Grouping secrets in azure key-vault - azure

I am trying store secrets in azure vault. I used azure sdk apis and I can successfully store/retrieve using those. I wanted to know if it's possible to categorise/group set of secrets under same tag and store them in some path.
I want to group some secrets used by one service, store them in one storage path. The same way for other services is separate storage paths. I couldn't find any way of doing that. Is that possible in azure vault?

In short: no, this is not possible.
Also: you cannot get secrets and their values in a list. If you want to get a list, you'll only get a SecretItem array and you have to call GetSecret on each secret you want to get the actual value for.
You could, however, implement something like this yourself by defining a template for the name of the secret that incorporates the name of the thing you would like to group on. Something like this:
$"{serviceName}-secrets-{secretName}"
This way, you can filter the list to only hold the secrets for the service you want to get them for and get their values.

Related

Subscription-id, resourceGroupName and name of the App from inside the web-app PowerShell

I have an application hosted in Azure PAAS. The connection string for the application is stored under 'Configuration' -> 'Connection strings'
My application has a PowerShell instance. I want to iterate through all the Connection strings present under 'Configuration' -> 'Connection strings'
I have seen the Azure document. As my application itself is the app, can there be a way to skip the details like 'subscriptionId', 'resourceGroupName' and 'name'?
This will help to make the code more generic.
As my application itself is the app, can there be a way to skip the
details like 'subscriptionId', 'resourceGroupName' and 'name'?
AFAIK, Its not possible to acquire the connection strings using Rest API, or PowerShell of an Azure web application without providing Resource group name or subscription.
The MS DOCUMENT you have followed is to list the connection strings which is correct but we need to pass those credentials to achieve the same.
If my understanding is correct as its your own application and if its publicly hosted then anyone will not be able to get the resource group name, application name(If you are using custom domain) or subscription details.
Alternatively, we can use the Az cli by providing the resource group only :-
For more information please refer the below links:-
SO THREAD|Get the list of azure web app settings to be swapped using PowerShell
If you are going to use the REST API calls for your code, then the simple answer is just: No.
I think in all cases the answer is going to be no honestly..
You can't drop those unique IDs, because those are required parameters to retrieve the correct data.
If you want to make the code more generic, then you should write the code to retrieve the values for those parameters. Instead of hardcoding the values.
Your powershell code will always need to authenticate, or use a Managed Identity, and the identity used to authenticate will always have the subscriptionid as value in its object. As for the rest, well i think you get the gist of what im suggesting.

How safe/protect Azure service principal secret

My deploy task using PowerShell script, which use Service Principal for connection to Azure KeyVault for pull secret. Secret (password) store in PowerShell script's code as plain text. Maybe there is another solution how to minimize token viewing.
And also i use powershell inline mode (not separate script) with Azure DevOps Secret Variable in deploy task, but this solution difficult to support (script has several different operations, so you have to keep many versions of the script).
Script is store in Git repository, anyone who has access to it will be able to see the secret and gain access to other keys. Perhaps I don't understand this concept correctly, but if keys cannot be stored in the code, then what should I do?
I devops you can use variable groups and define that the variables is pulled directly from a selected keyvault (if the service principal you have selected have read/list access to the KV) LINK.
This means that you can define all secrets in keyvault, and they would be pulled before any tasks happens in your yaml. To be able to use them in the script you can define them as a env variable or parameter to your script and just reference $env:variable or just $variable, instead of having the secret hardcoded in your script.

Key Vault Reference Limit

While developing an ARM template to deploy multiple app services and want to use the key vault to host multiple secret, and we need to include 110 references in the template.
While doing a POC, there is an error message:
The deployment has specified too many Key Vault parameter references.
The maximum of Key Vault parameter references is '30'
Is it possible to go beyond 30?
Your first option should be to consider why you need so many secrets and how you can come up with a better strategy.
Failing that, on the quick and dirty, you can wrap multiple secrets in the a string.
E.g.:
MySecret: value1|value2|value3|value4|value5
They you can use the ARM Template functions to pull out the value you need.
Look in to the array and split functions.
Hopefully you can keep related secrets together and organise them neatly.

Best way to handle connection string and primar key for Azure Function when created with ARM template

What are best practices for :
managing app settings
including connection string-access key for other resources
inside/outside of the resource group?
Some of the examples utilize using listKeys function inside templates, but I'm wondering if there is better way of doing this, especially, when I need to include resource access keys outside of my subscription and resource group.
Also, the example utilizes concat functino, is there a way to retrieve the whole connectionstring-access key string from the resource directly? or maybe store them inside keyvault of external paramters file?
Thanks
Best Practice is to use the functions (list*, reference), here: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions#resource-functions
They will work across subscriptions provided you have the full resourceId passed in.
For the other questions, it would help to see the code you're thinking about to provide advice...
In terms of managing app settings, I think it would depends on what type of settings you are referring, is it sensitive? Do you want it to be securely stored?
If the key is sensitive to your business requirement, then it wouldn't be suitable for having it directly in your function app in plaintext, what you could do is to use listkeys to retrieve keys while provisoning your keyvault and then get them in runtime from your function probably is better approach.

How do I create hierarchical data structures in Azure Key Vaults

I need a way to store hierarchical data in Azure Key Vaults so that I have a structure similar to:
AppName
/Prod
/Data
/Test
/Data
AppName2
/Prod
/Data
...
As far as I can tell I can only store a flat data structure. I am looking to be able to store data similar to Vault by HashiCorp which allows hierarchies.
For instance, in Vault by HashiCorp, I can get data using a 'path': "app/test/TestConnection" and I get the value at the endpoint of the path: TestConnection.
Any suggestion for alternatives would be fine or instruction on how to do what I need to do with Key Vault.
Thanks
Update
I tried some of the suggestions: MySettings--SomeSection--SecretThing, Multiple Vaults and neither works in the manner I need as described above. Not faulting the input but what I want to do just is not available in Key Vault.
#juunas Turns out that your suggestion may be the best solution. I only just discovered in another article that MySettings--SomeSection--Secret translates into something similar in .NET Core:
MySettings: {
SomeSection: "Secret"
}
Since my client wants to use Key Vault we are probably going to go with storing json structured data per a single secret per application.
Any other suggestions are welcome
Key Vault does not support hierarchies for secrets.
To emulate structure, you can do something similar what .NET Core does with its Key Vault configuration provider. You can specify a secret with a name like Settings--SomeCategory--SomeValue, and it'll correspond to the following JSON when loaded:
{
"Settings": {
"SomeCategory": {
"SomeValue": "value goes here"
}
}
}
So essentially you can use a separator to emulate the structure, similar also to how Azure Blob Storage emulates folders.
I would advice against mixing different environment secrets within the same key vault. Access cannot be restricted to some keys, as access is granted and denied on the Key Vault level only. You probably don't want the same persons/applications to be able to access all the different environments, but instead grant access to the production environment to a selected group of users and applications only, and vice versa.
As the Key Vault service by itself doesn't really cost anything, we at least have taken the approach to create one Key Vault per environment, i.e. dev, test and production. Within that key vault the secrets are "structured" by a prefix, i.e. AppName-Data and AppName2-Data. This gives the added benefit, that when moving from dev to test and to production, the references to the secrets don't need to be changed, as they have the same name in all the environments. Just the reference to the Key Vault needs to be changed, and all is set!

Resources