How to auto renew Service Principals secrets in Azure - azure

I have an issue: how do I auto-renew Service Principal secrets in Azure Key Vault?

In short - you can't.
Azure KeyVault only provides the option to auto rotate keys. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.
https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/
What you are trying to achieve is different. Azure AD Service principals are managed by Azure AD. So, you need some sort of automation which generates a new secret there and updates it in keyvault.
A better way (if possible) would be managed identity. Managed Identities can be used like service principals but are fully managed, and the secrets are managed behind the scenes for you.
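The automation this answer describes (generate a new secret in Azure AD, then update it in Key Vault), as an added example that is not part of the original answer. It shells out to the Azure CLI and assumes the caller is already logged in with rights to manage the app registration and to set secrets in the vault; the 30-day renewal window, 90-day lifetime and the sample data are assumptions.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)  # assumption: renew when under 30 days remain
LIFETIME = timedelta(days=90)      # assumption: each new secret is valid 90 days
FMT = "%Y-%m-%dT%H:%M:%S"

def _parse(ts):
    # Graph timestamps look like 2025-01-10T00:00:00Z, sometimes with fractions.
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), FMT).replace(tzinfo=timezone.utc)

def plan_rotation(credentials, now):
    """Return (need_new_secret, expired_key_ids) for one app registration."""
    ends = {c["keyId"]: _parse(c["endDateTime"]) for c in credentials}
    expired = [k for k, end in ends.items() if end <= now]
    newest = max((end for end in ends.values() if end > now), default=None)
    # Still-valid older secrets are kept so consumers holding them keep working.
    return newest is None or newest - now < RENEW_BEFORE, expired

def az(*args):
    """Run an Azure CLI command (assumes a prior `az login`) and parse its JSON."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None

def rotate(app_id, vault, secret_name):
    now = datetime.now(timezone.utc)
    creds = az("ad", "app", "credential", "list", "--id", app_id)
    need_new, expired = plan_rotation(creds, now)
    if need_new:
        end = (now + LIFETIME).strftime(FMT) + "Z"
        new = az("ad", "app", "credential", "reset", "--id", app_id,
                 "--append", "--end-date", end)
        # --value is visible in the process list; on a shared host write the
        # secret to a 0600 temp file and pass it with --file instead.
        az("keyvault", "secret", "set", "--vault-name", vault, "--name", secret_name,
           "--value", new["password"], "--expires", end, "--query", "id")
    for key_id in expired:
        az("ad", "app", "credential", "delete", "--id", app_id, "--key-id", key_id)
    return need_new, expired

if __name__ == "__main__":
    # Constructed sample of `az ad app credential list` output; no Azure call is made.
    sample = [{"keyId": "old", "endDateTime": "2024-12-01T00:00:00Z"},
              {"keyId": "current", "endDateTime": "2025-01-10T00:00:00.1234567Z"}]
    print(plan_rotation(sample, datetime(2025, 1, 1, tzinfo=timezone.utc)))
```

Run `rotate()` on a schedule from an identity that does not itself depend on the secret being rotated, such as a managed identity.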

Related

Azure Key Vault Accessibility from different Azure subscriptions

Say I have 2 different Azure subscriptions, and I create an Azure vault and store a private key in its HSM-backed Azure Key Vault container in the 1st subscription, AND from a different Azure subscription I want to access the private key for signing an application.
Would that be possible?
In short, manage and store an HSM-backed key in one Azure subscription and sign or validate an application with that private key from another Azure subscription... is it possible?
Yes, it is possible when both the subscriptions are present on a single tenant, so that you can assign the required permissions on the management plane and data plane for the users or managed identities. As Managed HSM uses Azure AD authentication, both the subscriptions need to be in the same Azure AD tenant.
Reference:
Secure access to your managed HSMs Microsoft Documentation
Control Access to your managed HSM

Use Azure Key Vault from external web app

Is it possible to use Azure Key Vault for a web app which is hosted somewhere else? I'm looking for the most cost-effective way to do that, so ideally I would like to use really just the Key Vault. I can allow an external IP in Key vault -> Networking, but I don't see any possibilities how to set up an access policy for an external web app in the Key vault -> Access Policies.
Any experiences or ideas how to do that?
Thanks!
"but I don't see any possibilities how to set up access policy for external web app in the Key vault -> Access Policies."
One possible way to accomplish this would be to create a Service Principal in your Azure AD and give it access to your Key Vault (under Access Policies). Then you would use this Service Principal in your "external" web app to connect to the Key Vault.

How can an ADF Custom Activity access the Azure Key Vault?

I have a custom activity that runs through an ADF pipeline, with an Azure Batch for the execution. The custom activity needs to access the Azure Key Vault, but I don't want to leave any secrets/keys coded in the custom activity.
How can I get the custom activity to use the service principal to access the Azure Key Vault? I have no problem coding access to the Azure Key Vault using the service principal credentials (appId and key), but I obviously don't want to leave a key in the code.
So the question is: How can an ADF Custom Activity, running in an Azure Batch, access the Azure Key Vault through a service principal?
Thanks!
This is similar to how to access Key Vault from an Azure Batch task. There are some ways to avoid hard-coding the secrets in code. One is to use a certificate which can be deployed to the Batch VM (https://samcogan.com/secure-credential-access-with-azure-batch-and-keyvault/), or you may use a resource file (https://learn.microsoft.com/en-us/azure/batch/batch-dotnet-get-started#resourcefiles) to provide the secrets.

Azure KeyVault with Key Rotation

Our application doesn't use Key Vault until now. We are thinking of using Azure Key Vault to enforce security for keys, secrets and certificates. I read the Microsoft documentation on this Link. It's not clear that Azure Key Vault works with identity providers other than Azure AD, because we are not using Azure AD but we are using Azure App Service and a storage account. We also want to implement key rotation with 1 hour expiry.
My questions are:
Should the web app be registered with Azure AD to use Key Vault?
While creating an Azure Key Vault I didn't see any option about key rotation. Am I looking in the wrong place?
Any sample code would be helpful.
When you create a key vault in an Azure subscription, it is automatically associated with the subscription's Azure Active Directory tenant. All callers (users and applications) must be registered in this tenant to access this key vault. That means to access the keys and secrets stored inside the key vault, the requesting applications have to be added in Azure Active Directory and they also need to have permissions to read keys and secrets in Azure Key Vault.
Related tutorials below are for your reference:
Get started with Azure Key Vault
How to set up Key Vault with end to end key rotation and auditing - This walks through how to set up key rotation and auditing with Azure Key Vault.
Azure Key Vault Developer's Guide
Use Azure Key Vault from a Web Application

What is the use of Azure Key Vault in case of WebApp

We have hosted our application on Azure WebApp and wanted to use SSL on this. Should we use the traditional way to attach this certification to Azure WebApp or should we use Azure Key Vault? Since access to Azure WebApp through RDP is not available and Azure is managing our WebApp, can certification be compromised (if the Azure Key Vault is not used)?
I can understand its usage in case of a VM, but on Azure WebApp, does it add any value?
Azure Web App doesn't rely on Azure Key Vault for any of its functionalities.
However, if you are using App Service Certificate, then you end up configuring Azure Key Vault for storing the secret. Other use cases are also there, but those are from an application perspective.
