How To Retrieve a Secret From Azure Key Vault Node - node.js

I'm looking for a code sample which demonstrates how to connect to an azure key vault and grab a secret from the vault without having to store creds in plain text but instead using certificates and an SPN for authentication to the vault. Has anyone done anything like this before who is willing to shed some light on this?
I'm trying to securely retrieve credentials from azure without ever having to save creds locally, and this has proven to be harder than I originally thought.

yes you can use certificate based authentication while accessing Azure key vault.
Here is a very good article on the same using dot net.
Certificate base authentication
Alternatively Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Run the assign-identity command to create the identity for this application:
az webapp identity assign --name <app_name> --resource-group "<YourResourceGroupName>"
This command is the equivalent of going to the portal and switching Managed service identity to On in the web application properties.
Assign permissions to your application to read secrets from Key Vault
{
"principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "SystemAssigned"
}
Then, run this command using the name of your Key Vault and the value of PrincipalId copied from above:
az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get
Deploy the Node App to Azure and retrieve the secret value
Deploy your node js app ,After this when you browse https://.azurewebsites.net you can see the secret value. Make sure that you replaced the name with your vault name

Related

How to store connection string in Azure Vault and map it back to the configuration settings in Azure Web App?

I am using Azure Web App service. Currently, I am storing the plain connection string to the database, Azure storage in the Application Settings section in the configuration tab of the Web App Service.
Instead of storing the plain connection string in configuration. How can I store the connection string in Azure Vault, then reference it in the Application setting so that the plain connection string are not stored in the configuration settings?
There are two ways to reference Key Vault in Azure Web Apps. You can do a complete reference:
#Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
Or you can use the alterative:
#Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
In order to read secrets from Key Vault, you need to have a vault created and give your app permission to access it.
Create a key vault by following the Key Vault quickstart.
Create a managed identity for your application.
Key Vault references will use the app's system assigned identity by default, but you can specify a user-assigned identity.
Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.
Full steps on setting this up:
https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

Accessing managed secrets in Azure Key Vault with RBAC?

I have a Python script running on an Azure Virtual Machine which uploads a file into a file share in a storage account. The VM is given a user-assigned managed identity with the built-in 'Key Vault Secrets User' role.
I followed this tutorial to allow key vault to automatically manage the storage account access key as a secret. Therefore, it is a managed secret (not viewable through the portal but visible through the CLI). My Python app attempts to retrieve the access key from the vault and uses it to generate a SAS token with write permission to file shares. However, when I attempt to retrieve the secret from key vault, I get the following error:
azure.core.exceptions.HttpResponseError: (Forbidden) The user, group or application 'appid=xxx;iss=https://sts.windows.net/xxx/' does not have secrets get permission on key vault 'my-vault-name;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
I allowed access to the vault with the managed identity I created through the portal, and this was yesterday, so the change has definitely propagated okay. What is the issue with my process? Do I need to give the managed identity more permissions than just 'Key Vault Secrets User'?
Solved. I got confused and allowed access to the managed identity through IAM and not through the vault Access Policies.

Users of PowerApp can't get secret from azure key vault (through Power Automate)

For a azure keyvault connection in Power Automate I am using an app registration. Users of a PowerApp I made can't seem to get secrets from the azure key vault unless I give them access to the keyvault. I was hoping adding the users to the acces policies in the keyvault would be enough.
Is there a way to let users get secrets in a PowerApp (through Power Automate) without giving them full access to the keyvault?
I am trying to do something similar as this
You could grant them the "get" permission only on secrets:
az keyvault set-policy --name myvault --secret-permissions get --upn <user ID/email>
However, a better approach might be to run your application as a service principal (or have middleware service that does - really depends on why users need access to the secrets) and it contact Key Vault directly. That service principal should be given minimal rights - basically the same command as above, except using --spn instead of --upn.

Fetch value from Azure Key Vault reference (Managed identity)

I am trying to fetch secret values from azure key vault in Azure App Service.
My App Service has a managed identity
In the Azure Key vault, this managed identity is added under 'Role assignments' as 'Key vault contributor'
Also access policies has been added in azure key vault to give 'Get' permission to the AppServices's managed identity
Now in my c# code, I am trying to get the value of the AppSetting element using the code
ConfigurationManager.AppSettings['something'];
In my azure app service, under app settings, I have added the a key with name 'something' and it has the value pointing to the reference of the Key Vault as below:
#Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Now I am able to retrieve the value from the appsettings, but instead of the actual value, it is pulling the output as #Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/c96f02080254f109c51a1f1cdb1931)
I am expecting the output to be value that I have set, not the keyvault reference string itself.
I am using .Net MVC 4.7 web app
As junnas said, you just add webapp's MSI in key vault Access policy.
1.Turn on webapp System-assign managed identity.
2.Add the identity into keyvault Access policy with secret Get permission.
3.Add the reference of the Key Vault into webapp Application settings.
4.Use Environment.GetEnvironmentVariable("AppsettingName"); to get the secret vaule.
Here is the output:
Actually i figured out that even using ConfiguraionManager.AppSettings["keyname"] also works fine. In my case, i had done everything as listed above , but had enabled "Slot Deployment" option in Connection string configuration in App Service. Once i enabled, now i am able to access my key vault secrets.

