Enhance documentation for credential files and clarify SAPHanaSR provider task for SUSE

devanshjainms · devanshjainms · commit fd557f5db8e6 · 2025-06-16T17:41:10.000Z
diff --git a/docs/HIGH_AVAILABILITY.md b/docs/HIGH_AVAILABILITY.md
@@ -276,17 +276,35 @@ key_vault_id:                  /subscriptions/<subscription-id>/resourceGroups/<
 secret_id:                     https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/<id>
 ```
 
-2.2.3. Credential Files
+2.2.3. **Credential Files** (Available locally)
 
 The required credential files depend on the authentication method used to connect to the SAP system:
 
-1. SSH Key Authentication: If connecting via SSH key, place the private key inside `WORKSPACE/SYSTEM/<DIRECTORY>` and name the file "ssh_key.ppk".
-1. Username and Password Authentication: If connecting using a username and password, create a password file by running the following command. It takes the username from hosts.yaml file. 
+1. **SSH Key Authentication**: If connecting via SSH key, place the private key inside `WORKSPACE/SYSTEM/<DIRECTORY>` and name the file "ssh_key.ppk".
+1. **Password Authentication**: If connecting using a username and password, create a password file by running the following command. It takes the username from hosts.yaml file. 
 
   ```bash
   echo "password" > WORKSPACES/SYSTEM/<DIRECTORY>/password
   ```
 
+2.2.4. **Credential Files** (From Azure Key Vault)
+
+When using Azure Key Vault to store credentials, the framework retrieves authentication details directly from the key vault using the configured managed identity.
+
+  **Authentication Methods:**
+
+  1. **SSH Key Authentication**: Store the private SSH key content in Azure Key Vault as a secret.
+  2. **Password Authentication**: Store the password in Azure Key Vault as a secret. The username is taken from the `hosts.yaml` file.
+
+  **Setup:**
+
+  1. Ensure the managed identity has "Key Vault Secrets User" role on the key vault.
+
+  2. Configure `key_vault_id` and `secret_id` parameters in `sap-parameters.yaml` as shown in section 2.2.2.
+
+  **Important**: When using Key Vault authentication, do NOT create local credential files (`ssh_key.ppk` or `password` files).
+
+
 ### 3. Test Execution
 
 To execute the script, run following command:
diff --git a/src/roles/ha_db_hana/tasks/primary-node-kill.yml b/src/roles/ha_db_hana/tasks/primary-node-kill.yml
@@ -59,7 +59,7 @@
               get_cluster_status_db:
                 operation_step:         "test_execution"
                 database_sid:           "{{ db_sid | lower }}"
-                saphanasr_provider:         "{{ saphanasr_provider | default('SAPHanaSR') }}"
+                saphanasr_provider:     "{{ saphanasr_provider | default('SAPHanaSR') }}"
               register:                 cluster_status_test_execution
               retries:                  "{{ default_retries }}"
               delay:                    "{{ default_delay }}"
diff --git a/src/roles/misc/tasks/get-saphanasr-provider.yml b/src/roles/misc/tasks/get-saphanasr-provider.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 
 # /*---------------------------------------------------------------------------
-# |                          Get SAPHanaSR Provider                          |
+# |                          Get SAPHanaSR Provider (on SUSE only)            |
 # +--------------------------------------------------------------------------*/
 
 - name:                               Get SAPHanaSR provider for SUSE
