exceptionfactory commented on a change in pull request #5435: URL: https://github.com/apache/nifi/pull/5435#discussion_r721629499
########## File path: nifi-docs/src/main/asciidoc/toolkit-guide.adoc ########## 
@@ -486,7 +486,22 @@ This protection scheme uses https://www.vaultproject.io/docs/secrets/kv/kv-v1[Ha This protection scheme uses https://aws.amazon.com/kms/[AWS Key Management] Service for encryption and decryption. AWS KMS configuration properties can be stored in the `bootstrap-aws.conf` file, as referenced in the `bootstrap.conf` of NiFi or NiFi Registry. If the configuration properties are not specified in `bootstrap-aws.conf`, then the provider will attempt to use the AWS default credentials provider, which checks standard environment variables and system properties. Therefore, when using the AWS_KMS protection scheme, the `nifi(.registry)?.bootstrap.protection.aws.kms.conf` property in the `bootstrap.conf` specified using the `-b` flag must be available to the Encrypt Configuration Tool and must be configured as described in the <<administration-guide.adoc#_aws_kms_provider, AWS KMS provider>> section in the link:administration-guide.html[NiFi Administration Guide]. ==== AZURE_KEYVAULT_KEY [[AZURE_KEYVAULT_KEY]] -This protection scheme uses keys managed by https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys[Azure Key Vault Keys] for encryption and decryption. Azure Key Vault configuration properties can be stored in the `bootstrap-azure.conf` file, as referenced in the `bootstrap.conf` of NiFi or NiFi Registry. The provider will utilize the Azure default credentials provider chain as described in the https://docs.microsoft.com/en-us/java/api/overview/azure/security-keyvault-keys-readme?view=azure-java-stable[Azure Key Vault Key client library for Java] documentation. 
Therefore, when using the AZURE_KEYVAULT_KEY protection scheme, the `nifi(.registry)?.bootstrap.protection.azure.keyvault.conf` property in the `bootstrap.conf` specified using the `-b` flag must be available to the Encrypt Configuration Tool and must be configured as described in the <<administration-guide.adoc#_azure_key_vault_key_provider, Azure Key Vault Key provider>> section in the link:administration-guide.ht ml[NiFi Administration Guide]. +This protection scheme uses keys managed by https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys[Azure Key Vault Keys] for encryption and decryption. +Azure Key Vault configuration properties can be stored in the `bootstrap-azure.conf` file, as referenced in the `bootstrap.conf` of NiFi or NiFi Registry. +The provider will utilize the Azure default credentials provider chain as described in the +https://docs.microsoft.com/en-us/java/api/overview/azure/security-keyvault-keys-readme?view=azure-java-stable[Azure Key Vault Key client library for Java] documentation. +Therefore, when using this protection scheme, the `nifi.bootstrap.protection.azure.keyvault.conf` property +in the `bootstrap.conf` specified using the `-b` flag must be available to the Encrypt Configuration Tool +and must be configured as described in the <<administration-guide.adoc#_azure_key_vault_key_provider, Azure Key Vault Key provider>> section in the link:administration-guide.html[NiFi Administration Guide]. + +==== AZURE_KEYVAULT_SECRET [[AZURE_KEYVAULT_SECRET]] +This protection scheme uses secrets managed by https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets[Azure Key Vault Secrets] for encryption and decryption. +Azure Key Vault configuration properties can be stored in the `bootstrap-azure.conf` file, as referenced in the `bootstrap.conf` of NiFi or NiFi Registry. 
+The provider will utilize the Azure default credentials provider chain as described in the +https://docs.microsoft.com/en-us/java/api/overview/azure/security-keyvault-keys-readme?view=azure-java-stable[Azure Key Vault Key client library for Java] documentation.

Review comment:
Thanks for the feedback @jfrazee! The first link for the Identity client seems to be the better one in terms of details. Without duplicating the description, do you think it is sufficient to describe the implementation in general by saying that it will attempt to read from Azure-defined environment variables and system properties, with a fallback to managed identity credentials?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
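Review bot: In the rewritten AZURE_KEYVAULT_KEY paragraph the property is now given as `nifi.bootstrap.protection.azure.keyvault.conf`, where the removed line and the AWS_KMS paragraph above it use the `nifi(.registry)?.` form, yet the same paragraph still says the file is referenced from the `bootstrap.conf` of NiFi or NiFi Registry. If the Registry property name is unchanged, keep the `nifi(.registry)?.` pattern so Registry users are not pointed at the wrong key. Separately, the new AZURE_KEYVAULT_SECRET section links the credentials chain to the `security-keyvault-keys-readme` page under the label "Azure Key Vault Key client library for Java"; a link that fits the Secrets scheme, or the Identity client documentation discussed in this thread, would make it clearer which credential sources the provider consults.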
