Securely Managing Secrets in Azure with Azure Key Vault: Integrating with Azure Services

Image from Microsoft Learn

Azure Key Vault is a cloud service provided by Microsoft Azure that securely stores cryptographic keys, certificates, and secrets used in cloud applications and services. It helps to safeguard cryptographic keys and other secrets used by cloud applications and services, and also helps to ensure that the secrets are only accessible to authorized users and applications.

In this article, we will cover the key features of Azure Key Vault, how to create and configure a Key Vault, and how to use it to securely store secrets.

Key Features of Azure Key Vault:

1. Secure Key Management: Azure Key Vault provides a highly secure way to manage keys, certificates, and secrets. It uses industry-standard security protocols and algorithms to ensure that the keys and secrets are protected from unauthorized access.
2. Flexible Key Storage: Key Vault allows you to store keys and secrets in a variety of formats, including RSA and Elliptic Curve keys, X.509 certificates, and passwords.
3. Access Control: Key Vault provides a granular access control system that enables you to manage access to keys and secrets based on roles and permissions.
4. Key Rotation: Key Vault supports key rotation, which means you can periodically replace old keys with new ones to enhance security.
5. Auditing: Key Vault provides detailed audit logs that enable you to track who accessed which key or secret and when.

Creating and Configuring a Key Vault:

To create a Key Vault in Azure, follow these steps:

1. Log in to the Azure portal and select Key Vaults from the left-hand menu.
2. Click on Add to create a new Key Vault.
3. Fill in the required details such as Name, Subscription, Resource group, Region, and Access policies.
4. Select the Key Vault type: Standard or Premium.
5. Click on Review + Create, and then Create to create the Key Vault.

Once the Key Vault is created, you can configure it by setting up access policies, enabling soft delete, and configuring key rotation.

Using Key Vault to Store Secrets:

Now that we have created and configured a Key Vault, let’s see how we can use it to store secrets.

I. Create a Secret: To create a secret in the Key Vault, go to the Secrets tab and click on the + Generate/Import button. Enter the Name and Value for the secret, and then click on Create.

II. Retrieve a Secret: To retrieve a secret, you can use the Azure Key Vault REST API or SDKs for different programming languages. For example, using the Azure CLI, you can retrieve a secret by running the following command:

az keyvault secret show --vault-name <your-key-vault-name> --name <your-secret-name>

III. Use Secrets in Applications: Once you have retrieved the secret, you can use it in your application by passing it as a parameter or using it to authenticate with other services.

Integrating Azure Key Vault with Azure Services:

Now that we have our Azure Key Vault, we can start integrating it with other Azure services. In this section, we will explore how to integrate Azure Key Vault with the following Azure services:

A. Azure App Service
B. Azure Functions
C. Azure Virtual Machines
D. Azure Kubernetes Service

A. Azure App Service

Azure App Service is a fully managed platform for building, deploying, and scaling web applications. To integrate Azure Key Vault with Azure App Service, follow these steps:

1. Go to your Azure App Service and select “Configuration” from the left-hand menu.
2. In the “Application settings” tab, click the “New application setting” button.
3. Enter the name of the secret you want to retrieve from your Key Vault and the Key Vault URL as the value.
4. Save your settings.

Now, your application can retrieve the secret from your Key Vault at runtime.

Example:

Suppose we want to retrieve the connection string for our Azure SQL Database from Azure Key Vault. Here’s how we can do it:

1. Open the Azure portal and go to your Key Vault.
2. Click the “Secrets” tab and select “Generate/Import”.
3. Enter a name for your secret and the connection string as the value.
4. Click “Create” to create your secret.

Next, we need to add the connection string to our Azure App Service configuration:

1. Go to your Azure App Service and select “Configuration” from the left-hand menu.
2. In the “Application settings” tab, click the “New application setting” button.
3. Enter “SqlConnectionString” as the name and the URL of your Key Vault secret as the value (e.g., “@Microsoft.KeyVault(SecretUri=https://yourkeyvault.vault.azure.net/secrets/yoursecretname/yoursecretversion)").
4. Save your settings.

