8.1. Azure Key Vault.md

Azure Key Vault

• Secrets
  • Securely store secrets and passwords
  • Storing in code is not secure.
• Keys
  • Create and control encryption keys
  • E.g. for an encrypted storage integrated with e.g. Azure Storage
  • Each key can have activation & expiration date
  • Creating a key
    • Can generate & import or restore from a backup
• Certificates: Provision, manage and deploy public and private SSL/TLS certificates
• Controlled through:
  • Management plane
    • Manage Key Vault itself, e.g. create & delete vaults
    • Uses Azure Resource Manager role-based access control (RBAC)
  • Data plane
    • Working with key stored in the vault
    • Uses Key Vault access policy
• Using CLI:
  • Create: az keyvault create --name "Contoso-Vault2" --resource-group "ContosoResourceGroup" --location eastus
  • Add a secret: az keyvault secret set --vault-name "Contoso-Vault2" --name "ExamplePassword" --value "hVFkk965BuUv"
  • Show a secret: az keyvault secret show --name "ExamplePassword" --vault-name "Contoso-Vault2"

Access Policies

• On vault level

• Each policy has:

  • A principle: Can be a user or an application
  • Key permissions
    • Key Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
    • Cryptographic Operations: Decrypt, encrypt, unwrap key, wrap key, verify, sign
    • Privileged Key Operations: Purge
  • Secret permissions
    • Secret Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
    • Privileged Secret Operations: Purge
  • Certificate permissions
    • Certificate Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Manage Contacts, Manage Certificate Authorities, Get Certificate Authorities, List Certificate Authorities, Set Certificate Authorities, Delete Certificate Authorities
    • Privileged Certificate Operations: Purge

• 📝 Retrieve using PowerShell:

  • Key: $keyUrl = (Get-AzureKeyVaultKey -VaultName "testvault" -Name "keyname").Key.Kid
  • Secret: $secretText = (Get-AzureKeyVaultSecret -VaultName "testvault" -Name "secretname").SecretValueText

• 📝Reference it in an ARM template:

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
          "adminLogin": {
            "value": "exampleadmin"
          },
          "adminPassword": {
            "reference": {
              "keyVault": {
              "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
              },
              "secretName": "ExamplePassword"
            }
          },
          "sqlServerName": {
            "value": "<your-server-name>"
          }
      }
    }

Authorize access

• Using RBAC
  1. Ensure entity to give access to user/application exists:
     • For application
       • Create service principal az ad sp create-for-rbac -n "http://mySP"
     • For users, you can add following to RBAC list of the vault:
       • Add individual users (not recommended)
       • 💡 Add AD groups (recommended)
  2. Then give your principal access to the vault:
     • az keyvault set-policy -n <your-unique-keyvault-name> --spn <ApplicationID-of-your-service-principal> --secret-permissions get list set delete --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
• Using managed identity
  1. In application => add system-assigned identity
     • E.g. for web-app: az webapp identity assign --name myApp --resource-group myResourceGroup
     • Or Identity section on portal.
  2. In key vault => Allow access:
     • az keyvault set-policy --name myKeyVault --object-id <PrincipalId> --secret-permissions get list