hashicorp / vault-plugin-secrets-azure

Vault Azure Secrets plugin
Mozilla Public License 2.0

How do we tell if a secrets engine is configured to use the Graph API? #78

Closed ausfestivus closed 2 years ago

ausfestivus commented 2 years ago

Morning,

I've enabled an Azure Secrets Engine and configured it to use the MS Graph API.

vault secrets enable -path=${AZ_SECRET_PATH} azure
vault write ${AZ_SECRET_PATH}/config \
     subscription_id=${ARM_SUBSCRIPTION_ID} \
     tenant_id=${ARM_TENANT_ID} \
     client_id=${ARM_CLIENT_ID} \
     client_secret=${ARM_CLIENT_SECRET} \
         use_microsoft_graph_api=true

How can I validate that it IS using the Graph API though?

If I do vault read ${AZ_SECRET_PATH}/config, though, it doesn't describe this in the output.

vault read ${AZ_SECRET_PATH}/config
Key                Value
---                -----
client_id          XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
environment        n/a
subscription_id    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
tenant_id          XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

What's the best way to validate that it is behaving as it should?

ausfestivus commented 2 years ago

Found the answer to this question. It's displayed when you show the engine's config.

vault read ${AZ_SECRET_PATH}/config
Key                Value
---                -----
client_id          XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
environment        n/a
subscription_id    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
tenant_id          XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
use_microsoft_graph_api    true
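The validation step the thread lands on (reading the engine's config and looking for use_microsoft_graph_api true) is easy to turn into a scripted check, so that a deployment pipeline fails if the secrets engine was left on the legacy API. The following is an added example, not code from the issue or from the vault-plugin-secrets-azure project; it parses the table output of `vault read <path>/config` and assumes the key appears exactly as shown above. The sample outputs are constructed to mirror the two reads in the thread so the check runs offline.

```shell
# Added example, not part of the issue thread or the plugin's own code.
# graph_api_enabled reads `vault read <path>/config` table output on stdin and
# succeeds (exit 0) only when the use_microsoft_graph_api key is reported as true.
graph_api_enabled() {
  awk '$1 == "use_microsoft_graph_api" && $2 == "true" { found = 1 }
       END { exit found ? 0 : 1 }'
}

# Constructed sample outputs, mimicking the two config reads shown in the issue.
SAMPLE_WITHOUT_FLAG='Key                Value
---                -----
client_id          XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
environment        n/a
subscription_id    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
tenant_id          XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'

SAMPLE_WITH_FLAG="$SAMPLE_WITHOUT_FLAG
use_microsoft_graph_api    true"

# check_sample prints "graph" when the captured output shows the flag set,
# and "legacy" otherwise (the flag absent or not equal to true).
check_sample() {
  if printf '%s\n' "$1" | graph_api_enabled; then
    echo graph
  else
    echo legacy
  fi
}

# Live usage against a real Vault (assumes VAULT_ADDR/VAULT_TOKEN are set and
# AZ_SECRET_PATH names the mount, as in the issue):
#   vault read "${AZ_SECRET_PATH}/config" | graph_api_enabled && echo "Graph API in use"
# With structured output, the same value is available as JSON:
#   vault read -format=json "${AZ_SECRET_PATH}/config" | jq -r '.data.use_microsoft_graph_api'
```

Pipe the real `vault read` output into graph_api_enabled in a CI step and treat a non-zero exit as a misconfiguration; the JSON form is preferable in scripts because it does not depend on column layout.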