Azure Key Vault is a cloud service that enables the secure storage and access of secrets and keys. Your Verifiable Credentials service stores public and private keys in Azure Key Vault. These keys are used to sign and verify credentials.
https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant
How can we find our Public and Private key for verifiable credentials?
I can see Recovery, Signing, and Update key in my Key Vault used for VC.
• Recovery, signing, and encrypting are various key management and cryptographic operations that need to be selected while creating an access policy for the selected user, thus limiting the scope of operations that can be performed by the keys, secrets and certificates issued by that user.
Similarly, the private key and the public key of the verifiable credential are not accessible to the ‘USER’, as the user has delegated that authority to the application registered in Azure AD with the permission ‘VerifiableCredential.Create.All’, and this application registered in Azure AD has been granted API permission for the Verifiable Credential Request Service API. Thus, the private key is generated and is with the service principal of the Azure resource which issues a ‘Verifiable credential’ through the registered Azure AD application to create a key, secret, or a certificate in the Azure Key Vault.
• The public key, meanwhile, is with the key, secret or certificate generated in the Azure Key Vault, thus completing the nexus of secure communication through the concerned hosted application. Thus, in this way, just based on RBAC (Role Based Access Control) and the ensuing access policy actions created in the key vault, you can create secure communication through the web app without exposing the private and the public keys.
For more information, kindly refer to the documentation link below:
https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer
I'm used to using GCP's Secret Manager. There, we can create a secret and give a specific READ permission to one specific service account.
I mean, let's say we create a secret ABC and a service account "getsecretaccount". I can give this SA called getsecretaccount read permission to access the ABC secret. This getsecretaccount will not have access to any other secret there.
Can I achieve this scenario in Azure Key Vault?
Thx!!
Authorization
Key Vault offers two different authorization models: the older vault access policy and the newer Azure role-based access control.
Vault access policy
BrunoLucasAzure already explained how this works. Personally I don't recommend using vault access policy unless you have some specific reason to use it:
resource re-deployment will reset existing authorization defined in key vault properties. ref: https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?pivots=deployment-language-bicep#resource-format
passing [] to accessPolicies will clear the access policy list
passing null or not using accessPolicies in the template will generate an error
of course you can read the value of accessPolicies before re-deployment and then re-use the existing value when re-deploying the resource. TBH that kind of hack should not be required by a resource.
For more information: https://docs.microsoft.com/azure/key-vault/general/assign-access-policy-portal
Azure role-based access control
Azure role-based access control based key vault authorization uses Azure RBAC assignments for key vault data layer access control.
There are multiple ready-made RBAC roles for the key vault data layer:
Key Vault Administrator
Key Vault Secrets Officer
Key Vault Secrets User
Key Vault Reader
etc
Documentation only mentions this: Azure RBAC for key vault also provides the ability to have separate permissions on individual keys, secrets, and certificates
=> you can add RBAC roles to an individual key/secret/certificate
Note that key/secret/certificate must be created before you can add RBAC to it.
For more information: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli
The answer
You can use both methods:
if you use the older vault access policy, you need to create one key vault per service principal
if you use RBAC based access control, you can manage access control at the individual secret level
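The per-secret RBAC grant described in the answer above, as an added shell example (Azure CLI; not code from the answer or from Microsoft's docs). It assumes `az` is logged in, the vault is already switched to RBAC authorization, and the caller holds the service principal's object id; DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Grant ONE service principal read access to ONE secret in a shared vault, by
# assigning "Key Vault Secrets User" at the scope of the individual secret
# rather than the vault. Assumption: `az` CLI is installed and logged in.
# Set DRY_RUN=1 to print the az commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The ARM resource id of an individual secret; this string is the RBAC scope.
kv_secret_scope() {
  # $1 subscription id, $2 resource group, $3 vault name, $4 secret name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/secrets/%s' \
    "$1" "$2" "$3" "$4"
}

# Switch the vault from access policies to Azure RBAC (one-off, per vault).
enable_rbac() {
  run az keyvault update --name "$1" --resource-group "$2" --enable-rbac-authorization true
}

grant_secret_reader() {
  sub=$1; rg=$2; vault=$3; secret=$4; sp_object_id=$5
  # The secret must exist before a role assignment can target it, so this
  # lookup fails the script early (set -e) if the name is wrong.
  run az keyvault secret show --vault-name "$vault" --name "$secret" --query id -o tsv
  run az role assignment create \
    --role "Key Vault Secrets User" \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$(kv_secret_scope "$sub" "$rg" "$vault" "$secret")"
}

# Example invocation with constructed placeholder values (run with DRY_RUN=1 to preview):
# grant_secret_reader 00000000-0000-0000-0000-000000000000 my-rg my-vault ABC <sp-object-id>
```

Because the assignment is scoped to the secret's resource id, `az keyvault secret list` from that principal returns nothing else in the vault; a vault-scoped assignment of the same role would expose every secret.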
If you have 1 Azure vault with multiple secrets and you create an access policy for a user and select permissions like "get" and/or "list", that user will be able to see all secrets under that vault. There is no option for separate permissions per individual secret.
I have a web API hosted on Windows server via IIS. I'm using Azure Key Vault to hide secrets. In order to give the application access to the vault, I am using a certificate installed on the server, which is also registered with the application in Azure.
The cert's thumbprint, the tenant ID, and the application ID are all exposed in the configuration file of the web API. The app's registration is granted access via a policy in the key vault.
The issue is that the integration assistant in Azure is alerting me that I should not have a certificate set up inside the registration, but with no explanation as to why (the documentation is greyed out for the alert).
Can this alert be safely ignored? Or is there a better way to grant my application vault access?
Edit - snip of integration assistant:
Can this alert be safely ignored?
In your particular scenario, I would say yes. You can safely ignore this message.
Essentially you need a user to access the key vault. Considering your application is running locally, you would use the Service Principal (created as part of the app registration) as a user to access the key vault.
Or is there a better way to grant my application vault access?
In your particular scenario (when your application is running locally), AFAIK no.
If your application were running in Azure, you could have used Managed Identity. It could be either a System-assigned Managed Identity or a User-assigned Managed Identity. With managed identity, you do not need secret/certificate based authentication.
I am not sure if your API is protected by Azure AD (i.e. a user must be authenticated/authorized before using the API), but if it is then one alternative would be to grant users of your API access to Key Vault. Requests to Key Vault will then be sent in the context of that user. This however will increase the management complexity considerably, as you have to manage access control for all your API users.
I am trying to authenticate a local Hadoop cluster to Azure using a service principal and certificate authentication. I have created a service principal, and had the key vault create the certificate. I know how to get that information once I am authenticated, but I am trying to figure out how I would re-authenticate automatically once the certificate expires.
I've created a vault in Azure and gave it access to API management (registered app in AAD). I'm trying to not store any passwords in header while making API calls, but instead get them from the keyvault. Is there a way to do this? If yes how?
Been looking for days and haven't found anything.
Thanks
You need to use API Management Policy to get the job done (https://learn.microsoft.com/en-us/azure/api-management/api-management-policies).
The policy needs to be constructed to post an HTTP request to the Azure AD OAuth endpoint to receive an access token (https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#TransformationPolicies). Using the access token you just need to call the Key Vault API and retrieve the secret (https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SendRequest). That secret will be passed along in your header (set-header).
Sample to get access token: https://learn.microsoft.com/en-us/azure/api-management/policies/use-oauth2-for-authorization?toc=api-management/toc.json
Here is an end-to-end example of Azure API Management and Azure Key Vault, including how to set up authorization in Azure AD so APIM can read secrets, certificates, etc. from Key Vault.
https://github.com/kevinhillinger/azure-api-management-keyvault
The integration requires that a service principal is registered in the Azure AD tenant for the subscription that the Key Vault instance belongs to. Then we're going to authorize it to talk to key vault.
In the example provided, I am retrieving a certificate since this is the more "difficult" option.
Here is the flow for the integration of Azure Key Vault:
Get a minted token (bearer) from Azure AD (make sure the scope is properly set for Key Vault)
Get the response and set a variable with the token value
Send a request to Key Vault with Authorization header loaded up with the token
Get the certificate info
Fetch the entire PFX file in base64
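The five-step flow above, reproduced as an added curl script so the app registration and vault permissions can be checked from a shell before the same calls are encoded in an APIM policy. This is added example code, not code from the answer or from the linked repository; it assumes the environment variables TENANT_ID, CLIENT_ID, CLIENT_SECRET, VAULT and CERT are set and that `curl` is installed.

```sh
#!/bin/sh
# Steps 1-5 of the Key Vault integration flow as plain REST calls.
# Assumptions: TENANT_ID, CLIENT_ID, CLIENT_SECRET (app registration),
# VAULT (vault name) and CERT (certificate name) are exported; curl present.

aad_token_url() { printf 'https://login.microsoftonline.com/%s/oauth2/v2.0/token' "$1"; }

kv_url() {
  # $1 vault name, $2 object type (certificates|secrets), $3 object name
  printf 'https://%s.vault.azure.net/%s/%s?api-version=7.4' "$1" "$2" "$3"
}

# Crude extractor for a flat string field of a JSON document (sed only, no jq).
json_field() {
  # $1 JSON text, $2 field name
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Steps 1-2: client-credentials token whose scope is Key Vault, not Graph;
# a token minted for the wrong audience is rejected by the vault with 401.
get_token() {
  resp=$(curl -sS -X POST "$(aad_token_url "$TENANT_ID")" \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "scope=https://vault.azure.net/.default" \
    --data-urlencode "grant_type=client_credentials")
  json_field "$resp" access_token
}

# Steps 3-4: certificate metadata (public part, thumbprint, policy).
get_cert_info() { curl -sS -H "Authorization: Bearer $2" "$(kv_url "$1" certificates "$3")"; }

# Step 5: the PFX (base64 in "value") lives in the SECRET of the same name, so
# the principal needs secrets/get on the vault, not only certificates/get.
get_pfx_base64() {
  json_field "$(curl -sS -H "Authorization: Bearer $2" "$(kv_url "$1" secrets "$3")")" value
}

# Set RUN_DEMO=1 (plus the variables above) to exercise the flow for real.
if [ "${RUN_DEMO:-0}" = "1" ]; then
  TOKEN=$(get_token)
  get_cert_info "$VAULT" "$TOKEN" "$CERT"; echo
  printf 'PFX decoded size: %s bytes\n' "$(get_pfx_base64 "$VAULT" "$TOKEN" "$CERT" | base64 -d | wc -c)"
fi
```

Step 5 is the reason the repository has to grant the APIM principal access to secrets as well as certificates: the private half of a Key Vault certificate is only reachable through the secrets endpoint.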
Usually when you use Key Vault to encrypt and decrypt data you have to keep your AD registered app's (the one that has the authorization to access Key Vault) ClientID and ClientSecret in plain text somewhere. This seems like a security problem: if someone steals the ClientID and Secret, anyone can claim they are the registered app.
Is there or can there be a more secure approach?
You can use a certificate to authenticate instead of a secret.
There are three things you need to do for this approach:
Create a certificate to use.
When creating the Active Directory application that you will use to access the Key Vault, you need to pass in the certificate you created in step 1. I don't think you can do this through the portal at the minute, so you'll need to use the New-AzureRMADApplication PowerShell command.
Use that certificate when authenticating to Key Vault. You'll need to use an overload of the AuthenticationContext.AcquireTokenAsync() method that receives a ClientAssertionCertificate to do that. You can create a ClientAssertionCertificate by simply passing the client id and the X509Certificate2.
From this blog post you can get some code for the first two steps.
In addition to using certificate-based authentication with Key Vault, Azure Managed Service Identity also introduces a new way to make an Azure service become a service principal without any client app registration or client secret. Currently it is only available in preview for some services: Azure VM, Azure App Service, Azure Function, Azure Event Hub & Azure Service Bus. More information can be found here: https://learn.microsoft.com/en-us/azure/active-directory/msi-overview
[Update] Whenever you need to retrieve something from Key Vault, with Azure MSI you don't need a client secret. Just use the AzureServiceTokenProvider() method to retrieve the access token.
In a real-world deployment with automation (for example via Ansible), you can use an external certificate to store sensitive variables in Ansible Vault and generate a 256-bit chain to secure such info. During the automation deployment, the cert is decrypted to access these variables and perform further deployment. This way adds another encryption layer to the whole Azure deployment.