Now, you can retrieve the connection string from your Key Vault using the following code in your application:

string connectionString = Environment.GetEnvironmentVariable("SqlConnectionString");

B. Azure Functions

Azure Functions is a serverless compute service that enables you to run code on demand without having to manage infrastructure. To integrate Azure Key Vault with Azure Functions, follow these steps:

1. Create a new Azure Function and select the appropriate runtime and trigger.
2. In the Function App Settings, go to the “Configuration” tab and click the “New application setting” button.
3. Enter the name of the secret you want to retrieve from your Key Vault and the Key Vault URL as the value.
4. Save your settings.

Now, your Azure Function can retrieve the secret from your Key Vault at runtime.

Example:

Suppose we want to retrieve the connection string for our Azure Storage account from Azure Key Vault. Here’s how we can do it:

1. Open the Azure portal and go to your Key Vault.
2. Click the “Secrets” tab and select “Generate/Import”.
3. Enter a name for your secret and the connection string as the value.
4. Click “Create” to create your secret.

Next, we need to add the connection string to our Azure Function configuration:

1. Create a new Azure Function and select the appropriate runtime and trigger.
2. In the Function App Settings, go to the “Configuration” tab and click the “New application setting” button.
3. Enter “StorageConnectionString” as the name and the URL of your Key Vault secret as the value (e.g., “@Microsoft.KeyVault(SecretUri=https://yourkeyvault.vault.azure.net/secrets/yoursecretname/yoursecretversion)").
4. Save your settings.

Now, you can retrieve the connection string from your Key Vault using the following code in your Azure Function:

string connectionString = Environment.GetEnvironmentVariable("StorageConnectionString");

Another way to integrate KeyVault is to use Azure SDK, following are the steps:

1. Create a new Azure Functions app or select an existing one.
2. In your Key Vault access policies, add the Azure Functions system-assigned identity with the appropriate permissions.
3. In your Azure Function code, retrieve the secrets from Key Vault using the Azure SDK.

Example:

Suppose we want to retrieve the database connection string for our Azure Function from Azure Key Vault and use it in our code. Here’s how we can do it:

1. Open the Azure portal and go to your Key Vault.
2. Click the “Secrets” tab and select “Generate/Import”.
3. Enter a name for your secret and the database connection string as the value.
4. Click “Create” to create your secret.

Next, we need to add the Azure Functions system-assigned identity to our Key Vault access policies:

1. Go to your Key Vault and select “Access policies” from the left-hand menu.
2. Click the “+ Add Access Policy” button.
3. Select the “Secret Management” permission and select the Azure Functions system-assigned identity from the list of available identities.
4. Save your settings.

Now, we can retrieve the connection string from our Key Vault in our Azure Function code:

#  "Microsoft.Azure.KeyVault"
#  "Microsoft.Azure.Services.AppAuthentication"

using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static async Task<string> GetSecretFromKeyVault(string secretName)
{
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

    var secret = await keyVaultClient.GetSecretAsync("https://yourkeyvault.vault.azure.net/secrets/" + secretName)
        .ConfigureAwait(false);

    return secret.Value;
}

In this example, we use the Azure SDK to authenticate with Azure Active Directory and retrieve the secret from our Key Vault. We can then use the connection string in our Azure Function code.

C. Azure Virtual Machines

Azure Virtual Machines is a cloud-based service that enables you to deploy and run virtual machines in Azure. To integrate Azure Key Vault with Azure Virtual Machines, follow these steps:

1. Create a new Azure Virtual Machine or select an existing one.
2. Go to the “Identity” tab and enable system-assigned managed identity.
3. In your Key Vault access policies, add the Virtual Machine’s managed identity with the appropriate permissions.
4. In the Virtual Machine’s PowerShell or CLI, install the Azure PowerShell or CLI modules and authenticate with your Azure credentials.
5. Use the Azure PowerShell or CLI to retrieve the secret from your Key Vault and store it as an environment variable.

