hashicorp · kevin-loehfelm · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025
@@ -206,10 +206,11 @@ information about roles.
   [roles docs][roles] for details on role definition.
 - `persist_app` (`bool: "false"`) – If set to true, persists the created service principal and application for the lifetime of the role.
  Useful for when the Service Principal needs to maintain ownership of objects it creates
-- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
+- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using the role.
   Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
-- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
-  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+- `max_ttl` (`string: "0"`) – Specifies the maximum TTL for service principals
+  generated using the role. Accepts time suffixed strings ("1h") or an integer
+  number of seconds. The default (`0`) defers to the system/engine max TTL time.
 - `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
   created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
 - `sign_in_audience` (`string: ""`) - Specifies the security principal types that are allowed to sign in to the application.
@@ -231,9 +232,9 @@ information about roles.
     }
   ]",
   "ttl": 3600,
-  "max_ttl": "24h"
-  "sign_in_audience": "AzureADMyOrg"
-  "tags": "team:engineering","environment:development"
+  "max_ttl": "24h",
+  "sign_in_audience": "AzureADMyOrg",
+  "tags": "team:engineering, environment:development"
 }
 ```
 
@@ -247,6 +248,63 @@ $ curl \
     https://127.0.0.1:8200/v1/azure/roles/my-role
 ```
 
+## Read role
+
+The Read Role endpoint returns information about the named role:
+
+- Configuration details for roles created in Vault 1.20+.
+- The constant `invalid_data` for roles created in earlier versions of Vault.
+- A `404` error if the named role does not exist.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/azure/roles/:name` |
+
+
+### Path parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/azure/roles/example-role
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "application_object_id": "",
+    "azure_groups": null,
+    "azure_roles": [
+      {
+        "role_name": "Contributor",
+        "scope": "/subscriptions/<uuid>>/resourceGroups/Website"
+      },
+      {
+        "role_id": "/subscriptions/<uuid>>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
+        "scope": "/subscriptions/<uuid>"
+      }
+    ],
+    "ttl": 3600,
+    "max_ttl": 0,
+    "explicit_max_ttl": 0,
+    "permanently_delete": false,
+    "persist_app": false,
+    "sign_in_audience": "AzureADMyOrg",
+    "tags": [
+      "team:engineering",
+      "team:development"
+    ],
+  }
+}
+```
+
 ## List roles
 
 Lists all of the roles that are registered with the plugin.

@@ -212,10 +212,11 @@ information about roles.
   [roles docs][roles] for details on role definition.
 - `persist_app` (`bool: "false"`) – If set to true, persists the created service principal and application for the lifetime of the role.
  Useful for when the Service Principal needs to maintain ownership of objects it creates
-- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
+- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using the role.
   Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
-- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
-  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+- `max_ttl` (`string: "0"`) – Specifies the maximum TTL for service principals
+  generated using the role. Accepts time suffixed strings ("1h") or an integer
+  number of seconds. The default (`0`) defers to the system/engine max TTL time.
 - `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
   created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
 - `sign_in_audience` (`string: ""`) - Specifies the security principal types that are allowed to sign in to the application.
@@ -237,9 +238,9 @@ information about roles.
     }
   ]",
   "ttl": 3600,
-  "max_ttl": "24h"
-  "sign_in_audience": "AzureADMyOrg"
-  "tags": "team:engineering,environment:development"
+  "max_ttl": "24h",
+  "sign_in_audience": "AzureADMyOrg",
+  "tags": "team:engineering, environment:development"
 }
 ```
 
@@ -253,6 +254,63 @@ $ curl \
     https://127.0.0.1:8200/v1/azure/roles/my-role
 ```
 
+## Read role
+
+The Read Role endpoint returns information about the named role:
+
+- Configuration details for roles created in Vault 1.20+.
+- The constant `invalid_data` for roles created in earlier versions of Vault.
+- A `404` error if the named role does not exist.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/azure/roles/:name` |
+
+
+### Path parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/azure/roles/example-role
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "application_object_id": "",
+    "azure_groups": null,
+    "azure_roles": [
+      {
+        "role_name": "Contributor",
+        "scope": "/subscriptions/<uuid>>/resourceGroups/Website"
+      },
+      {
+        "role_id": "/subscriptions/<uuid>>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
+        "scope": "/subscriptions/<uuid>"
+      }
+    ],
+    "ttl": 3600,
+    "max_ttl": 0,
+    "explicit_max_ttl": 0,
+    "permanently_delete": false,
+    "persist_app": false,
+    "sign_in_audience": "AzureADMyOrg",
+    "tags": [
+      "team:engineering",
+      "team:development"
+    ],
+  }
+}
+```
+
 ## List roles
 
 Lists all of the roles that are registered with the plugin.

