Vault
Vault Auto-Auth Azure method
The azure method reads in Azure instance credentials and uses them to
authenticate with the Azure Auth method. It reads most parameters needed for
authentication directly from instance information based on the value of the
resource parameter.
Configuration
- role (string: required) - The role to authenticate against on Vault.
- authenticate_from_environment (boolean: false) - If set to true, the method will attempt to build an Azure identity object from Azure-specific environment variables, in the priority order specified in the Azure documentation. This works seamlessly with Azure Workload Identity and others.
  Note: If authenticate_from_environment is set to true, object_id and client_id will be ignored in favour of that authentication approach.
- scope (string: optional) - The scope to use when obtaining a token. If not supplied, it defaults to the value used for resource with "/.default" appended as a suffix. For more information on scopes in Azure, see this document.
- resource (string: required) - The resource name to use when getting identity information.
- object_id (string: optional) - The object ID of the user-assigned managed identity to use when acquiring an access token. Only one of object_id or client_id may be provided.
- client_id (string: optional) - The client ID of the user-assigned managed identity to use when acquiring an access token. Only one of object_id or client_id may be provided.
Example configuration
Example client auto-auth configuration block for an Azure Workload Identity:
auto_auth {
  method {
    type = "azure"
    config = {
      authenticate_from_environment = true
      role = "dev-role"
      resource = "https://management.azure.com/"
    }
  }
}
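The option rules above interact in ways that are easy to miss in review, in particular a pinned object_id or client_id that is ignored once authenticate_from_environment is true. The following pre-deployment check is an added example, not Vault's own validation code; the function name, the dict input (the config map already parsed from HCL) and the placeholder identity values are assumptions.

```python
# Added example, not Vault's own validation code. Assumes the HCL `config`
# map has already been parsed into a dict with real booleans.

def lint_azure_auto_auth(config):
    """Return (errors, warnings, effective_scope) per the documented rules."""
    errors, warnings = [], []

    # role and resource are the two required strings.
    for key in ("role", "resource"):
        if not isinstance(config.get(key), str) or not config[key]:
            errors.append(f"{key} is required")

    from_env = config.get("authenticate_from_environment", False) is True
    pinned = [k for k in ("object_id", "client_id") if config.get(k)]
    if from_env:
        # The identity comes from environment variables, so a pinned identity
        # is ignored; surface that instead of letting it pass unnoticed.
        warnings += [f"{k} is ignored: authenticate_from_environment is true"
                     for k in pinned]
    elif len(pinned) == 2:
        errors.append("only one of object_id or client_id may be provided")

    # Documented default: the resource value with "/.default" appended. The
    # rule is applied literally, so a trailing slash on resource is kept.
    scope = config.get("scope")
    if not scope and "resource is required" not in errors:
        scope = config["resource"] + "/.default"
    return errors, warnings, scope or None


# Constructed inputs: the page's example, then two misconfigurations with
# placeholder identity values.
PAGE_EXAMPLE = {"authenticate_from_environment": True, "role": "dev-role",
                "resource": "https://management.azure.com/"}
BOTH_IDS = {"role": "dev-role", "resource": "https://management.azure.com/",
            "object_id": "OBJECT-ID-PLACEHOLDER",
            "client_id": "CLIENT-ID-PLACEHOLDER"}
SHADOWED_ID = dict(PAGE_EXAMPLE, client_id="CLIENT-ID-PLACEHOLDER")

if __name__ == "__main__":
    for name, cfg in [("page example", PAGE_EXAMPLE), ("both ids", BOTH_IDS),
                      ("shadowed id", SHADOWED_ID)]:
        print(name, lint_azure_auto_auth(cfg))
```

Treat a warning from this check as a review item: it means the identity the operator wrote into the file is not the one the method will use.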