities attempting to login. "token_policies": ["default", "dev", "prod"], "max_ttl": 1800000, "max_jwt_exp": 10000, - "bound_resource_groups": ["vault-dev", "vault-staging", "vault-prod"] + "bound_resource_groups": ["vault-dev", "vault-staging", "vault-prod"], + "bound_service_principal_ids": ["3cb88732-1356-4782-b671-4877166be01a"] } ``` 
diff --git a/website/content/docs/auth/azure.mdx b/website/content/docs/auth/azure.mdx index 8476a72914f..f2956a18252 100644 --- a/website/content/docs/auth/azure.mdx +++ b/website/content/docs/auth/azure.mdx @@ -105,10 +105,7 @@ $ vault write auth/azure/login \ vm_name="test-vm" ``` -The `role` and `jwt` parameters are required. When using -`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the -information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When -using other `bound_*` parameters, calls to Azure APIs will be made and +The `role` and `jwt` parameters are required. The JWT must contain all role binding information (except for `vm_name`, `vmss_name`, and `resource_id`). When using additional `bound_*` parameters beyond `bound_service_principal_ids` or `bound_group_ids`, Azure API calls will be made and `subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required and can be obtained through instance metadata. @@ -216,7 +213,8 @@ tool. $ vault write auth/azure/role/dev-role \ policies="prod,dev" \ bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \ - bound_resource_groups=vault + bound_resource_groups=vault \ + bound_service_principal_ids=3cb88732-1356-4782-b671-4877166be01a ``` Roles are associated with an authentication type/entity and a set of Vault 
@@ -224,6 +222,17 @@ tool. authentication type, as well as overall constraints and configuration for the generated auth tokens. + Note: Each role must specify either `bound_service_principal_ids` or `bound_group_ids` to restrict which Azure identities (service principals or group members) can authenticate to this role. + Here's an alternative example using `bound_group_ids`: + + ```shell-session + $ vault write auth/azure/role/prod-role \ + policies="prod" \ + bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \ + bound_resource_groups=vault \ + bound_group_ids=12345678-1234-1234-1234-123456789012 + ``` + For the complete list of role options, please see the [API documentation](/vault/api-docs/auth/azure). ### Via the API
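Review bot: In the `api-docs/auth/azure.mdx` hunk at `@@ -164,9 +164,9 @@`, "Either this parameter or `bound_group_ids` must be set" leaves open whether both may be set, while the `~> **Note:**` added two hunks later in the same file says the two are mutually exclusive. The parameter list is what API consumers read first, so state the full rule there as well, e.g. "Exactly one of `bound_service_principal_ids` or `bound_group_ids` must be set" if they are exclusive, or "At least one of ..." if they are not, and use the same wording in both parameter entries.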
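Review bot: In the `@@ -177,6 +177,8 @@` hunk, the claim "These parameters are mutually exclusive - you cannot set both" is the only place in the patch that asserts exclusivity; the commit subject and the `docs/auth/azure.mdx` note both say only that one of the two is required, and the original docs paragraph removed in the next file referred to "using `bound_service_principal_ids` and `bound_group_ids`" together. Confirm against the plugin's role-write validation before documenting a rejection of both-set roles; if both are in fact accepted, drop the exclusivity sentence, and if they are rejected, say so consistently in all three places. Also replace the spaced hyphen with a semicolon or period to match the surrounding prose.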
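Review bot: In the `docs/auth/azure.mdx` hunk at `@@ -105,10 +105,7 @@`, the rewrite drops the distinction the removed text made: with `bound_service_principal_ids` and `bound_group_ids` the check is satisfied from the JWT claims alone, whereas other `bound_*` parameters trigger Azure API calls. "The JWT must contain all role binding information" is ambiguous about which claims are meant and reads as if every binding is claim-based. Suggest keeping the two cases explicit, e.g. "`bound_service_principal_ids` and `bound_group_ids` are verified from the JWT claims; any other `bound_*` parameter causes calls to Azure APIs, for which `subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are required and can be obtained through instance metadata." Operators rely on this to know which bindings are checked against Azure rather than only against the presented token. Wrap the new line at the same width as the surrounding paragraph instead of one long line.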
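Review bot: In the `@@ -224,6 +222,17 @@` hunk, the added note uses a plain "Note:" paragraph while the api-docs change in this same patch uses the `~> **Note:**` callout; use the docs site's callout convention here too. The added lines also appear to carry a leading space of indentation ("+ Note:", "+ ```shell-session"), which in MDX can push the paragraph and the fenced block out of alignment with the unindented text around them; check that they start at column 0 like the existing `$ vault write auth/azure/role/dev-role` example. This note also omits the mutual-exclusivity statement made in the api-docs hunk, so the two pages currently describe the rule differently.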