scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update Azure secrets docs + deprecation (#25637)

Browse Source 
* Update Azure secrets docs + deprecation

* add changelog

* update

* update docs

* update deprec doc
This commit is contained in:
Milena Zlaticanin
2024-02-28 11:59:00 -07:00
committed by GitHub
parent 9da2868d4b
commit 3a844a2e45
3 changed files with 24 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/25637.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:deprecation
secrets/azure: Deprecate field "password_policy" as we are not able to set it anymore with the new MS Graph API.
```

4
website/content/api-docs/secret/azure.mdx
View File

@@ -34,8 +34,6 @@ service principals. Environment variables will override any parameters set in th
provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details. provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details.
- `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT - `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
environment variable. If not specified, Vault will use Azure Public Cloud. environment variable. If not specified, Vault will use Azure Public Cloud.
- `password_policy` `(string: "")` - Specifies a [password policy](/vault/docs/concepts/password-policies) to
use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when - `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format). rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
@@ -48,7 +46,6 @@ service principals. Environment variables will override any parameters set in th
"client_id": "e607c4...", "client_id": "e607c4...",
"client_secret": "9a6346...", "client_secret": "9a6346...",
"environment": "AzureGermanCloud", "environment": "AzureGermanCloud",
"password_policy": "azure_policy",
"root_password_ttl": "48d" "root_password_ttl": "48d"
} }
``` ```
@@ -76,7 +73,6 @@ $ vault write azure/config \
client_id="e607c4...", client_id="e607c4...",
client_secret="9a6346...", client_secret="9a6346...",
environment="AzureGermanCloud", environment="AzureGermanCloud",
password_policy="azure_policy"
``` ```
</Tab> </Tab>

4
website/content/docs/deprecation/index.mdx
View File

@@ -19,7 +19,7 @@ This announcement page is maintained and updated periodically to communicate imp
~> **Note**: All specified targeted version announcements for End of Support and Feature Removal may be subject to change. ~> **Note**: All specified targeted version announcements for End of Support and Feature Removal may be subject to change.
| Feature | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact | Resources | | Feature | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact | Resources |
| ------------------------------------------------- | ------------------------ | -------------- | --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |-------------------------------------------------------------|--------------------------|----------------|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Active Directory Secrets Engine | 1.13 | v1.18 | v1.19 | Use the [LDAP Secrets Engine](/vault/docs/secrets/ldap) with the `ad` [schema](/vault/api-docs/secret/ldap#schema) | [Migration Guide](/vault/docs/secrets/ad/migration-guide) | | Active Directory Secrets Engine | 1.13 | v1.18 | v1.19 | Use the [LDAP Secrets Engine](/vault/docs/secrets/ldap) with the `ad` [schema](/vault/api-docs/secret/ldap#schema) | [Migration Guide](/vault/docs/secrets/ad/migration-guide) |
| Vault Enterprise storage backend | N/A | v1.12 | N/A | Use [Integrated Storage](/vault/docs/configuration/storage/raft) or [Consul](/vault/docs/configuration/storage/consul) as your Vault's storage backend. Vault Enterprise will no longer start up if configured to use a storage backend other than Integrated Storage or Consul. | [Upgrade Guide](/vault/docs/upgrading/upgrade-to-1.12.x) | | Vault Enterprise storage backend | N/A | v1.12 | N/A | Use [Integrated Storage](/vault/docs/configuration/storage/raft) or [Consul](/vault/docs/configuration/storage/consul) as your Vault's storage backend. Vault Enterprise will no longer start up if configured to use a storage backend other than Integrated Storage or Consul. | [Upgrade Guide](/vault/docs/upgrading/upgrade-to-1.12.x) |
| Vault generation of Dynamic SSH Keys | v0.7.1 | N/A | v1.13 | Use the alternative [signed SSH certificates](/vault/docs/secrets/ssh/signed-ssh-certificates) feature which supports key pair generation as of Vault 1.12. SSH certificates do not require an external connection from Vault to provision the key/certificate and more secure than having Vault provision dynamic SSH keys. | [SSH Certificates](/vault/docs/secrets/ssh/signed-ssh-certificates) | | Vault generation of Dynamic SSH Keys | v0.7.1 | N/A | v1.13 | Use the alternative [signed SSH certificates](/vault/docs/secrets/ssh/signed-ssh-certificates) feature which supports key pair generation as of Vault 1.12. SSH certificates do not require an external connection from Vault to provision the key/certificate and more secure than having Vault provision dynamic SSH keys. | [SSH Certificates](/vault/docs/secrets/ssh/signed-ssh-certificates) |
@@ -37,6 +37,8 @@ This announcement page is maintained and updated periodically to communicate imp
| Vault Agent API proxy support | v1.14 | v1.16 | v1.17 | Migrate to [Vault Proxy](/vault/docs/proxy/index) by v1.17 | | Vault Agent API proxy support | v1.14 | v1.16 | v1.17 | Migrate to [Vault Proxy](/vault/docs/proxy/index) by v1.17 |
| Centrify Auth Method | v1.15 | v1.17 | v1.17 | Use as an external plugin, but support will not be available. | | | Centrify Auth Method | v1.15 | v1.17 | v1.17 | Use as an external plugin, but support will not be available. | |
| AWS secrets engine field change | v1.16 | N/A | N/A | The `security_token` field returned for AssumeRole and FederationToken credentials is deprecated in favor of the current term `session_token`. | [AWS secrets engine API documentation](/vault/api-docs/secret/aws) | | AWS secrets engine field change | v1.16 | N/A | N/A | The `security_token` field returned for AssumeRole and FederationToken credentials is deprecated in favor of the current term `session_token`. | [AWS secrets engine API documentation](/vault/api-docs/secret/aws) |
| Azure secrets password policy | N/A | v1.16 | N/A | The `password_policy` field is deprecated because MS Graph API doesn't let you provide a password, instead returns one to the client, making `password_policy` field unusable. | [MS GRAPH APP API](https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http) [MS GRAPH SP API](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=http) |
*If you use **Standalone DB Engines** or **AppID (Community)**, you should actively plan to migrate away from their usage. If you use these features and upgrade to Release 1.12, Vault will log error messages and shut down, and any attempts to add new mounts will result in an error. *If you use **Standalone DB Engines** or **AppID (Community)**, you should actively plan to migrate away from their usage. If you use these features and upgrade to Release 1.12, Vault will log error messages and shut down, and any attempts to add new mounts will result in an error.
This behavior may temporarily be overridden when starting the Vault server by using the `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` environment variable until they are officially removed in Vault version 1.13. This behavior may temporarily be overridden when starting the Vault server by using the `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` environment variable until they are officially removed in Vault version 1.13.