@@ -212,12 +212,18 @@ information about roles.
   [roles docs][roles] for details on role definition.
 - `persist_app` (`bool: "false"`) – If set to true, persists the created service principal and application for the lifetime of the role.
  Useful for when the Service Principal needs to maintain ownership of objects it creates
-- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
+- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using the role.
   Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
-- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
-  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-- `explicit_max_ttl` (`string: ""`) – Specifies the explicit maximum lifetime of the lease and service principal.
-  If not set or set to 0, will use the system default (10 years).
+- `max_ttl` (`string: "0"`) – Specifies the maximum TTL for service principals
+  generated using the role. Accepts time suffixed strings ("1h") or an integer
+  number of seconds. The default (`0`) defers to the system/engine max TTL time.
+- `explicit_max_ttl` (`string: "0"`) – Limits the lifetime of the service
+  principal secret in Azure and sets an upper bound on the TTL for the
+  corresponding lease. You cannot update the service principle lifetime of an
+  existing lease and clients cannot renew a lease once the lifetime expires.
+  Use the default (`0`) to create the service principal with a max TTL of 10
+  years. When the lifetime ends, Vault deletes the service principal and all
+  corresponding leases.
 - `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
   created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
 - `sign_in_audience` (`string: ""`) - Specifies the security principal types that are allowed to sign in to the application.
@@ -255,6 +261,63 @@ $ curl \
     https://127.0.0.1:8200/v1/azure/roles/my-role
 ```
 
+## Read role
+
+The Read Role endpoint returns information about the named role:
+
+- Configuration details for roles created in Vault 1.20+.
+- The constant `invalid_data` for roles created in earlier versions of Vault.
+- A `404` error if the named role does not exist.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/azure/roles/:name` |
+
+
+### Path parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/azure/roles/example-role
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "application_object_id": "",
+    "azure_groups": null,
+    "azure_roles": [
+      {
+        "role_name": "Contributor",
+        "scope": "/subscriptions/<uuid>>/resourceGroups/Website"
+      },
+      {
+        "role_id": "/subscriptions/<uuid>>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
+        "scope": "/subscriptions/<uuid>"
+      }
+    ],
+    "ttl": 3600,
+    "max_ttl": 0,
+    "explicit_max_ttl": 0,
+    "permanently_delete": false,
+    "persist_app": false,
+    "sign_in_audience": "AzureADMyOrg",
+    "tags": [
+      "team:engineering",
+      "team:development"
+    ],
+  }
+}
+```
+
 ## List roles
 
 Lists all of the roles that are registered with the plugin.

@@ -214,12 +214,18 @@ information about roles.
   [roles docs][roles] for details on role definition.
 - `persist_app` (`bool: "false"`) – If set to true, persists the created service principal and application for the lifetime of the role.
  Useful for when the Service Principal needs to maintain ownership of objects it creates
-- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
+- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using the role.
   Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
-- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
-  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-- `explicit_max_ttl` (`string: ""`) – Specifies the explicit maximum lifetime of the lease and service principal.
-  If not set or set to 0, will use the system default (10 years).
+- `max_ttl` (`string: "0"`) – Specifies the maximum TTL for service principals
+  generated using the role. Accepts time suffixed strings ("1h") or an integer
+  number of seconds. The default (`0`) defers to the system/engine max TTL time.
+- `explicit_max_ttl` (`string: "0"`) – Limits the lifetime of the service
+  principal secret in Azure and sets an upper bound on the TTL for the
+  corresponding lease. You cannot update the service principle lifetime of an
+  existing lease and clients cannot renew a lease once the lifetime expires.
+  Use the default (`0`) to create the service principal with a max TTL of 10
+  years. When the lifetime ends, Vault deletes the service principal and all
+  corresponding leases.
 - `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
   created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
 - `sign_in_audience` (`string: ""`) - Specifies the security principal types that are allowed to sign in to the application.
@@ -257,6 +263,63 @@ $ curl \
     https://127.0.0.1:8200/v1/azure/roles/my-role
 ```
 
+## Read role
+
+The Read Role endpoint returns information about the named role:
+
+- Configuration details for roles created in Vault 1.20+.
+- The constant `invalid_data` for roles created in earlier versions of Vault.
+- A `404` error if the named role does not exist.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/azure/roles/:name` |
+
+
+### Path parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/azure/roles/example-role
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "application_object_id": "",
+    "azure_groups": null,
+    "azure_roles": [
+      {
+        "role_name": "Contributor",
+        "scope": "/subscriptions/<uuid>>/resourceGroups/Website"
+      },
+      {
+        "role_id": "/subscriptions/<uuid>>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
+        "scope": "/subscriptions/<uuid>"
+      }
+    ],
+    "ttl": 3600,
+    "max_ttl": 0,
+    "explicit_max_ttl": 0,
+    "permanently_delete": false,
+    "persist_app": false,
+    "sign_in_audience": "AzureADMyOrg",
+    "tags": [
+      "team:engineering",
+      "team:development"
+    ],
+  }
+}
+```
+
 ## List roles
 
 Lists all of the roles that are registered with the plugin.