Boundary
azurekeyvault KMS
The Azure Key Vault KMS configures Boundary to use Azure Key Vault for key management. The Azure Key Vault KMS is activated by one of the following:
- The presence of a
seal "azurekeyvault"block in Boundary's configuration file.
azurekeyvault example
This example shows configuring Azure Key Vault KMS through the Boundary configuration file by providing all the required values:
kms "azurekeyvault" {
purpose = "root"
tenant_id = "46646709-b63e-4747-be42-516edeaf1e14"
client_id = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"
client_secret = "DUJDS3..."
vault_name = "hc-vault"
key_name = "vault_key"
}
azurekeyvault parameters
These parameters apply to the kms stanza in the Vault configuration file:
purpose- Purpose of this KMS, acceptable values are:worker-auth,worker-auth-storage,root,previous-root,recovery,bsr, orconfig.tenant_id(string: <required>): The tenant id for the Azure Active Directory organization. May also be specified by theAZURE_TENANT_IDenvironment variable.client_id(string: <required or MSI>): The client id for credentials to query the Azure APIs. May also be specified by theAZURE_CLIENT_IDenvironment variable.client_secret(string: <required or MSI>): The client secret for credentials to query the Azure APIs. May also be specified by theAZURE_CLIENT_SECRETenvironment variable.environment(string: "AZUREPUBLICCLOUD"): The Azure Cloud environment API endpoints to use. May also be specified by theAZURE_ENVIRONMENTenvironment variable.vault_name(string: <required>): The Key Vault vault to use the encryption keys for encryption and decryption. May also be specified by theAZUREKEYVAULT_WRAPPER_VAULT_NAMEenvironment variable.key_name(string: <required>): The Key Vault key to use for encryption and decryption. May also be specified by theAZUREKEYVAULT_WRAPPER_KEY_NAMEenvironment variable.
Authentication
Authentication-related values must be provided, either as environment variables or as configuration parameters.
Azure authentication values: