hashicorp / vault-plugin-secrets-azure

Vault Azure Secrets plugin
Mozilla Public License 2.0

debugging eventual consistency issue #170

Closed Zlaticanin closed 6 months ago

Zlaticanin commented 10 months ago

This PR is for debugging the eventual consistency issue and reproducing the error.

This test sends out 100 requests in parallel to create Azure Resource Groups. The test counts how many successful requests were made compared to the requests that failed due to providing an invalid secret. This test can be run with both app & sp credentials.

Azure api-docs & docs

  1. Enable the Azure secrets engine:
    vault secrets enable azure
  2. Configure the secrets engine with account creds (these creds can be found by logging in to the Azure portal (1password) and searching for the Team Vault subscription):
    vault write azure/config \
    subscription_id=$AZURE_SUBSCRIPTION_ID \
    tenant_id=$AZURE_TENANT_ID \
    client_id=$AZURE_CLIENT_ID \
    client_secret=$AZURE_CLIENT_SECRET
  3. To run this test with an app id, you need to register an application in the Azure portal (if you don't already have one): App registrations → New registration → Register. You will need to add API permissions to your application. You will need:
    • Application.ReadWrite.All
    • GroupMember.ReadWrite.All
    Make sure to Grant admin consent for Default Directory.

Now go to Team Vault Subscription → Access control (IAM) → Add role assignment → Privileged administrator roles → Select Owner → Go to Members → Select Members → Add the application you just registered → Not constrained Delegation type → Review and assign

There are two ways to configure a role. A role may be set up with either an existing service principal, or a set of Azure roles that will be assigned to a dynamically created service principal.

  1. To configure a role with an already existing service principal, the user would have to provide an application_object_id:
    vault write azure/roles/test-role \
        application_object_id=<existing_app_obj_id> \
        ttl=10h
  2. Alternatively, the user can configure the role to dynamically create a new service principal with Azure roles:
    vault write azure/roles/test-role ttl=10h azure_roles=-<<EOF
    [
        {
            "role_name": "Contributor",
            "scope":  "/subscriptions/<uuid>"
        }
    ]
    EOF
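The tally the PR's test performs, as an added example that is not the PR's own code: 100 concurrent attempts with a freshly issued credential are classified into successes, failures caused by an invalid secret, and other errors. Azure is replaced by a constructed `lagSP` simulator whose secret only becomes visible after a fixed number of requests, and `ErrInvalidSecret`, `Outcome` and `runParallel` are names assumed for this example.

```go
package main

import (
	"errors"
	"sync"
	"sync/atomic"
)

// ErrInvalidSecret stands in for Azure rejecting a not-yet-propagated client secret (constructed, not an SDK value).
var ErrInvalidSecret = errors.New("invalid client secret")

// lagSP simulates a service principal whose freshly created secret becomes visible only after `lag` requests.
type lagSP struct{ lag, calls int64 }

// authenticate plays the role of the token request the real test issues with the new credential.
func (s *lagSP) authenticate() error {
	if atomic.AddInt64(&s.calls, 1) <= s.lag {
		return ErrInvalidSecret
	}
	return nil
}

// Outcome is the tally the PR's test reports: successes, invalid-secret failures, and other errors.
type Outcome struct{ Success, InvalidSecret, Other int }

// runParallel fires n attempts concurrently and classifies each result.
func runParallel(n int, attempt func() error) Outcome {
	var mu sync.Mutex
	var wg sync.WaitGroup
	var out Outcome
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			err := attempt()
			mu.Lock()
			defer mu.Unlock()
			switch {
			case err == nil:
				out.Success++
			case errors.Is(err, ErrInvalidSecret):
				out.InvalidSecret++
			default:
				out.Other++
			}
		}()
	}
	wg.Wait()
	return out
}
```

Swapping `lagSP.authenticate` for a real token request against the dynamically created service principal gives the same success/invalid-secret split the PR collected.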
raymonstah commented 6 months ago

I think it's safe to close this PR at this point. This was instrumental in getting us the data points we needed to provide to Microsoft, and may be revisited when a fix is implemented.