secrets/azure: adds permissions note on rotate root and change role assignment (#22024)

2025-10-30 18:17:55 +00:00 · 2023-07-21 14:58:11 -07:00
parent fe013a987a
commit 4811ef9cc3
1 changed files with 7 additions and 3 deletions
--- a/website/content/docs/secrets/azure.mdx
+++ b/website/content/docs/secrets/azure.mdx
@@ -237,6 +237,9 @@ service principals.
 | Application.ReadWrite.OwnedBy | Application |
 | GroupMember.ReadWrite.All     | Application |

+~> **Note**: If you plan to use the [rotate root](/vault/api-docs/secret/azure#rotate-root)
+credentials API, you'll need to change `Application.ReadWrite.OwnedBy` to `Application.ReadWrite.All`.
+
 #### Existing Service Principals

 | Permission Name               | Type        |
@@ -251,8 +254,8 @@ must be granted in order for the secrets engine to manage role assignments for s
 principles it creates.

 | Role                                           | Scope        | Security Principal                          |
-| ----- | ------------ | ------------------------------------------- |
-| Owner | Subscription | Service Principal ID given in configuration |
+|------------------------------------------------| ------------ | ------------------------------------------- |
+| [User Access Administrator][user_access_admin] | Subscription | Service Principal ID given in configuration |

 ## Choosing between dynamic or existing service principals

@@ -320,3 +323,4 @@ for more details.
 [api]: /vault/api-docs/secret/azure
 [config]: /vault/api-docs/secret/azure#configure-access
 [repo]: https://github.com/hashicorp/vault-plugin-secrets-azure
+[user_access_admin]: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator