Open Yakuza-UA opened 2 years ago
+1 - would love to see this. Similar and related to the issue I raised https://github.com/hashicorp/vault-plugin-secrets-azure/issues/102. Azure AD permissions and Azure resource permissions are very different things - would be great to see this reflected in the plugin. Subscription permissions are not always necessary!
duplicate of #92
This is not an issue, rather a question. I have configured the Azure secrets engine using my PoC instance of Vault and I do love dynamic SPI generation. I have, however, noticed that SPIs created by this engine lack Microsoft Graph API permissions and I cannot find a way to configure this via Vault's role configuration (to grant certain MS Graph API permissions).
Also, I've noticed in the documentation that dynamic SPI/secrets are good for managing RBAC resources, but if something else is required (i.e. Azure AD?) then a pre-configured SPI should be used.
Our use case: We have a Terraform module which creates resource groups, but simultaneously creates AAD groups and assigns permissions to these groups using the newly created resource group as the scope. For this, Terraform must authenticate with Azure using an SPI that has MS Graph API permissions to manage AAD groups (in addition to relevant RBAC permissions).
Is my understanding correct that this is currently not possible with the Azure secrets engine for Vault? I say currently as I hope this will be supported in future, because in our case this significantly limits the usage of the Azure secrets engine. Our InfoSec loves the capability of dynamic SPI creation with the ability to revoke leases and audit logs. We'd like to move to Production with Vault and would love to get this clarified before we have the meeting with your sales team next week to discuss the HCP Vault platform.
Please feel free to close this issue and point me in the right direction. Many thanks.