Azure secrets engine

I am setting up a Proof of Concept for Vault using docker-compose for a client of mine who are heavily invested in Azure. As part of this PoC, I am trying to enable and use dynamic service principals so that they can move to this model of working with their Terraform code, but I’m struggling to get it working.

The problem is, after following all the steps in the documentation, I get an “Authorization_RequestDenied” error message.

Let me take you through the steps I went through.

First I ran this script (obviously substituting the values in):


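```sh
#!/bin/sh
# Credentials of the service principal Vault uses to talk to Azure (placeholders).
export AZURE_SUBSCRIPTION_ID="<subscription-id>"
export AZURE_TENANT_ID="<tenant-id>"
export AZURE_CLIENT_ID="<client-id>"
export AZURE_CLIENT_SECRET="<client-secret>"

# Enable the Azure secrets engine at the default path.
vault secrets enable azure

# Configure the engine with the service principal above.
vault write azure/config \
    subscription_id="$AZURE_SUBSCRIPTION_ID" \
    tenant_id="$AZURE_TENANT_ID" \
    client_id="$AZURE_CLIENT_ID" \
    client_secret="$AZURE_CLIENT_SECRET"

# Role "spike": generated service principals get Contributor on the subscription for 1h.
vault write azure/roles/spike ttl=1h azure_roles=-<<EOF
    [
        {
            "role_name": "Contributor",
            "scope":  "/subscriptions/<subscription-id>"
        }
    ]
EOF
```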

I then ran this command to test:

```sh
vault read azure/creds/spike
```

and got the following error message:

```
Error reading azure/creds/spike: Error making API request.

URL: GET http://127.0.0.1:8200/v1/azure/creds/spike
Code: 500. Errors:

* 1 error occurred:
        * graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-07-23T12:17:44","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"0000000-0000-0000-0000-000000000000"}}]
```

I have substituted out the requestId from the above.

So I changed the role_name from Contributor to Owner.

Same result.

So then I created a custom role on Azure using this command:

```sh
az role definition create --role-definition role.json
```

This is the role definition file it points to:

```json
{
    "Name": "Vault-admin",
    "IsCustom": true,
    "Description": "role for vault to create service principals.",
    "Actions": [
        "*"
    ],
    "NotActions": [

    ],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
    ]
}
```

Again, I have substituted out my actual subscription ID in the above.

I’m still getting the same error message. Please can you lovely folk out there point me in the right direction to help me get this working?

This is the documentation I’ve been following:
https://www.vaultproject.io/docs/secrets/azure/index.html#roles

I also came across this guide, but it seems out of date:
https://github.com/hashicorp/vault-guides/tree/master/secrets/azure-secret

Any help will be greatly appreciated.

Thanks folks

1 Like

I don’t know if you’ve already figured this out, but I remember having a similar issue when I was working on Terraform. Nothing to do with Azure secrets engine, so not sure if this helps. But in my case, I had to add additional API permissions to the service principal (app) that I was using. In your case, the service principal that you are using to configure the Azure secrets engine (vault write azure/config).

From Azure portal: App registrations > select your app > API permissions > click Add a permission

For what I was working on, I had to have both Azure Active Directory Graph and Microsoft Graph APIs. You might want to try if your service principal does not have either one of those APIs.

Hope this helps.

1 Like

This helped me - the portal naturally leads us to set permissions on the “Microsoft Graph API”, which resulted in the 403 insufficient permissions when trying to generate dynamic SPs, but when I granted Applications.ReadWrite.All permissions on the API ‘Azure Active Directory’ it works as expected.

Everywhere I looked the permissions were referenced just as AD with no distinction between the two different APIs. I guess the docs were written at a time when only the Azure AD permissions API was prominent. I’ve added an issue to the GitHub to clarify the requirements. Thanks to this ‘Yoko’ for putting me in the right direction.

1 Like
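Added example (not part of the thread and not Vault's own code): a small Python parser for the error text in the original post, showing that the rejected call comes from the `graphrbac` (Azure AD Graph) client, which is why changing `azure_roles` from Contributor to Owner made no difference. The sample string is constructed from that error, and treating any other SDK package as an Azure RBAC call is an assumption.

```python
import json
import re

# Constructed sample: the error from the original post, cut down to the parts parsed here.
SAMPLE = (
    'graphrbac.ApplicationsClient#Create: Failure responding to request: '
    'StatusCode=403 -- Original Error: autorest/azure: Service returned an error. '
    'Status=403 Code="Unknown" Message="Unknown service error" '
    'Details=[{"odata.error":{"code":"Authorization_RequestDenied",'
    '"message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}]'
)

# "<sdk package>.<client>#<operation>: ... StatusCode=<nnn>"
CALL_RE = re.compile(r'(?P<pkg>\w+)\.(?P<client>\w+)#(?P<op>\w+): .*?StatusCode=(?P<status>\d{3})')


def parse_vault_azure_error(text):
    """Extract SDK package, client, operation, HTTP status and OData error code."""
    m = CALL_RE.search(text)
    if m is None:
        return None
    info = m.groupdict()
    info["status"] = int(info["status"])
    info["odata_code"] = None
    start = text.find("Details=", m.end())
    if start != -1:
        try:
            # raw_decode reads one JSON value and ignores whatever follows it.
            details, _ = json.JSONDecoder().raw_decode(text[start + len("Details="):])
            info["odata_code"] = details[0]["odata.error"]["code"]
        except (ValueError, KeyError, IndexError, TypeError):
            pass  # truncated or unexpected Details: keep odata_code as None
    return info


def diagnose(text):
    """Say which permission plane rejected the call."""
    info = parse_vault_azure_error(text)
    if info is None:
        return "unrecognised error format"
    if info["status"] != 403:
        return f"HTTP {info['status']} from {info['pkg']}: not an authorization failure"
    if info["pkg"] == "graphrbac":
        return ("directory API denied {client}#{op}: check the API permissions on the app "
                "registration used in azure/config; azure_roles does not affect this call").format(**info)
    # Assumption: any other SDK package is an Azure Resource Manager (RBAC) call.
    return "{pkg} denied {client}#{op}: check the Azure role assignments of the configured principal".format(**info)
```

Calling `diagnose()` on the full `vault read` error output works the same way, since the parser only looks for the SDK call marker and the `Details=` JSON.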

Thanks folks - I did figure it out. In the end, it was about assigning the correct role to the service principal. I meant to write it up and post it in here but I’ve been struggling to find the time. Appreciate your responses.

Thank you for the solution.

Do we really need to give API permissions to all 67 mentioned in Microsoft Graph, as it is not allowed in production? I have to give fine-grained access by removing unwanted API permissions and make that work. Currently it is working for me with full API permission.

My service principal had Microsoft Graph API enabled (I use this account for all sorts of testing), but I don’t believe you need it for Azure Secrets Engine.

You need the following Azure Active Directory Graph API, and that should be enough:

2 Likes

Thank you. This helped me with the setup.

1 Like