How do I register my application locally created with one I created in Azure Active Directory?

I am following directions here for learning the AzureKeyVault config settings
Key Vault Configuration Provider sample application (ASP.NET Core 2.x)
This sample illustrates the use of the Azure Key Vault Configuration
Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see
Key Vault Configuration Provider sample application (ASP.NET Core
1.x).
For more information on how the sample works, see the Azure Key Vault
configuration provider topic.
Using the sample
Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key
Vault.
Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the
PowerShell
Gallery,
the Azure Key Vault REST API, or the Azure
Portal. Secrets are created as either
Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the
configuration provider. You should use the Manual option to create
name-value pair secrets for use with the configuration provider.
Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
Hierarchical values (configuration sections) use -- (two dashes) as a separator in the sample. Colons, which are normally used
to delimit a section from a subkey in ASP.NET Core
configuration, aren't allowed
in secret names. Therefore, two dashes are used and swapped for a
colon when the secrets are loaded into the app's configuration.
Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second
secret creates a secret value with a section and subkey in the secret
name:
SecretName: secret_value_1
Section--SecretName: secret_value_2
Register the sample app with Azure Active Directory.
Authorize the app to
access the key vault. When you use the
Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet to authorize the
app to access the key vault, provide List and Get access to
secrets with -PermissionsToSecrets list,get.
Update the app's appsettings.json file with the values of Vault, ClientId, and ClientSecret.
Run the sample app, which obtains its configuration values from IConfigurationRoot with the same name as the secret name. *
Non-hierarchical values: The value for SecretName is obtained with
config["SecretName"]. * Hierarchical values (sections): Use :
(colon) notation or the GetSection extension method. Use either of
these approaches to obtain the configuration value:
config["Section:SecretName"]
config.GetSection("Section")["SecretName"]
Okay so I have copied the name of my application into Azure Active Directory as an 'Enterprise Application'. And I have added 'Access policies' for 'get' and 'list' in Azure for my ADD object I just created. Yet I get this error in the program when attempting to start the application:
Exception: {"error":"unauthorized_client","error_description":"AADSTS70001:
Application with identifier '(guid)' was not found in the directory ...(continues)
Update 8-4-18
Okay I found out that Azure uses the 'ClientId' and 'ClientSecret' in the local appsettings.json to connect to what Azure registers in this tutorial: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application
I get the clientId in appsettings.json from the applicationId on ADD I create with ADD>App Registrations>New
I click settings in ADD on the app I just created and create a key with an expiration to store as ClientSecret in appsettings.json.
I change my 'Vault' in appsettings to my named vault.
I run the powershell above to give access or else do it in ADD.
So now I am getting a simpler error:
'Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied''
I have tried running as Administrator in Visual Studio. I went under Subscriptions in Azure>Access Control>(IAM)>set my new apps to Reader.
So the reason your powershell is failing is because you are trying to assign a User Principal - a user - when actually you want a Service Principal.
I can’t see your C# to support more there than saying when you use the SDK to log in as the Service Principal you use the application id of the Application/Service Principal (its the same id).
The service principal acts like a user in the local directory but you log in as the application.
Edit:
I looked at the example you posted and ran it myself and had very similar problems. However I have got it working. Here's the steps:
Creating the Application
Create the Registered Application. I do this through the Azure Portal so
a Service Principal is created automatically. Make a note of the ApplicationId.
Generate a key credential on the created application and make a note of it.
In the Application click on the link to the Managed app in local directory. This is the Service Principal, make a note of the ObjectId
Creating the Key Vault
Create KeyVault - I used PowerShell to do this. New-AzureRmKeyVault
Apply the Service Principal to the Key Vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List
Running the Sample App
In your application settings follow this format:
{
"Vault": <the name of your vault>,
"ClientId": <ApplicationId of the Registered Application>,
"ClientSecret": <Credential generated from the Registered Application>
}
This worked for me and allowed me to run the sample and retrieve the secrets from the vault.
The ultimate problem for me became that running 'Set-AzureRmKeyVaultAccessPolicy' was not needed and for whatever reason it was easier to just ignore it and follow this subsection: https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize
I kept trying to set up Object Id and Keys and really I had just overlooked a section mentioning a 'ServerPrincipalName'
They set one commandlet for keys
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign
They set one commandlet for secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List
But I decided to follow the immediate proceeding section on doing it all in the Portal. The key take away for me was that the instructions were not wrong. Just vague when it says: "Register a sample app" then "Authorize the App". Really they should be saying
Register a sample app (https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register)
Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)
Ultimately all the information is there it was just confusing if you happen to already have a vault and an application and don't understand the prerequisite is that really you need to have a 1. A Vault, 2. An ADD Web Application, 3. Associate permissions for 2 in 1.

Resources