azurekeyvault KMS
The Azure Key Vault KMS configures Boundary to use Azure Key Vault for key management. The Azure Key Vault KMS is activated by one of the following:
- The presence of a
seal "azurekeyvault"
block in Boundary's configuration file.
azurekeyvault
example
This example shows configuring Azure Key Vault KMS through the Boundary configuration file by providing all the required values:
azurekeyvault
parameters
These parameters apply to the kms
stanza in the Vault configuration file:
purpose
- Purpose of this KMS, acceptable values are:worker-auth
,worker-auth-storage
,root
,previous-root
,recovery
,bsr
, orconfig
.tenant_id
(string: <required>)
: The tenant id for the Azure Active Directory organization. May also be specified by theAZURE_TENANT_ID
environment variable.client_id
(string: <required or MSI>)
: The client id for credentials to query the Azure APIs. May also be specified by theAZURE_CLIENT_ID
environment variable.client_secret
(string: <required or MSI>)
: The client secret for credentials to query the Azure APIs. May also be specified by theAZURE_CLIENT_SECRET
environment variable.environment
(string: "AZUREPUBLICCLOUD")
: The Azure Cloud environment API endpoints to use. May also be specified by theAZURE_ENVIRONMENT
environment variable.vault_name
(string: <required>)
: The Key Vault vault to use the encryption keys for encryption and decryption. May also be specified by theAZUREKEYVAULT_WRAPPER_VAULT_NAME
environment variable.key_name
(string: <required>)
: The Key Vault key to use for encryption and decryption. May also be specified by theAZUREKEYVAULT_WRAPPER_KEY_NAME
environment variable.
Authentication
Authentication-related values must be provided, either as environment variables or as configuration parameters.
Azure authentication values: