[DOCS] Add GUI for Azure/AWS/GCP Secret Engines configuration (#29647)

* wip

* finish azure docs

* some fixes

* get role heading to where it was

* Apply suggestions from code review

Co-authored-by: Sarah Chavis <[email protected]>

* Update website/content/docs/secrets/azure.mdx

Co-authored-by: Sarah Chavis <[email protected]>

* pr comments

* add aws

* gcp configuration

* fix formatting

* remove indents for parser

* formatting fixed?

* Update website/content/docs/secrets/gcp.mdx

Co-authored-by: Sarah Chavis <[email protected]>

* Apply suggestions from code review

Co-authored-by: Sarah Chavis <[email protected]>

* try again

* might be the end of me

* tried running npm run format and got some promising results

* missed

* this should work

* numbering fixes

* Apply suggestions from code review

add group="gui"

Co-authored-by: Sarah Chavis <[email protected]>

* Update azure.mdx

change heading to match

---------

Co-authored-by: Sarah Chavis <[email protected]>

Author: Monkeychip

website/content/docs/secrets/aws.mdx

@@ -53,68 +53,143 @@ Most secrets engines must be configured in advance before they can perform their
 functions. These steps are usually completed by an operator or configuration
 management tool.
 
-1.  Enable the AWS secrets engine:
+Enable the AWS secrets engine:
 
-    ```text
-    $ vault secrets enable aws
-    Success! Enabled the aws secrets engine at: aws/
-    ```
+<Tabs>
 
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
+<Tab heading="CLI"  group="cli">
 
-1.  Configure the credentials that Vault uses to communicate with AWS to generate
-    the IAM credentials:
+```shell-session
+$ vault secrets enable gcp
+Success! Enabled the gcp secrets engine at: gcp/
+```
 
-    ```text
-    $ vault write aws/config/root \
-        access_key=AKIAJWVN5Z4FOFT7NLNA \
-        secret_key=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 \
-        region=us-east-1
-    ```
+By default, the secrets engine will mount at the name of the engine. To
+enable the secrets engine at a different path, use the `-path` argument.
 
