shankar0123
d809874fa1
Per operator decision the framework-mapping docs are gone. They
were aspirational (no audit, no certification, no validated
mapping); keeping them around was misleading.
Files deleted (1,883 lines):
- docs/compliance/index.md
- docs/compliance/soc2.md
- docs/compliance/pci-dss.md
- docs/compliance/nist-sp-800-57.md
Hyperlinks removed:
- README.md: 'Auditor / compliance' row in the doc table; the
'(compliance mapping included)' parenthetical in the
positioning paragraph
- docs/README.md: the '## Compliance' section table; the
'Auditor / compliance team' reading-order-by-role row
Prose name-drops swept across 24 files:
- README.md: 'FedRAMP boundary CAs / financial-services policy
CAs' → '4-level boundary CAs / 3-level policy CAs';
'Compliance-grade for PCI-DSS Level 1, FedRAMP Moderate / High,
SOC 2 Type II, HIPAA' → cut entirely
- getting-started/{quickstart,concepts,examples,why-certctl,
advanced-demo}.md: 'compliance' → 'audit' / 'policy';
'PCI-DSS / SOC 2 / NIST SP 800-57' framework lists cut;
''pci': 'true'' tag example → ''environment': 'production''
- migration/cert-manager-coexistence.md: 'compliance rules' →
'policy rules'
- operator/approval-workflow.md: 'Compliance customers (PCI-DSS
Level 1, FedRAMP Moderate / High, SOC 2 Type II, HIPAA)' →
'Operators'; entire 'Compliance control mapping' table
(PCI-DSS §6.4.5 / NIST SP 800-53 SA-15 / SOC 2 Type II CC6.1
/ HIPAA §164.308(a)(4)) deleted; 'compliance contract' →
'two-person-integrity contract'; 'compliance auditors' →
'reviewers'
- operator/legacy-clients-tls-1.2.md: 'PCI-DSS v4.0 Req 4 §2.2.5'
audit-reference → CWE-326 (kept); 'PCI-DSS Req 4 §2.2.5
attestation' section retitled to 'TLS posture summary' and
rewritten without framework framing; 'PCI-DSS, NIST, and
major browsers will eventually deprecate TLS 1.2' →
'Major browsers and OS vendors will eventually deprecate
TLS 1.2'
- operator/database-tls.md: PCI-DSS Req 4 §2.2.5 audit-ref →
CWE-319 only; 'PCI-DSS scope' → 'sensitive data'; PCI-DSS
Req 4 v4.0 prose footing → cut
- operator/runbooks/disaster-recovery.md: 'SOC 2 / PCI
procurement-team deliverable' → 'on-call deliverable';
'compliance auditors' → 'reviewers'
- reference/connectors/{acme,aws-acm,azure-kv,globalsign,
local-ca,openssl,ssh,index}.md: 'compliance reporting
(PCI-DSS §3.6, HIPAA §164.312)' → 'audit reporting';
'Compliance environments (PCI-DSS Level 1, FedRAMP High,
HIPAA)' → 'Regulated environments'; 'compliance audits' →
'audit'; 'FedRAMP boundary CA' pattern names →
'4-level boundary CA' (technically descriptive)
- reference/protocols/est.md: 'compliance-hook seam' →
'device-state hook seam'; 'compliance gating' → 'device-state
gating'; 'est_compliance_failed' → 'est_device_state_failed'
- reference/protocols/scep-intune.md: 'Optional compliance
check' → 'Optional device-state check'; failure-counter
'compliance_failed' → 'device_state_failed'; 'Conditional
Access compliance gating' → 'Conditional Access
device-state gating'
- reference/intermediate-ca-hierarchy.md: 'FedRAMP boundary-CA
deployments where the regulator requires...' →
'Boundary-CA deployments where you want separation of policy
and issuing authorities'; pattern A retitled '4-level FedRAMP
boundary CA' → '4-level boundary CA'
- reference/architecture.md: broken Related-docs link to
compliance.md removed; the rest of that block had stale
pre-Phase-2 paths (quickstart.md, demo-advanced.md,
connectors.md, openapi.md, testing-guide.md, test-env.md) —
retargeted to current locations
- reference/deployment-model.md: 'SOC 2 evidence-report
generator' → 'Audit-evidence report generator'
- reference/vendor-matrix.md: 'SOC 2 / PCI auditors paste this
into evidence packs' → 'reviewers paste this into
vendor-evaluation packs'
- contributor/qa-test-suite.md: 'compliance exist' coverage
description cut; 'Compliance (PCI / SOC2 / HIPAA-relevant)'
risk-class label → 'Audit-relevant'
What was kept:
- CWE references (legitimate technical pointers)
- Microsoft API/feature names that happen to use 'compliance'
literally ('Microsoft Graph compliance API',
'device-compliance validators' — these are MS product names,
not framework name-drops)
- 'NIST PQC' on the landing page (Post-Quantum Cryptography is
the actual NIST standard family, not a compliance framework)
Verified: zero hyperlinks into docs/compliance/ remain. All 24
ci-guards/*.sh pass locally. qa-doc-seed-count.sh clean.
