Merge pull request #2922 from Infisical/feat/authenticate-key-vault-against-specific-tenant

feat: auth key vault against specific tenant
2026-01-09 15:38:03 -05:00 · 2024-12-29 08:18:52 -05:00
parent b45d9398f0 7f6bc3ecfe
commit f9b0b6700a
5 changed files with 114 additions and 1 deletions
--- a/docs/images/integrations/azure-key-vault/integrations-azure-key-vault-tenant-select.png
+++ b/docs/images/integrations/azure-key-vault/integrations-azure-key-vault-tenant-select.png
--- a/docs/integrations/cloud/azure-app-configuration.mdx
+++ b/docs/integrations/cloud/azure-app-configuration.mdx
@@ -29,6 +29,15 @@ description: "How to sync secrets from Infisical to Azure App Configuration"
        ![integrations](../../images/integrations/azure-app-configuration/create-integration-form.png)

        Press create integration to start syncing secrets to Azure App Configuration.
+
+        <Note>
+          The Azure App Configuration integration requires the following permissions to be set on the user / service principal
+          for Infisical to sync secrets to Azure App Configuration: `Read Key-Value`, `Write Key-Value`, `Delete Key-Value`.
+
+          Any role with these permissions would work such as the **App Configuration Data Owner** role. Alternatively, you can use the
+          **App Configuration Data Reader** role for read-only access or **App Configuration Data Contributor** role for read/write access.
+        </Note>
+
      </Step>
      <Step title="Additional Configuration">

--- a/docs/integrations/cloud/azure-key-vault.mdx
+++ b/docs/integrations/cloud/azure-key-vault.mdx
@@ -17,6 +17,10 @@ description: "How to sync secrets from Infisical to Azure Key Vault"
        ![integrations](../../images/integrations.png)

        Press on the Azure Key Vault tile and grant Infisical access to Azure Key Vault.
+        You can optionally authenticate against a specific tenant by providing the Azure tenant or directory ID.
+
+        ![integrations](/images/integrations/azure-key-vault/integrations-azure-key-vault-tenant-select.png)
+
      </Step>
      <Step title="Start integration">
        Obtain the Vault URI of your key vault in the Overview tab.
--- a/frontend/src/pages/integrations/azure-key-vault/authorize.tsx
+++ b/frontend/src/pages/integrations/azure-key-vault/authorize.tsx
@@ -0,0 +1,100 @@
+import { Controller, useForm } from "react-hook-form";
+import Head from "next/head";
+import Image from "next/image";
+import Link from "next/link";
+import { useRouter } from "next/router";
+import { faArrowUpRightFromSquare, faBookOpen } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import z from "zod";
+
+import { Button, Card, CardTitle, FormControl, Input } from "@app/components/v2";
+
+const schema = z.object({
+  tenantId: z.string().trim().optional()
+});
+
+type FormData = z.infer<typeof schema>;
+
+export default function AzureKeyVaultAuthorizeIntegrationPage() {
+  const router = useRouter();
+  const { state, clientId } = router.query;
+  const { control, handleSubmit } = useForm<FormData>({
+    resolver: zodResolver(schema)
+  });
+
+  const onFormSubmit = async ({ tenantId }: FormData) => {
+    const link = `https://login.microsoftonline.com/${
+      tenantId ?? "common"
+    }/oauth2/v2.0/authorize?client_id=${clientId}&response_type=code&redirect_uri=${
+      window.location.origin
+    }/integrations/azure-key-vault/oauth2/callback&response_mode=query&scope=https://vault.azure.net/.default openid offline_access&state=${state}`;
+
+    window.location.assign(link);
+  };
+
+  return (
+    <div className="flex h-full w-full items-center justify-center">
+      <Head>
+        <title>Authorize Azure Key Vault Integration</title>
+        <link rel="icon" href="/infisical.ico" />
+      </Head>
+      <Card className="mb-12 max-w-lg rounded-md border border-mineshaft-600">
+        <CardTitle
+          className="px-6 text-left text-xl"
+          subTitle="Authenticate with a specific tenant ID or let OAuth handle it automatically."
+        >
+          <div className="flex flex-row items-center">
+            <div className="flex items-center pb-0.5">
+              <Image
+                src="/images/integrations/Microsoft Azure.png"
+                height={30}
+                width={30}
+                alt="Azure logo"
+              />
+            </div>
+            <span className="ml-2.5">Azure Key Vault Integration </span>
+            <Link href="https://infisical.com/docs/integrations/cloud/azure-key-vault" passHref>
+              <a target="_blank" rel="noopener noreferrer">
+                <div className="ml-2 mb-1 inline-block cursor-default rounded-md bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] text-sm text-yellow opacity-80 hover:opacity-100">
+                  <FontAwesomeIcon icon={faBookOpen} className="mr-1.5" />
+                  Docs
+                  <FontAwesomeIcon
+                    icon={faArrowUpRightFromSquare}
+                    className="ml-1.5 mb-[0.07rem] text-xxs"
+                  />
+                </div>
+              </a>
+            </Link>
+          </div>
+        </CardTitle>
+        <form onSubmit={handleSubmit(onFormSubmit)} className="px-6 pb-8 text-right">
+          <Controller
+            control={control}
+            name="tenantId"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Tenant ID (optional)"
+                errorText={error?.message}
+                isError={Boolean(error)}
+              >
+                <Input {...field} placeholder="2e39537c-9a01-4bd6-a7b8-c3b88cbb8db9" />
+              </FormControl>
+            )}
+          />
+          <Button
+            colorSchema="primary"
+            variant="outline_bg"
+            className="mt-2 w-min"
+            size="sm"
+            type="submit"
+          >
+            Connect to Azure Key Vault
+          </Button>
+        </form>
+      </Card>
+    </div>
+  );
+}
+
+AzureKeyVaultAuthorizeIntegrationPage.requireAuth = true;
--- a/frontend/src/views/IntegrationsPage/IntegrationPage.utils.tsx
+++ b/frontend/src/views/IntegrationsPage/IntegrationPage.utils.tsx
@@ -69,7 +69,7 @@ export const redirectForProviderAuth = (integrationOption: TCloudIntegration) =>
          createIntegrationMissingEnvVarsNotification(integrationOption.slug);
          return;
        }
-        link = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${integrationOption.clientId}&response_type=code&redirect_uri=${window.location.origin}/integrations/azure-key-vault/oauth2/callback&response_mode=query&scope=https://vault.azure.net/.default openid offline_access&state=${state}`;
+        link = `${window.location.origin}/integrations/azure-key-vault/authorize?clientId=${integrationOption.clientId}&state=${state}`;
        break;
      case "azure-app-configuration":
        if (!integrationOption.clientId) {