From 0785bcc8df6de16459465b59ac929afae57eb2c3 Mon Sep 17 00:00:00 2001 From: DevOps Rob Date: Thu, 9 Jan 2020 01:43:45 +0000 Subject: [PATCH] Azure MSI for cloud auto-join (#7000) * Azure MSI documentation Adding in note about support for Azure MSI authentication method for Cloud auto-join * fixing text formatting fixing text formatting * missing word missing word - variable * Update website/source/docs/agent/cloud-auto-join.html.md Language change to be specific about where the security risk mitigation is concerned Co-Authored-By: Jack Pearkes Co-authored-by: Jack Pearkes --- website/source/docs/agent/cloud-auto-join.html.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/source/docs/agent/cloud-auto-join.html.md b/website/source/docs/agent/cloud-auto-join.html.md index 5fe41179ae..19b3a6ea71 100644 --- a/website/source/docs/agent/cloud-auto-join.html.md +++ b/website/source/docs/agent/cloud-auto-join.html.md @@ -123,6 +123,8 @@ When using tags the only permission needed is `Microsoft.Network/networkInterfac When using Virtual Machine Scale Sets the only role action needed is `Microsoft.Compute/virtualMachineScaleSets/*/read`. +~> **Note:** If the Consul cluster is hosted on Azure, Consul can use Managed Service Identities (MSI) to access Azure instead of an environment variable and shared client id and secret. MSI must be enabled on the VMs hosting Consul, and it is the preferred configuration since MSI prevents your Azure credentials from being stored in Consul configuration. This feature is supported from Consul 1.7 and above. + ### Google Compute Engine This returns the first private IP address of all servers in the given 
@@ -402,4 +404,4 @@ $ consul agent -retry-join "provider=k8s label_selector=\"app=consul,component=s - `field_selector` (optional) - the field selector for matching pods. The Kubernetes token used by the provider needs to have permissions to list pods -in the desired namespace. \ No newline at end of file +in the desired namespace.
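Review bot: In the added `~> **Note:**` paragraph of the `@@ -123,6 +123,8 @@` hunk, the text says MSI can be used "instead of an environment variable and shared client id and secret" but does not say what the reader changes in the `-retry-join` provider string to get that behaviour, and it does not say that the VM's identity still needs the read action listed in the context lines just above (for scale sets, `Microsoft.Compute/virtualMachineScaleSets/*/read`). Suggest adding one sentence naming which provider fields are left out when MSI is used, and one stating that the managed identity should be granted only that read action, so the credential-free setup does not end up with a broader role than the shared secret had. Wording: "supported from Consul 1.7 and above" doubles up, "supported in Consul 1.7 and above" reads cleaner; "an environment variable" should name the variable it means.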