Net diff: 26 files / -1,883 deletions in compliance/ + -32 net
across the prose sweep.
Companion edits in cowork/ (CLAUDE.md doc-tree summary +
WORKSPACE-CHANGELOG.md retirement note) land separately.
7.9 KiB
Azure Key Vault Target Connector — Operator Deep-Dive
Last reviewed: 2026-05-05
Operator-grade documentation for the Azure Key Vault target connector. For the connector-development context (interface contract, registry, atomic deploy primitive shared across all targets), see the connector index.
Overview
The Azure Key Vault target connector deploys certificates into Azure Key Vault — the Azure-managed cert/secret store that Application Gateway / Front Door / App Service / Container Apps consume by KID URI. Rank 5 (Azure half) of the 2026-05-03 Infisical deep-research deliverable.
Implementation lives at internal/connector/target/azurekv/.
When to use this connector
Use the Azure Key Vault target connector when:
- TLS terminates at Azure-managed edges (Application Gateway, Front Door, App Service, Container Apps) and those services consume certs by Key Vault KID URI.
- You need short-lived Azure credentials (managed identity, workload identity) rather than long-lived service-principal secrets.
- You need cross-region or cross-cloud-environment Key Vault
endpoints (US-Gov
.vault.usgovcloudapi.net, China.vault.azure.cn).
Look elsewhere when:
- The target is an Azure VM running NGINX / IIS / HAProxy directly — those connectors are simpler.
- The cert is for an internal Azure service that doesn't read from Key Vault (e.g. a custom .NET app reading PEM from disk).
Configuration
{
"vault_url": "https://my-vault.vault.azure.net",
"certificate_name": "api-prod",
"tags": {"env": "production", "app": "api-gateway"},
"credential_mode": "managed_identity"
}
| Field | Default | Description |
|---|---|---|
vault_url |
(required) | Key Vault DNS endpoint (https://<vault-name>.vault.azure.net). For US-Gov: .vault.usgovcloudapi.net; for China: .vault.azure.cn. |
certificate_name |
(required) | Cert object name in the vault (1-127 chars, alphanumeric + hyphens). Versions are auto-generated per import. |
tags |
— | Tags applied at every import (Key Vault carries tags forward across versions, unlike ACM). Reserved keys certctl-managed-by + certctl-certificate-id are set automatically. |
credential_mode |
default |
One of default / managed_identity / client_secret / workload_identity. See "Auth recipes" below. |
RBAC role (minimum permissions)
The off-the-shelf builtin role Key Vault Certificates Officer
covers everything. For minimum-permission deploys, use a custom
role with these data-plane operations on the vault scope
(/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>):
Microsoft.KeyVault/vaults/certificates/import/action
Microsoft.KeyVault/vaults/certificates/read
Microsoft.KeyVault/vaults/certificates/listversions/read
Auth recipes
- AKS workload identity (
credential_mode: workload_identity) — recommended for AKS deploys. Annotate the agent's ServiceAccount withazure.workload.identity/client-id=<app-id>. The AKS cluster's OIDC issuer + the federated credential on the app registration handle token exchange; no long-lived secrets. - Managed identity (
credential_mode: managed_identity) — recommended for VM / App Service deploys. Assign a system-assigned or user-assigned managed identity to the host; certctl-server / agent picks it up via IMDS. Pincredential_moderather than lettingdefaultfall through to env vars (defends against accidental local-dev creds leaking into production). - Service principal (
credential_mode: client_secret). ConfigureAZURE_TENANT_ID+AZURE_CLIENT_ID+AZURE_CLIENT_SECRETenv vars on the agent. NOT recommended for production — long-lived client secret risk; rotate via Key Vault soft-delete recovery if leaked. - Default (
credential_mode: defaultor unset). SDK'sDefaultAzureCredentialwalks env vars → managed identity → Azure CLI fallback. Useful for local-dev where the operator already hasaz loginactive. - Long-lived secrets in connector Config NOT supported — same procurement-readability rule as AWS ACM.
