- Create, manage and import secrets, keys, and certificates for applications, services and users.
- When deploying resources using Arm templates and automating that deployment, it is best practice to use a Service Principal.
- In on-prem AD it was called: Active Directory Service Account
- The premium tier allows storage of these secrets in a Hardware Security Module, a physical device to contain all your secrets.
- Flow:
- Administrator creates & manages vaults and keys.
- Can be created by any contributor/owner.
- Sends URIs to developers.
- Security administrators uses usage logging for keys.
- Administrator creates & manages vaults and keys.
- Dev/test keys can be migrated to production use at deployment.
- Key Vault Use in ARM Templates
- Embedding credentials and passwords inside a template are unwise.
- To further secure the deployment, it is advised to create an Azure Service Principal.
- With key vaults the value is never exposed because you only reference its key vault ID.
- Use in ARM templates
- Set the enabledForTemplateDeployment property to true when you create the Key Vault.
- Create secret to be used in template
- Ensure template can access Key vault
- Ensure the service principal, user or template has the Microsoft.KeyVault/vaults/deploy/action permission for the correct Key Vault
- The Contributor built-in role already has this permission.
- Reference the secret using a static ID in the template parameter file.
- ❗ Challenge: Sometimes the Key Vault secret will change from deployment to deployment
- It this requires the use of a dynamic ID reference.
- It cannot go in the parameter file.
- 💡 Solution: Nested template where key is also deployed.
- Key Vault Use in ARM Templates