Does Azure Key Vault support a dynamic secrets feature like HashiCorp Vault?
This feature is what is required.
https://developer.hashicorp.com/vault/tutorials/db-credentials/database-secrets
This is what I could find about Azure Key Vault.
https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation
There is no support for dynamic secrets/credentials in Key Vault and no plans to implement it in the near future.
Key Vault Team
Related
I have an issue: how do I auto-renew service principal secrets in Azure Key Vault?
In short - you can't.
Azure KeyVault only provides the option to auto rotate keys. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.
https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/
What you are trying to achieve is different. Azure AD service principals are managed by Azure AD. So, you need some sort of automation which generates a new secret there and updates it in Key Vault.
A better way (if possible) would be managed identity. Managed identities can be used like service principals but are fully managed, and the secrets are managed behind the scenes for you.
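The automation the answer describes, as an added example (not code from the thread): a rotation script that mints a new password credential on the app registration, publishes it to Key Vault first, and only then prunes older credentials. It assumes Az.Resources 5.x or later (Microsoft Graph based, so the new credential exposes `SecretText`), Az.KeyVault, and an already authenticated session that may manage the app registration and write secrets; `$AppId`, `$VaultName` and `$SecretName` are placeholders supplied by the caller.

```powershell
# Added example: rotate a service principal secret into Key Vault.
# Assumes Az.Resources 5+ (Graph-based cmdlets) and Az.KeyVault; not from the original thread.
param(
    [Parameter(Mandatory)] [string] $AppId,        # application (client) ID of the service principal
    [Parameter(Mandatory)] [string] $VaultName,    # vault that consumers read the secret from
    [Parameter(Mandatory)] [string] $SecretName,   # secret name inside that vault
    [int] $ValidDays = 30                          # lifetime of each generated credential
)

$ErrorActionPreference = 'Stop'
$now = (Get-Date).ToUniversalTime()

# 1. Mint a new password credential on the app registration. Existing credentials
#    are left in place, so nothing breaks while consumers catch up.
$newCred = New-AzADAppCredential -ApplicationId $AppId `
    -StartDate $now -EndDate $now.AddDays($ValidDays)

# 2. Publish it to Key Vault BEFORE touching the old ones. The expiry matches the
#    credential so readers (and audits) can see when it stops being valid; the tag
#    ties the secret version back to the credential's KeyId.
$secure = ConvertTo-SecureString -String $newCred.SecretText -AsPlainText -Force
$stored = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
    -SecretValue $secure -Expires $now.AddDays($ValidDays) `
    -ContentType 'aad-sp-secret' -Tag @{ appId = $AppId; keyId = "$($newCred.KeyId)" }
Write-Host "Stored version $($stored.Version) of $SecretName (expires $($stored.Expires))"

# 3. Two-credential rolling scheme: keep the new credential plus the most recent
#    previous one (consumers that have not refreshed yet keep working until the
#    next run), and delete everything older than that.
$all = Get-AzADAppCredential -ApplicationId $AppId
$survivors = $all | Sort-Object StartDateTime -Descending | Select-Object -First 2
$all |
    Where-Object { $survivors.KeyId -notcontains $_.KeyId } |
    ForEach-Object {
        Write-Host "Revoking old credential $($_.KeyId) (was valid until $($_.EndDateTime))"
        Remove-AzADAppCredential -ApplicationId $AppId -KeyId $_.KeyId
    }
```

Run it on a schedule shorter than `$ValidDays` (an Automation runbook or Function with its own managed identity avoids the chicken-and-egg problem of the rotator needing a secret itself). Because an existing Azure AD password credential cannot be shortened, only deleted, the overlap window is the scheduling interval: each run removes the credential issued two runs ago.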
In the documentation of ARM templates resources types, there is no Microsoft.KeyVault/vaults/keys resource type.
This means that it is not possible to create a key in an Azure key vault by using ARM templates.
I would like to know if this is actually intended for security reasons maybe, or just not supported yet.
I am experimenting with the new server-side storage encryption with customer-managed keys and I would like to create the following in a single template:
Key vault
Key in the key vault
Disk encryption set
Because the create-key operation is not exposed via the ARM REST API, only via the Key Vault REST API, and ARM templates only operate against the ARM REST API.
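The split the answer describes, worked through as an added example (not from the thread): the vault and the disk encryption set are control-plane (ARM) resources, while the key is created by a data-plane call to the vault itself, so the three steps of the question are done as one script rather than one template. It assumes Az.KeyVault and Az.Compute, an authenticated session, and that the resource group, vault, key and DES names are placeholders chosen by the caller; the vault here uses access policies rather than RBAC.

```powershell
# Added example: vault (ARM) + key (Key Vault data plane) + disk encryption set (ARM).
# Assumes Az.KeyVault and Az.Compute; names below are placeholders, not from the thread.
$ErrorActionPreference = 'Stop'
$rg        = 'rg-cmk-demo'        # existing resource group (placeholder)
$location  = 'westeurope'
$vaultName = 'kv-cmk-demo-0001'   # must be globally unique (placeholder)
$keyName   = 'disk-cmk'
$desName   = 'des-cmk-demo'

# 1. Control plane (management.azure.com): the vault. Disk encryption sets require
#    soft delete and purge protection so a deleted key cannot silently make every
#    disk that wraps to it unreadable.
$vault = New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location $location `
    -EnablePurgeProtection -EnabledForDiskEncryption

# 2. Data plane (https://<vault>.vault.azure.net): the key. This is the call an ARM
#    template cannot make, per the answer above. 'Software' keeps it in a standard
#    vault; use 'HSM' on a Premium vault for HSM-backed keys.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software `
    -KeyType RSA -Size 2048 -Expires (Get-Date).AddYears(1)

# 3. Control plane again: the DES, pointing at the versioned key URL returned by step 2.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
    -SourceVaultId $vault.ResourceId -KeyUrl $key.Id -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -DiskEncryptionSet $desConfig

# 4. Least privilege for the DES's managed identity: wrap/unwrap and read metadata,
#    but not create, delete, backup or export.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

"Disk encryption set $($des.Id) wraps disk keys with $($key.Id)"
```

Step 4 is the part most often forgotten: the DES is created successfully without it, and the failure only shows up when the first disk is attached. On an RBAC-enabled vault, replace the access policy with a role assignment (Key Vault Crypto Service Encryption User) for `$des.Identity.PrincipalId`.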
Is it industry best practice to cache your ClientID, SecretId and/or Thumbprint to retrieve KeyVault secrets?
If possible is there a sample code for me to do it in C#?
All you need to secure is the secret and the thumbprint. Essentially anything that can be used to access the resource. If you really want to, you can secure the client ID as well, but I haven't heard of anyone suggesting this or recommending this.
Per the Keyvault Overview:
Azure Key Vault helps solve the following problems:
Secrets Management - Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets
Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
Store secrets backed by Hardware Security Modules - The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs
I suggest reading through the referenced overview for keyvault and looking through the docs as well : https://learn.microsoft.com/en-us/azure/key-vault/key-vault-overview
Our application doesn't use Key Vault so far. We are thinking of using Azure Key Vault to enforce security for keys, secrets and certificates. I read the Microsoft documentation on this Link. It's not clear whether Azure Key Vault works with identity providers other than Azure AD, because we are not using Azure AD but we are using Azure App Service and a storage account. We also want to implement key rotation with a 1 hour expiry.
My questions are
Should the web app be registered with Azure AD to use KeyVault ?
While creating an Azure Key Vault I didn't see any option about key rotation. Am I looking in the wrong place?
Any sample code would be helpful.
When you create a key vault in an Azure subscription, it is automatically associated with the subscription's Azure Active Directory tenant. All callers (users and applications) must be registered in this tenant to access this key vault. That means to access the keys and secrets stored inside the key vault, the requesting applications have to be added in Azure active directory and it also needs to have permissions to read keys and secrets in azure key vault.
Related tutorials below are for your reference :
Get started with Azure Key Vault
How to set up Key Vault with end to end key rotation and auditing - This walks through how to set up key rotation and auditing with Azure Key Vault.
Azure Key Vault Developer's Guide
Use Azure Key Vault from a Web Application
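The sample the question asks for, as an added example (not from the thread): the answer says every caller must be a principal in the subscription's tenant, and for an App Service the least-effort way to satisfy that is a system-assigned managed identity, which needs no app registration and no client secret. The script also issues the secret with the one-hour expiry the question mentions and exposes it to the app through a Key Vault reference. It assumes Az.Websites and Az.KeyVault, an authenticated session, a vault using access policies, and that the resource names are placeholders.

```powershell
# Added example: App Service -> Key Vault via system-assigned managed identity,
# plus a short-lived secret. Assumes Az.Websites and Az.KeyVault; names are placeholders.
$ErrorActionPreference = 'Stop'
$rg         = 'rg-app-demo'         # placeholder
$webAppName = 'web-kv-demo-0001'    # placeholder
$vaultName  = 'kv-app-demo-0001'    # placeholder
$secretName = 'db-password'

# 1. Turn on the system-assigned identity. Azure AD creates the service principal
#    in the tenant for you, which is what "registered in this tenant" means here;
#    there is no client secret to store or rotate.
$app = Set-AzWebApp -ResourceGroupName $rg -Name $webAppName -AssignIdentity $true
$principalId = $app.Identity.PrincipalId

# 2. Grant that identity read access to secrets and nothing else (no set/delete/purge).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
    -PermissionsToSecrets get, list

# 3. Issue a fresh random value with a one-hour expiry. Use the CSPRNG, not Get-Random.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$value  = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $value `
    -Expires (Get-Date).ToUniversalTime().AddHours(1)
Write-Host "Secret version $($secret.Version) expires at $($secret.Expires)"

# 4. Expose it as an app setting via a Key Vault reference. The URI has no version
#    segment (trailing slash), so new versions written by step 3 are picked up
#    without a redeploy. Set-AzWebApp -AppSettings REPLACES all settings, so copy
#    the existing ones first or you will wipe the app's configuration.
$settings = @{}
$app.SiteConfig.AppSettings | ForEach-Object { $settings[$_.Name] = $_.Value }
$settings['DB_PASSWORD'] = "@Microsoft.KeyVault(SecretUri=https://$vaultName.vault.azure.net/secrets/$secretName/)"
Set-AzWebApp -ResourceGroupName $rg -Name $webAppName -AppSettings $settings | Out-Null
```

Step 3 is what re-runs on the rotation schedule; steps 1, 2 and 4 are one-time. App Service refreshes an unversioned reference on its own cadence rather than on every request, so with hourly rotation either verify that cadence against your expiry or have the application fetch the secret itself using the same identity (the Azure SDK's default credential chain picks up a managed identity automatically).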
I have an application I want to run in Azure that can use the KMIP protocol to communicate with key management servers. Does Azure Key Vault support KMIP? If so, where can I find the details?
Azure Key Vault does not have a KMIP interface.
Azure Key Vault has a REST interface, based heavily on the JSON Web Key standard. It is documented here: https://msdn.microsoft.com/en-us/library/azure/dn903609.aspx
Sumedh