Atomic-rollback contract + Azure-version semantics
Every DeployCertificate snapshots the existing latest version
via GetCertificate(name, "" /* latest */) BEFORE calling
ImportCertificate. After import, the connector re-fetches the
latest version and compares serial numbers.
On serial-mismatch, the connector calls ImportCertificate
again with the snapshotted CER bytes (re-PFX'd with the
operator's key) — as a NEW VERSION. Key Vault doesn't
support "version-restore" without soft-delete recovery (which we
keep off the minimum-RBAC surface). The version history will
show e.g. v1=initial, v2=failed-renewal, v3=rollback-of-v2;
operators reading audit dashboards filter by tag.
Soft-delete caveat
V2 doesn't manage Key Vault soft-delete recovery. If a previous
version was soft-deleted out-of-band (e.g. operator ran
az keyvault certificate delete), the rollback re-imports the
snapshot bytes as a new version rather than restoring the
soft-deleted version. Operators alerting on rollback frequency
should also watch for soft-delete events.
App Gateway / Front Door attachment recipe
data "azurerm_key_vault_certificate" "certctl_managed" {
name = "api-prod"
key_vault_id = azurerm_key_vault.main.id
}
resource "azurerm_application_gateway" "main" {
# ...
ssl_certificate {
name = "certctl-managed"
key_vault_secret_id = data.azurerm_key_vault_certificate.certctl_managed.secret_id
}
}
Application Gateway / Front Door reference the cert by KID URI;
certctl rotates the version under the same name, and the AGW /
Front Door reference auto-resolves to the latest version (the
SDK's behaviour when the KID points to
/certificates/<name>/<version> vs /certificates/<name>
differs — the latter auto-tracks "latest"; the former pins).
Pin the version-less KID for auto-tracking renewals.
Threat model carve-outs
- Cert key bytes never written to disk on the agent. PFX
wrapping happens in memory (PKCS#12 via
software.sslmate.com/src/go-pkcs12); the base64-encoded PFX is passed straight to the SDK'sImportCertificatecall. - Provenance tags are mandatory. Same
certctl-managed-by=certctl+certctl-certificate-id=<mc-id>shape as AWS ACM. Operators identifying a stray Key Vault cert match againstcertctl-managed-by. - No long-lived Azure credentials in
Config.Configcarries vault URL + cert name + operator tags + credential mode only. Auth is the Azure SDK credential chain. credential_mode: managed_identityis the recommended production posture. Defends against accidental env-var creds leaking into deployments where the host already has a managed identity assigned.
Procurement checklist crib
Paste into security review:
- certctl uses Azure managed identity (or workload identity for AKS), not long-lived service-principal secrets.
- The cert key is held only in agent memory during the PFX wrap
- import call; never written to disk.
- Every imported Key Vault cert is tagged with
certctl-managed-by=certctl+certctl-certificate-id=<mc-id>for forensic traceability. - Failed imports trigger automatic rollback by re-importing the snapshotted previous version's bytes; both outcomes are surfaced via Prometheus.
- The minimum RBAC role is 3 data-plane actions; Activity Log captures every API call for audit.
ValidateOnly contract
Key Vault has no dry-run API; ValidateOnly returns
target.ErrValidateOnlyNotSupported. Operators preview deploys
via ValidateConfig + az keyvault certificate show --vault-name <name> --name <cert>.
Related docs
- Connector index — interface contract, registry, deploy primitive
- AWS ACM target — AWS equivalent target
- Cloud targets runbook — operator playbook covering both AWS ACM and Azure KV