I am attempting to configure an Azure secrets engine to issue dynamic credentials that will allow some TF code to CRUD Azure AD groups.
I want to create a Vault role that will issue credentials that are part of the Azure AD “Groups administrator” role.
Having read through the engine docs and the engine API docs, I couldn’t find anything that really deals with Azure AD roles. Azure roles and Azure AD groups ARE documented.
I can see two paths forward to achieving my aim here.
- Create a new Azure AD group which has the "Groups administrator" role assigned to it.
- Create a static SP which has the "Groups administrator" role assigned to it.
So, looking for some confirmation and advice that I've understood this correctly.
- The Azure engine doesn't appear to support Azure role assignments to dynamic credentials. Is this correct?
- If this IS correct, I'll raise an issue in the Vault GH asking for the doco to be clarified about this because it's not abundantly clear.
- Of my two paths forward, is there one that is more sensible than the other? This is a request for opinions so please do feel free to elaborate on the WHY you feel this way.
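The two paths in the question map onto two existing fields of a Vault Azure secrets engine role: `azure_groups` (path 1, dynamic service principals added to an existing AD group) and `application_object_id` (path 2, fresh client secrets for one static SP). The snippet below is an added illustration, not code from the original post or from HashiCorp; it builds both role payloads plus a read-only consumer policy, and only talks to a Vault server when `VAULT_ADDR` and `VAULT_TOKEN` are set. The mount path `azure`, the role name `tf-group-admin`, the group name `tf-group-admins` and the all-zero object id are assumed placeholders; the field names `azure_groups`, `application_object_id`, `ttl` and `max_ttl` are the engine's documented role parameters.

```python
"""Build (and optionally write) Vault Azure secrets engine roles for the two
paths discussed above. Assumptions: engine mounted at "azure", role name
"tf-group-admin", group "tf-group-admins" already carries the directory role
that was assigned outside Vault."""
import json
import os
import urllib.request

VAULT_MOUNT = "azure"          # assumed mount path of the Azure secrets engine
VAULT_ROLE = "tf-group-admin"  # assumed Vault role name read by the TF code


def build_group_role(group_name, ttl="1h", max_ttl="24h"):
    """Path 1: dynamic SPs placed into an existing Azure AD group.

    `azure_groups` entries carry either "group_name" or "object_id"; Vault
    expects the array JSON-encoded as a string. The Azure AD directory role
    ("Groups administrator") cannot be expressed here, so it lives on the
    group itself and every SP Vault creates inherits it through membership.
    """
    if not group_name:
        raise ValueError("group_name is required")
    return {
        "azure_groups": json.dumps([{"group_name": group_name}]),
        "ttl": ttl,
        "max_ttl": max_ttl,
    }


def build_static_sp_role(application_object_id, ttl="1h", max_ttl="24h"):
    """Path 2: credentials for one pre-existing service principal.

    With `application_object_id` set, Vault does not create SPs; each read of
    creds/<role> adds a new client secret to that application and removes it
    when the lease expires. The directory role stays on the static SP.
    """
    if not application_object_id:
        raise ValueError("application_object_id is required")
    return {
        "application_object_id": application_object_id,
        "ttl": ttl,
        "max_ttl": max_ttl,
    }


def consumer_policy(role=VAULT_ROLE, mount=VAULT_MOUNT):
    """Least-privilege Vault policy for the Terraform runner: it may read
    credentials for this one role only, never edit the role definition."""
    return (
        'path "%s/creds/%s" {\n'
        '  capabilities = ["read"]\n'
        '}\n' % (mount, role)
    )


def write_role(payload, role=VAULT_ROLE, mount=VAULT_MOUNT):
    """POST the payload to /v1/<mount>/roles/<role>. Network step; requires
    VAULT_ADDR and VAULT_TOKEN. Vault answers 204 on success."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{mount}/roles/{role}",
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    role_payload = build_group_role("tf-group-admins")  # assumed group name
    print(json.dumps(role_payload, indent=2))
    print(consumer_policy())
    if "VAULT_ADDR" in os.environ and "VAULT_TOKEN" in os.environ:
        print("vault responded", write_role(role_payload))
```

The practical difference between the two payloads is the blast radius of a leaked credential: a path-1 SP is a throwaway object that Vault deletes at lease expiry, whereas a path-2 secret belongs to a long-lived SP whose other secrets and history survive revocation of the one lease.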