Example:

Suppose we want to retrieve the password for our Azure SQL Database from Azure Key Vault and use it in our Virtual Machine. Here’s how we can do it:

1. Open the Azure portal and go to your Key Vault.
2. Click the “Secrets” tab and select “Generate/Import”.
3. Enter a name for your secret and the password as the value.
4. Click “Create” to create your secret.

Next, we need to add the Virtual Machine’s managed identity to our Key Vault access policies:

1. Go to your Key Vault and select “Access policies” from the left-hand menu.
2. Click the “+ Add Access Policy” button.
3. Select the “Secret Management” permission and select the Virtual Machine’s managed identity from the list of available identities.
4. Save your settings.

Now, we can use the Azure PowerShell or CLI to retrieve the password from our Key Vault and store it as an environment variable in our Virtual Machine:

$password = (Get-AzKeyVaultSecret -VaultName yourkeyvault -Name yoursecretname).SecretValueText
[System.Environment]::SetEnvironmentVariable("SqlPassword", $password, "Machine")

In this example, we use the Get-AzKeyVaultSecret command to retrieve the password from our Key Vault and store it as a PowerShell variable. We then use the System.Environment class to set the variable as an environment variable in our Virtual Machine with the “Machine” scope. This will make the variable available to all users on the machine.

D. Azure Kubernetes Service

Azure Kubernetes Service (AKS) is a fully managed Kubernetes container orchestration service. To integrate Azure Key Vault with AKS, follow these steps:

1. Create a new Azure Kubernetes Service cluster or select an existing one.
2. In your Key Vault access policies, add the AKS-managed identity with the appropriate permissions.
3. Create a Kubernetes Secret with the data from your Key Vault secret.
4. Mount the Kubernetes Secret as a volume in your container.

Example:

Suppose we want to retrieve the database connection string for our application from Azure Key Vault and use it in our AKS cluster. Here’s how we can do it:

1. Open the Azure portal and go to your Key Vault.
2. Click the “Secrets” tab and select “Generate/Import”.
3. Enter a name for your secret and the database connection string as the value.
4. Click “Create” to create your secret.

Next, we need to add the AKS-managed identity to our Key Vault access policies:

1. Go to your Key Vault and select “Access policies” from the left-hand menu.
2. Click the “+ Add Access Policy” button.
3. Select the “Secret Management” permission and select the AKS-managed identity from the list of available identities.
4. Save your settings.

Now, we can create a Kubernetes Secret with the data from our Key Vault secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  connection-string: {{ printf "%s" (base64.StdEncoding.EncodeToString ([]byte (Get-AzKeyVaultSecret -VaultName yourkeyvault -Name yoursecretname).SecretValueText))) }}

In this example, we use the Get-AzKeyVaultSecret command to retrieve the connection string from our Key Vault and encode it as a base64 string. We then use the Kubernetes Secret object to store the encoded string as a data field.

Finally, we can mount the Kubernetes Secret as a volume in our container and use the connection string in our application:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-container
        image: my-image
        volumeMounts:
        - name: my-secret
          mountPath: /etc/my-app
          readOnly: true
      volumes:
      - name: my-secret
        secret:
          secretName: my-secret

In this example, we use the Kubernetes Deployment object to define our application container and mount the Kubernetes Secret as a volume at “/etc/my-app”. We can then use the connection string in our application by reading the contents of the file at “/etc/my-app/connection-string”.

Conclusion:

Azure Key Vault is a powerful tool for securely managing cryptographic keys, certificates, and secrets used by cloud applications and services. It provides a highly secure way to store and manage secrets, and enables you to track access to them using detailed audit logs. By following the steps outlined in this article, you can easily create and configure a Key Vault, and use it to store secrets in your cloud applications and services.