Azure Series Part 6: Store and manage secrets by using Azure Key Vault

Azure Key Vault is a centralized cloud service for storing an application's secrets in a single location.

It provides secure access to sensitive information through access control and logging.

Purpose of Azure Key Vaults

  • Manage secrets: You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
  • Manage encryption keys: You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.
  • Manage SSL/TLS certificates: Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer / Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.
  • Store secrets backed by hardware security modules (HSMs): These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

Benefits

  1. Centralized application secrets
  2. Securely stored secrets and keys
  3. Access monitoring and access control
  4. Simplified administration of application secrets
  5. Integration with other Azure services

Let us see how we can manage a password in Azure Key Vault through the Azure Portal.

Let us first create a key vault.

Step 1: Go to the Azure portal.

Step 2: On the Azure portal menu, or from the Home page, select Create a resource.

Step 3: From the search bar, enter Key Vault, and then select Key Vault from the results.

Step 4: On the Key Vault panel, select Create. The Create key vault panel appears.

Step 5: On the Basics tab, fill in the following values for each setting.

Step 6: Select Review + create, and then select Create.

Wait for the creation process to finish.

Step 7: Select Go to resource.

Note some of the details about your key vault. For example, the Vault URI field shows the URI that your application can use to access your vault from the REST API.

On the left nav bar, under the Settings section, examine some of the other features.

Although they’re initially empty, here you’ll find places where you can store keys, secrets, and certificates.

Step 8: Add a password to the key vault

On the left nav bar, under Settings, select Secrets. Your Key vault panel appears.

From the top menu bar, select Generate/Import. The Create a secret panel appears.

Step 9: Fill in the details and select Create.

  1. From your Key Vault/Secrets panel, select MyPassword. The MyPassword/Versions panel appears. You see that the current version is enabled.
  2. Select the current version. The Secret Version panel appears.

Select the secret name (mypassword in our case) to see its details and actual value. Note: only admins can see the actual value.

Step 10: Add keys to the key vault

Similarly to secrets, we can also add keys to the Azure Key Vault.

So this is how we can manage keys and secrets in Azure Key Vault through the Azure Portal.

Let us see how we can create passwords and secrets in Azure Key Vault through Azure ARM templates.

Use the template.json file below.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "type": "string"
        },
        "location": {
            "type": "string"
        },
        "sku": {
            "type": "string"
        },
        "accessPolicies": {
            "type": "array"
        },
        "tenant": {
            "type": "string"
        },
        "enabledForDeployment": {
            "type": "bool"
        },
        "enabledForTemplateDeployment": {
            "type": "bool"
        },
        "enabledForDiskEncryption": {
            "type": "bool"
        },
        "enableRbacAuthorization": {
            "type": "bool"
        },
        "enableSoftDelete": {
            "type": "bool"
        },
        "softDeleteRetentionInDays": {
            "type": "int"
        },
        "networkAcls": {
            "type": "object"
        }
    },
    "variables": {},
    "resources": [
        {
            "apiVersion": "2018-02-14",
            "name": "[parameters('name')]",
            "location": "[parameters('location')]",
            "type": "Microsoft.KeyVault/vaults",
            "properties": {
                "enabledForDeployment": "[parameters('enabledForDeployment')]",
                "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
                "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
                "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]",
                "accessPolicies": "[parameters('accessPolicies')]",
                "tenantId": "[parameters('tenant')]",
                "sku": {
                    "name": "[parameters('sku')]",
                    "family": "A"
                },
                "enableSoftDelete": "[parameters('enableSoftDelete')]",
                "softDeleteRetentionInDays": "[parameters('softDeleteRetentionInDays')]",
                "networkAcls": "[parameters('networkAcls')]"
            },
            "tags": {
                "Blog": "TheWebSpark"
            },
            "dependsOn": []
        }
    ],
    "outputs": {}
}

Use the parameters.json file below. Note that networkAcls.defaultAction is set to allow, so the vault accepts requests from any network; set it to Deny and add ipRules or virtualNetworkRules where access should be restricted.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "value": "thewebspark-keyvault"
        },
        "location": {
            "value": "eastus"
        },
        "sku": {
            "value": "Standard"
        },
        "accessPolicies": {
            "value": [
                {
                    "objectId": "631df7ec-8155-43f5-b353-61d7c5b341e6",
                    "tenantId": "604c1504-c6a3-4080-81aa-b33091104187",
                    "permissions": {
                        "keys": [
                            "Get",
                            "List",
                            "Update",
                            "Create",
                            "Import",
                            "Delete",
                            "Recover",
                            "Backup",
                            "Restore"
                        ],
                        "secrets": [
                            "Get",
                            "List",
                            "Set",
                            "Delete",
                            "Recover",
                            "Backup",
                            "Restore"
                        ],
                        "certificates": [
                            "Get",
                            "List",
                            "Update",
                            "Create",
                            "Import",
                            "Delete",
                            "Recover",
                            "Backup",
                            "Restore",
                            "ManageContacts",
                            "ManageIssuers",
                            "GetIssuers",
                            "ListIssuers",
                            "SetIssuers",
                            "DeleteIssuers"
                        ]
                    },
                    "applicationId": ""
                }
            ]
        },
        "tenant": {
            "value": "604c1504-c6a3-4080-81aa-b33091104187"
        },
        "enabledForDeployment": {
            "value": false
        },
        "enabledForTemplateDeployment": {
            "value": false
        },
        "enabledForDiskEncryption": {
            "value": false
        },
        "enableRbacAuthorization": {
            "value": false
        },
        "enableSoftDelete": {
            "value": true
        },
        "softDeleteRetentionInDays": {
            "value": 90
        },
        "networkAcls": {
            "value": {
                "defaultAction": "allow",
                "bypass": "AzureServices",
                "ipRules": [],
                "virtualNetworkRules": []
            }
        }
    }
}

To deploy the above ARM template via the Azure CLI, use the command below:

az deployment group create --resource-group thewebsparkrg \
    --template-file template.json --parameters parameters.json
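Before deploying, it helps to check what the template and parameters files above actually produce. The following Python script is an added example, not part of the original post: it resolves the [parameters('x')] references from a trimmed, constructed copy of the page's parameters.json (the objectId is a placeholder) and flags settings a reviewer would question, namely the network default action, missing purge protection, and write permissions on secrets granted through legacy access policies.

```python
import json
import re

# Constructed sample mirroring the page's parameters.json, trimmed to the
# settings this check examines; the objectId is a placeholder.
PARAMETERS_JSON = """{"parameters": {
  "enableRbacAuthorization": {"value": false},
  "enableSoftDelete": {"value": true},
  "softDeleteRetentionInDays": {"value": 90},
  "networkAcls": {"value": {"defaultAction": "allow", "bypass": "AzureServices",
                            "ipRules": [], "virtualNetworkRules": []}},
  "accessPolicies": {"value": [{"objectId": "<placeholder-object-id>", "permissions":
    {"secrets": ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore"]}}]}
}}"""

# The vault's "properties" block from the page's template.json, abbreviated.
TEMPLATE_PROPERTIES = {
    "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]",
    "accessPolicies": "[parameters('accessPolicies')]",
    "enableSoftDelete": "[parameters('enableSoftDelete')]",
    "softDeleteRetentionInDays": "[parameters('softDeleteRetentionInDays')]",
    "networkAcls": "[parameters('networkAcls')]",
}

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
SECRET_WRITE_PERMS = {"Set", "Delete", "Purge"}

def resolve(template_props, parameters_json):
    """Substitute each [parameters('x')] reference with its value from parameters.json."""
    params = json.loads(parameters_json)["parameters"]
    resolved = {}
    for key, val in template_props.items():
        match = PARAM_REF.match(val) if isinstance(val, str) else None
        resolved[key] = params[match.group(1)]["value"] if match else val
    return resolved

def audit(props):
    """Return a list of weak settings found in the effective vault properties."""
    findings = []
    if str(props.get("networkAcls", {}).get("defaultAction", "")).lower() != "deny":
        findings.append("networkAcls.defaultAction is not Deny: vault reachable from any network")
    if not props.get("enableSoftDelete") or not 7 <= int(props.get("softDeleteRetentionInDays", 0)) <= 90:
        findings.append("enableSoftDelete is false or softDeleteRetentionInDays is outside 7..90")
    if not props.get("enablePurgeProtection"):
        findings.append("enablePurgeProtection is not set: soft-deleted items can be purged")
    if not props.get("enableRbacAuthorization"):  # legacy access policies are in effect
        for policy in props.get("accessPolicies", []):
            granted = SECRET_WRITE_PERMS & set(policy.get("permissions", {}).get("secrets", []))
            if granted:
                findings.append(f"policy {policy['objectId']} can write secrets: {sorted(granted)}")
    return findings
```

With the page's own values the audit reports three findings; a copy with defaultAction Deny, enablePurgeProtection true and enableRbacAuthorization true passes clean.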

Create passwords and secrets in Azure Key Vault through the Azure CLI

Use the command below to create a password directly in Azure Key Vault through the Azure CLI (replace <secret-value> with the actual value), then read it back with secret show:

az keyvault secret set \
  --name mypassword \
  --vault-name $(az keyvault list --query '[0].name' --output tsv) \
  --value '<secret-value>'

az keyvault secret show \
  --name mypassword \
  --vault-name $(az keyvault list --query '[0].name' --output tsv) \
  --query value \
  --output tsv

Note that the $(az keyvault list ...) substitution picks the first vault in your subscription; pass the vault name directly if you have more than one. Passing --value on the command line also leaves the secret in your shell history; --file reads it from a file instead.

So that is it. Hope you all liked this post and learned something about Azure Key Vault. More to come in the next part of the Azure Series!