-    Internally, Vault will connect to AWS using these credentials. As such,
-    these credentials must be a superset of any policies which might be granted
-    on IAM credentials. Since Vault uses the official AWS SDK, it will use the
-    specified credentials. You can also specify the credentials via the standard
-    AWS environment credentials, shared file credentials, or IAM role/ECS task
-    credentials. (Note that you can't authorize vault with IAM role credentials if you plan
-    on using STS Federation Tokens, since the temporary security credentials
-    associated with the role are not authorized to use GetFederationToken.)
-
-    In some cases, you cannot set sensitive IAM security credentials in your
-    Vault configuration. For example, your organization may require that all
-    security credentials are short-lived or explicitly tied to a machine identity.
-    
-    To provide IAM security credentials to Vault, we recommend using Vault
-    [plugin workload identity federation](#plugin-workload-identity-federation-wif)
-    (WIF).
-
-    ~> **Notice:** Even though the path above is `aws/config/root`, do not use
-    your AWS root account credentials. Instead, generate a dedicated user or
-    role.
-
-1.  Alternatively, configure the audience claim value and the role ARN to assume for plugin workload identity federation:
+</Tab>
 
-    ```text
-    $ vault write aws/config/root \
-        identity_token_audience="<TOKEN AUDIENCE>" \
-        role_arn="<AWS ROLE ARN>"
-    ```
+<Tab heading="GUI"  group="gui">
+
+![Partial screenshot of the Vault GUI showing the "Identity token key" search select input](/img/gui/aws/identityTokenKey.png)
+
+You must have `list` permission on the `identity/oidc/key` endpoint to view
+existing workload identity federation (WIF) identity token keys during setup.
+
+1. Open the web UI for your Vault instance.
+1. Login under the target namespace or choose the target namespace from the
+   selector at the bottom of the left-hand menu and re-authenticate.
+1. Select **Secrets Engines** from the left-hand menu.
+1. Click **Enable new engine +** on the **Secrets Engines** page.
+1. Select **AWS**.
+1. Click **Next**.
+1. Set the mount path for the AWS plugin. For example, `aws`.
+1. If you use WIF, add the identity token key:
+   - Click **Method Options**.
+   - Click **Identity Token Key**.
+   - Enter your new key name or select one from the token key list.
+1. Click **Enable engine**.
+1. Click **Save** to enable the plugin.
+
+</Tab>
+
+</Tabs>
+
+Configure the credentials that Vault uses to communicate with AWS to generate the IAM credentials:
+
+<Tabs>
+
+<Tab heading="CLI"  group="cli">
+
+```shell-session
+$ vault write aws/config/root \
+    access_key=AKIAJWVN5Z4FOFT7NLNA \
+    secret_key=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 \
+    region=us-east-1
+```
+
+</Tab>
+
+<Tab heading="GUI"  group="gui">
+
+![Partial screenshot of the Vault GUI showing the Configuration form](/img/gui/aws/configure.png)
+
+1. Open the web UI for your Vault instance.
+1. Login under the target namespace or choose the target namespace from the
+   selector at the bottom of the left-hand menu and re-authenticate.
+1. Select **Secrets Engines** from the left-hand menu.
+1. Select your `aws` plugin you want to update.
+1. Click **Configure**.
+1. Enter your configuration information.
+1. Set the access type <EnterpriseAlert inline="true" />
+1. Save your changes.
+
+</Tab>
+
+</Tabs>
+
+Internally, Vault will connect to AWS using these credentials. As such,
+these credentials must be a superset of any policies which might be granted
+on IAM credentials. Since Vault uses the official AWS SDK, it will use the
+specified credentials. You can also specify the credentials via the standard
+AWS environment credentials, shared file credentials, or IAM role/ECS task
+credentials. (Note that you can't authorize vault with IAM role credentials if you plan
+on using STS Federation Tokens, since the temporary security credentials
+associated with the role are not authorized to use GetFederationToken.)
+
+In some cases, you cannot set sensitive IAM security credentials in your
+Vault configuration. For example, your organization may require that all
+security credentials are short-lived or explicitly tied to a machine identity.
+
+To provide IAM security credentials to Vault, we recommend using Vault
+[plugin workload identity federation](#plugin-workload-identity-federation-wif)
+(WIF).
+
+~> **Notice:** Even though the path above is `aws/config/root`, do not use
+your AWS root account credentials. Instead, generate a dedicated user or
+role.
+
+Alternatively, configure the audience claim value and the role ARN to assume for plugin workload identity federation:
+
+<Tabs>
+
+<Tab heading="CLI"  group="cli">
+
+```shell-session
+$ vault write aws/config/root \
+    identity_token_audience="<TOKEN AUDIENCE>" \
+    role_arn="<AWS ROLE ARN>"
+```
+
+</Tab>
+
+<Tab heading="GUI"  group="gui">
+
+Select **Workload Identity Federation** for Access Type and enter the following information:
+![Partial screenshot of the Vault GUI showing the Configuration form with WIF access type selected](/img/gui/aws/configure-wif.png)
+
+- **Issuer URL**: The fully qualified and network-reachable issuer URL for the Vault plugin identity token issuer. For example, `https://vault.example.com/v1/identity/oidc/plugins`.
+- **Role ARN**: The ARN of the AWS IAM role to assume.
+- **Identity token audience**: The audience claim value for the plugin identity tokens. This value must match the allowed audiences configured for the target Federated Identity Credential.
+
+</Tab>
+
+</Tabs>
+
+## Role setup
+Vault's identity token provider will internally sign the plugin identity token JWT.
+Given a trust relationship is configured between Vault and AWS via
+Web Identity Federation, the secrets engine can exchange this identity token to obtain
+ephemeral STS credentials.
 
-    Vault's identity token provider will internally sign the plugin identity token JWT.
-    Given a trust relationship is configured between Vault and AWS via
-    Web Identity Federation, the secrets engine can exchange this identity token to obtain
-    ephemeral STS credentials.
-
-    ~> **Notice:** For this trust relationship to be established, AWS must have an
-    an [IAM OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
-    configured with information about the fully qualified and network-reachable
-    Issuer URL for Vault's plugin [identity token provider](/vault/api-docs/secret/identity/tokens#read-plugin-identity-well-known-configurations).
-    This is to ensure that AWS can fetch the JWKS [public keys](/vault/api-docs/secret/identity/tokens#read-active-public-keys)
-    and verify the plugin identity token signature. To configure Vault's Issuer,
-    please refer to the Identity Tokens
-    [documentation](/vault/api-docs/secret/identity/tokens#configure-the-identity-tokens-backend)
+~> **Notice:** For this trust relationship to be established, AWS must have an
+an [IAM OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
+configured with information about the fully qualified and network-reachable
+Issuer URL for Vault's plugin [identity token provider](/vault/api-docs/secret/identity/tokens#read-plugin-identity-well-known-configurations).
+This is to ensure that AWS can fetch the JWKS [public keys](/vault/api-docs/secret/identity/tokens#read-active-public-keys)
+and verify the plugin identity token signature. To configure Vault's Issuer,
+please refer to the Identity Tokens
+[documentation](/vault/api-docs/secret/identity/tokens#configure-the-identity-tokens-backend)
 
 1.  Configure a Vault role that maps to a set of permissions in AWS as well as an
     AWS credential type. When users generate credentials, they are generated