» vault_azure_access_credentials

Reads Azure credentials from an Azure secret backend in Vault.

» Description

This data source exists to pull short-lived Azure credentials from Vault for use in Terraform. By default, it returns a dynamically generated client_id and client_secret without testing whether they have fully propagated through Azure Active Directory, so a plan that uses them immediately may fail with authentication errors. Setting validate_creds to true causes the credentials to be tested before they are returned. This increases the time it takes for the credentials to be returned and blocks Terraform's execution until they are ready. Note that, like any data source attribute, the returned client_secret is written to the Terraform state, so the state must be protected accordingly.

If validate_creds is true, the credentials are validated by making a test call to Azure every 7 seconds by default; once 8 successes in a row have been observed, the credentials are returned. A failed call resets the count, so a credential that is visible on some directory replicas but not yet on others does not pass validation on a single lucky success. We have seen propagation times of up to 15 minutes, so the maximum length of the check defaults to 20 minutes. Propagation times vary widely with each company's Azure usage, so all of these settings are configurable.

Credentials are tested by attempting to refresh a client token with them, i.e. by authenticating to Azure Active Directory as the newly generated service principal.
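The polling behaviour described above, written out as an added Go example (this is illustrative code, not the provider's own implementation). It assumes a hypothetical SimulatedDirectory that stands in for Azure AD's eventually consistent replicas and a fake clock so the 20-minute worst case runs instantly; the replica timings are constructed for the example. The point it makes is why num_sequential_successes exists at all: with three replicas that converge at different times, a single early success would have handed out a credential that still fails on two out of three token requests.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrValidationTimeout is returned when max_cred_validation_seconds elapses
// before the required run of consecutive successes is observed.
var ErrValidationTimeout = errors.New("gave up validating credentials")

// Clock lets the polling loop be driven by simulated time in this example.
// A real implementation would simply sleep on the wall clock.
type Clock struct {
	Now   func() time.Time
	Sleep func(time.Duration)
}

// NewFakeClock returns a clock whose Sleep advances Now instantly.
// Constructed for this example so the loop does not really wait.
func NewFakeClock(start time.Time) *Clock {
	now := start
	return &Clock{
		Now:   func() time.Time { return now },
		Sleep: func(d time.Duration) { now = now.Add(d) },
	}
}

// ValidateCreds is the poll loop with the data source's three knobs: test
// every `between`, require `needed` successes in a row (any failure resets
// the run to zero), and give up once `maxWait` has elapsed. It returns the
// number of test calls made so the effect of each setting is visible.
func ValidateCreds(test func() error, needed int, between, maxWait time.Duration, clk *Clock) (int, error) {
	start := clk.Now()
	attempts, streak := 0, 0
	for {
		attempts++
		if err := test(); err != nil {
			streak = 0 // a replica still lacks the credential: start the run over
		} else {
			streak++
			if streak >= needed {
				return attempts, nil
			}
		}
		if clk.Now().Sub(start) >= maxWait {
			return attempts, fmt.Errorf("%w after %d attempts", ErrValidationTimeout, attempts)
		}
		clk.Sleep(between)
	}
}

// SimulatedDirectory (hypothetical) models eventually consistent replicas:
// replica i can authenticate the new service principal only once
// replicaReady[i] has elapsed since creation, and each token request lands
// on the next replica in round-robin order.
type SimulatedDirectory struct {
	replicaReady []time.Duration
	created      time.Time
	clk          *Clock
	next         int
}

// TokenRequest models "refresh a client token with the credentials".
func (d *SimulatedDirectory) TokenRequest() error {
	i := d.next % len(d.replicaReady)
	d.next++
	if d.clk.Now().Sub(d.created) < d.replicaReady[i] {
		return fmt.Errorf("replica %d: invalid_client (service principal not yet visible)", i)
	}
	return nil
}

// RunSimulation creates a directory with the given per-replica propagation
// delays and validates a fresh credential against it with the given settings.
func RunSimulation(replicaReady []time.Duration, needed int, between, maxWait time.Duration) (int, error) {
	clk := NewFakeClock(time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC))
	dir := &SimulatedDirectory{replicaReady: replicaReady, created: clk.Now(), clk: clk}
	return ValidateCreds(dir.TokenRequest, needed, between, maxWait, clk)
}

func main() {
	defaults := func(ready ...time.Duration) (int, error) {
		return RunSimulation(ready, 8, 7*time.Second, 1200*time.Second)
	}
	// Replicas converge within a minute; the run of 8 completes at t=112s.
	n, err := defaults(0, 30*time.Second, 60*time.Second)
	fmt.Println("converging directory:", n, "tests, err =", err)
	// One replica never converges inside the window, so the streak never
	// exceeds 2 and the loop gives up at max_cred_validation_seconds.
	n, err = defaults(0, 0, 2000*time.Second)
	fmt.Println("stuck replica:", n, "tests, err =", err)
}
```

With the defaults (8 successes, 7 seconds apart, 20-minute cap) the converging directory needs 17 test calls before 8 consecutive successes are seen, while the stuck replica causes the loop to time out after 173 calls; lowering num_sequential_successes below the number of replicas would let the second case pass validation and hand Terraform a credential that intermittently fails.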

» Example Usage

data "vault_azure_access_credentials" "creds" {
  backend                     = "azure" // mount path of the Azure secret backend
  role                        = "my-role"
  validate_creds              = true
  num_sequential_successes    = 8
  num_seconds_between_tests   = 7
  max_cred_validation_seconds = 1200 // 20 minutes
}

provider "azurerm" {
  client_id     = "${data.vault_azure_access_credentials.creds.client_id}"
  client_secret = "${data.vault_azure_access_credentials.creds.client_secret}"
  // tenant_id and subscription_id are also required by the azurerm provider
}

» Argument Reference

The following arguments are supported:

  • backend - (Required) The path to the Azure secret backend to read credentials from, with no leading or trailing /s.

  • role - (Required) The name of the Azure secret backend role to read credentials from, with no leading or trailing /s.

  • validate_creds - (Optional) Whether generated credentials should be validated before being returned. Defaults to false, which returns credentials without checking whether they have fully propagated throughout Azure Active Directory. Setting it to true enables the testing described above.

  • num_sequential_successes - (Optional) If 'validate_creds' is true, the number of sequential successes required to validate generated credentials. Defaults to 8.

  • num_seconds_between_tests - (Optional) If 'validate_creds' is true, the number of seconds to wait between each test of generated credentials. Defaults to 7.

  • max_cred_validation_seconds - (Optional) If 'validate_creds' is true, the number of seconds after which to give up validating credentials. Defaults to 1,200 (20 minutes).

» Attributes Reference

In addition to the arguments above, the following attributes are exported:

  • client_id - The client id for credentials to query the Azure APIs.

  • client_secret - The client secret for credentials to query the Azure APIs.

  • lease_id - The lease identifier assigned by Vault.

  • lease_duration - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

  • lease_start_time - As a convenience, this records the current time on the computer where Terraform is running when the data is requested. This can be used to approximate the absolute time represented by lease_duration, though users must allow for any clock drift and response latency relative to the Vault server.

  • lease_renewable - true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.