Azure secrets engine, ability to specify static SPN secret expiry #178
Labels: enhancement (New feature or request)

Comments
Hello, we need the same improvement. Secrets expiration is limited to 6 months by our security team.

Thanks, this seems like a reasonable request. I'm going to transfer it to https://github.com/hashicorp/vault-plugin-secrets-azure.
gsantos-hc added a commit to gsantos-hc/vault-plugin-secrets-azure that referenced this issue on May 1, 2024:

Add `explicit_max_ttl` to Azure role attributes. If set, Application Secrets in Azure AD will be created with a maximum lifetime equal to `explicit_max_ttl` instead of the hard-coded 10-year default in effect until now. Fixes hashicorp#178 Fixes VAULT-12316
gsantos-hc added a commit to gsantos-hc/vault-plugin-secrets-azure that referenced this issue on May 3, 2024:

Add `explicit_max_ttl` to Azure role attributes. If set, Application Secrets in Azure AD will be created with a maximum lifetime equal to `explicit_max_ttl` instead of the hard-coded 10-year default in effect until now. Fixes hashicorp#178 Fixes VAULT-12316
gsantos-hc added a commit to gsantos-hc/vault-plugin-secrets-azure that referenced this issue on Jun 21, 2024:

Add `explicit_max_ttl` to Azure role attributes. If set, Application Secrets in Azure AD will be created with a maximum lifetime equal to `explicit_max_ttl` instead of the hard-coded 10-year default in effect until now. Fixes hashicorp#178 Fixes VAULT-12316
gsantos-hc added a commit to gsantos-hc/vault-plugin-secrets-azure that referenced this issue on Jun 25, 2024:

Add `explicit_max_ttl` to Azure role attributes. If set, Application Secrets in Azure AD will be created with a maximum lifetime equal to `explicit_max_ttl` instead of the hard-coded 10-year default in effect until now. Leases are renewable unless or until the remaining Azure-side lifetime is shorter than the role's configured TTL. Marking a lease as non-renewable signals to clients that they must obtain a new lease/secret when the existing one is approaching the limit that was originally set through `explicit_max_ttl`. Fixes hashicorp#178 Fixes VAULT-12316
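The lifetime and renewal rule described in the commit message above, modelled as an added Go example. This is not the plugin's own code: the names `AzureRole`, `AppSecret`, `NewAppSecret`, `LeaseFor` and `ValidateRole` are assumptions for this illustration, `PolicyMaxLifetime` is a constructed ceiling taken from the 6-month requirement in the issue, and the only part taken directly from the commit message is the rule itself (secret end date = now + `explicit_max_ttl`, 10 years when unset; lease renewable until the remaining Azure-side lifetime is shorter than the role TTL).

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical model of the behaviour described in the commit message; not the
// vault-plugin-secrets-azure implementation. All type and function names are
// assumptions for this example.

// DefaultSecretLifetime is the hard-coded 10-year lifetime that applied before
// explicit_max_ttl existed (value taken from the commit message).
const DefaultSecretLifetime = 10 * 365 * 24 * time.Hour

// PolicyMaxLifetime is a constructed organisational ceiling (the "6 months"
// from the issue text) that role writes are checked against.
const PolicyMaxLifetime = 182 * 24 * time.Hour

type AzureRole struct {
	Name           string
	TTL            time.Duration // lease TTL handed to Vault clients
	ExplicitMaxTTL time.Duration // Azure-side secret lifetime; 0 means unset
}

// AppSecret stands in for the Azure AD application password credential,
// reduced to the two dates that matter here.
type AppSecret struct {
	StartDateTime time.Time
	EndDateTime   time.Time
}

// ValidateRole rejects role configurations that would defeat the expiry
// control: an unset explicit_max_ttl (silently 10 years), a value above the
// policy ceiling, or a lease TTL longer than the secret can live.
func ValidateRole(role AzureRole) error {
	if role.TTL <= 0 {
		return errors.New("ttl must be positive")
	}
	if role.ExplicitMaxTTL == 0 {
		return fmt.Errorf("role %q has no explicit_max_ttl; secrets would live %v", role.Name, DefaultSecretLifetime)
	}
	if role.ExplicitMaxTTL > PolicyMaxLifetime {
		return fmt.Errorf("explicit_max_ttl %v exceeds policy ceiling %v", role.ExplicitMaxTTL, PolicyMaxLifetime)
	}
	if role.TTL > role.ExplicitMaxTTL {
		return errors.New("ttl must not exceed explicit_max_ttl")
	}
	return nil
}

// NewAppSecret sets the credential end date from explicit_max_ttl, falling
// back to the 10-year default when the role does not set one.
func NewAppSecret(role AzureRole, now time.Time) AppSecret {
	lifetime := DefaultSecretLifetime
	if role.ExplicitMaxTTL > 0 {
		lifetime = role.ExplicitMaxTTL
	}
	return AppSecret{StartDateTime: now, EndDateTime: now.Add(lifetime)}
}

// LeaseDecision is what the engine would report on issue or renew.
type LeaseDecision struct {
	TTL       time.Duration
	Renewable bool
}

// LeaseFor applies the renewal rule: the lease is renewable while the
// remaining Azure-side lifetime is at least the role TTL; once it is shorter,
// the lease is capped at the remainder and marked non-renewable so the client
// knows it must obtain a new secret instead of renewing.
func LeaseFor(role AzureRole, secret AppSecret, now time.Time) (LeaseDecision, error) {
	remaining := secret.EndDateTime.Sub(now)
	if remaining <= 0 {
		return LeaseDecision{}, errors.New("azure credential has expired; a new secret must be issued")
	}
	if remaining < role.TTL {
		return LeaseDecision{TTL: remaining, Renewable: false}, nil
	}
	return LeaseDecision{TTL: role.TTL, Renewable: true}, nil
}

func main() {
	now := time.Date(2024, 6, 25, 0, 0, 0, 0, time.UTC) // constructed clock
	role := AzureRole{Name: "ci-reader", TTL: 24 * time.Hour, ExplicitMaxTTL: 180 * 24 * time.Hour}
	if err := ValidateRole(role); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	secret := NewAppSecret(role, now)
	checkpoints := []time.Time{now, now.Add(179*24*time.Hour + 12*time.Hour), now.Add(181 * 24 * time.Hour)}
	for _, at := range checkpoints {
		d, err := LeaseFor(role, secret, at)
		fmt.Printf("at %s: ttl=%v renewable=%v err=%v\n", at.Format(time.RFC3339), d.TTL, d.Renewable, err)
	}
}
```

Running `main` walks one secret through its life: a fresh 24-hour renewable lease, a 12-hour non-renewable lease when only 12 hours of Azure-side lifetime remain, and an error once the credential has expired. The `ValidateRole` check is the part a platform team would add on top of the feature, so that an operator cannot write a role that quietly falls back to the 10-year default.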
We require the flexibility to specify the expiration for secrets associated with static Service Principals in Azure. Vault hard-codes the expiration to 10 years. Our policy requires these secrets to be rotated every 6 months and for us to set expiration dates accordingly. The TTLs we will be assigning to Azure Secrets Roles in Vault will be well short of 6 months for the most part.