Update azure.mdx for adding one section around known issue & its fix (#30072)

* Update azure.mdx

Added one section around one known issue & how to fix it, while using Azure Auth method for workload/application running on K8s.

* Update website/content/docs/auth/azure.mdx

* Update website/content/docs/auth/azure.mdx

* Update website/content/docs/auth/azure.mdx

* Update website/content/docs/auth/azure.mdx

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
himanshu-8693 2025-07-17 05:53:30 +05:30 committed by GitHub
parent ce9c011706
commit 465375fea4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -400,6 +400,38 @@ have a time-to-live of 1 hour and automatically refresh when they expire.
Please see the [API documentation](/vault/api-docs/auth/azure#configure)
for more details on the fields associated with plugin WIF.
## Known issues and workarounds
### OIDC ID token error
Users have reported an [issue](https://github.com/hashicorp/vault-plugin-auth-azure/issues/141#issuecomment-2757840078), where workloads running inside AKS with Azure authentication on Vault servers deployed to Azure VM throw following error:
**Error**
```
oidc: id token issued by a different provider, expected "https://sts.windows.net/TenantID/" got "https://login.microsoftonline.com/TenantId/v2.0"
```
The error occured because `vault-agent-init` container by default uses `auth-type` as `kubernetes`.
Ref. https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-auth-type
We need to explicitly define the azure auth method using annotation `vault.hashicorp.com/auth-type: 'azure'`.
Also, we need to pass resource field which is mandatory, that is why we need to pass another annotation `vault.hashicorp.com/auth-config-resource: "https://management.azure.com/"`.
Ref. https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-auth-config
https://developer.hashicorp.com/vault/docs/agent-and-proxy/autoauth/methods/azure#resource
_Annotations to use:-_
```
...
annotations:
vault.hashicorp.com/auth-type: 'azure'
vault.hashicorp.com/auth-config-resource: "https://management.azure.com/"
...
```
## API
The Azure Auth Plugin has a full HTTP API. Please see the [API documentation](/vault/api-docs/auth/azure) for more details.
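
Review bot: The "OIDC ID token error" section attributes the issuer mismatch to `vault-agent-init` defaulting `auth-type` to `kubernetes`, but it never explains how that default leads to a token issued by `https://login.microsoftonline.com/TenantId/v2.0` when `https://sts.windows.net/TenantID/` is expected. A reader cannot tell whether the two annotations address the cause or only happen to work in the reporter's setup. Please add one sentence connecting the default to the error, and say whether `https://management.azure.com/` in `vault.hashicorp.com/auth-config-resource` is a fixed value or must match the resource configured on the Azure auth method. Smaller points in the same hunk: "occured" should be "occurred" and "throw following error" needs an article; the tenant placeholder is spelled both `TenantID` and `TenantId` in the error text; the three bare "Ref." URLs should be markdown links like the `[API documentation](...)` links around them; the annotations block should be fenced as `yaml`, with the two keys indented under `annotations:` and one quoting style for both values.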