hashicorp · yhyakuna · Nov 12, 2024 · Nov 13, 2024 · Nov 14, 2024 · Nov 14, 2024
@@ -0,0 +1,61 @@
+---
+layout: docs
+page_title: Azure Key Vault - Key Management - Secrets Engines
+description: Key management secrets engine supports lifecycle management of keys in Azure Key Vault instances.
+---
+
+# Azure Key Vault
+
+The key management secrets engine supports lifecycle management of keys in named
+[Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/) instances.
+This is accomplished by configuring a KMS provider resource with the `azurekeyvault`
+provider and other provider-specific parameter values.
+
+The following sections describe how to properly configure the secrets engine to enable
+the functionality.
+
+Refer to the [setup guide](/vault/docs/secrets/key-management/azurekeyvault/setup) for CLI command examples.
+
+## Authentication
+
+You need to configure the key management secrets engine with credentials that have sufficient
+permissions to manage keys in an Azure Key Vault instance. The [credentials](/vault/api-docs/secret/key-management/azurekeyvault#credentials) section of the API documentation describes the authentication parameters. The authentication parameters will be set with the following order
+of precedence:
+
+1. Environment variables
+2. [KMS provider credentials](/vault/api-docs/secret/key-management/azurekeyvault#credentials)
+3. [Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview)
+
+If the client ID or secret are not provided and Vault is running on an Azure VM, Vault will attempt
+to use MSI to access Azure. Note that when MSI is used, the tenant ID must still be explicitly provided by the configuration or environment variable.
+
+An Azure Key Vault [access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal) determines whether a given service principal, namely an application or user group, can perform certain operations on a Key Vault instance. The service principal associated with the provided credentials must have an access policy on the Key Vault instance with the following minimum key permissions:
+
+- `create`
+- `delete`
+- `get`
+- `import`
+- `update`
+
+<Tip title="Use Terraform">
+
+If you are familiar with Terraform, you can use it to deploy the necessary Azure infrastructure. Refer to the [Terraform example](/vault/docs/secrets/key-management/azurekeyvault/setup#terraform-example) section.
+
+</Tip>
+
+## Key transfer specification
+
+Keys are securely transferred from the secrets engine to Azure key vault instances in accordance
+with the Azure [Bring Your Own Key](https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification)
+specification.
+
+## Key purpose compatibility
+
+The following table defines which key [purposes](/vault/api-docs/secret/key-management#purpose) can be used
+for each key type supported by Azure Key Vault KMS.
+
+| Key Type       | Purpose                                                 |
+| -------------- | ------------------------------------------------------- |
+| `rsa-2048`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |
+| `rsa-3072`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |
+| `rsa-4096`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |