https://www.hashicorp.com/blog/integrating-azure-ad-identity-hashicorp-vault-part-1-application-auth-oidc
Submission: On November 18 via manual from US — Scanned from DE
INTEGRATING AZURE AD IDENTITY WITH HASHICORP VAULT — PART 1: AZURE APPLICATION AUTH VIA OIDC

Learn how to achieve user authentication to HashiCorp Vault with OIDC using Microsoft Azure AD as a central identity provider.

Jan 04 2022, Rob Barnes

When applying a zero trust security mindset to applications and infrastructure, identity is the foundational component that the zero trust pillars are built on. Centrally managing secrets and identity is fundamental to the success of zero trust, because managing secrets in multiple places with IP addresses quickly becomes cumbersome and error-prone. A single source of truth means a single control plane can be used to verify everything.

Using HashiCorp Vault's many secrets engines, short-lived credentials can be provisioned for most application and infrastructure components. As Vault manages and issues credentials, it brokers identity for almost everything from databases and message queues to public cloud platforms, including Microsoft Azure. Vault manages the entire lifecycle of the credential, acting as the centralized identity broker for these third-party platforms.

However, users and applications still need to authenticate with Vault before they can request platform credentials. This first authentication is often called "secret zero". Securely introducing secret zero to applications is one of the biggest challenges facing developers: there needs to be a way of providing it to the application without leaking it.
This blog post shows how Azure users with existing Azure Active Directory setups can configure an Azure application to facilitate authentication with Vault using OIDC. Part 2 of this series explains how to configure HashiCorp Vault's OIDC auth method to use Azure as an identity provider. The third and final installment demonstrates how Azure workloads can use their cloud-native identities to authenticate with Vault.

»AZURE AD AS AN IDENTITY PROVIDER

While user and application identity can be provisioned and managed in Vault, many organizations operating in Azure will already have this in place using Azure Active Directory (AAD). In this context we can think of AAD as the identity provider (IdP). Vault has the concept of auth methods, plugin-based components that allow organizations to bring their own IdP to Vault. The common way to achieve this for users is OpenID Connect (OIDC), which allows clients to verify the identity of the end user based on the authentication performed by an authorization server. In this case, once a user has authenticated to AAD, AAD acts as the authorization server: it signs a JSON Web Token (JWT) and passes that JWT to Vault, which uses it to authenticate the user. This is made possible by the JWT/OIDC auth method in Vault.

For virtual machines (VMs) and Azure-based applications, it works similarly, using JWTs under the hood. Identities provisioned by Azure, whether system-assigned or user-assigned, can use their Azure-signed JWTs to authenticate with Vault. These identities are attached to workloads in Azure, and those workloads can then authenticate with Vault using the Azure auth method.

»AZURE AD APPLICATION FOR OIDC

In order to configure Vault's OIDC auth method to use AAD as an OIDC provider, Vault needs to be registered as an application in AAD. This application identity is what Vault uses to authenticate with Azure in order to verify the signed JWTs and read any group claims within the token.
The application can be registered in the Azure portal or by using the Azure CLI. This registered application does not require any Microsoft Graph API permissions to work with Vault's OIDC auth method. To ease the process of registering the application in AAD, I have built a Terraform module that registers the application in AAD with the correct configuration. The module also creates a client_secret that Vault can use in combination with the client_id to authenticate with Azure. This module was built using the recently released Terraform AzureAD provider 2.0.

```hcl
# Azure AD provider; credentials come from the environment or the az CLI login.
provider "azuread" {}

# Registers the Vault application in AAD with the configuration the
# OIDC auth method expects.
module "application" {
  source  = "devops-rob/app-vault/azuread"
  version = "0.1.0"
}

# Display name of the registered application.
output "display_name" {
  value = module.application.application_name
}

# client_secret for Vault's OIDC config; marked sensitive so Terraform
# redacts it from plan and apply output.
output "password" {
  value     = module.application.client_secret
  sensitive = true
}
```

For more information about how this workflow operates under the hood and some of the code behind the Terraform modules, check out The DevOps Lab, where I met with Microsoft Cloud Advocate April Edwards for a deep dive on this topic.

»SUMMARY

In this blog post, I illustrated how user and machine authentication can be achieved using AAD as a central IdP. I also explored how to use AAD to enable users and applications to authenticate with Vault using OIDC. Finally, I looked at how to provision an application in AAD for Vault's use as the first step of implementing OIDC authentication. In part 2 of this blog series, I address how to configure Vault to use Azure as an OIDC provider.