I am trying to authenticate a local hadoop cluster to Azure using a service principal and certificate authentication. I have created a service principal, and put had the key vault create the certificate. I know how to get that information once I am authenticated, but I am trying to figure out how I would re-authenticate automatically once the certificate expires.
Related
Azure Key Vault is a cloud service that enables the secure storage and access of secrets and keys. Your Verifiable Credentials service stores public and private keys in Azure Key Vault. These keys are used to sign and verify credentials.
https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant
How can we find our Public and Private key for verifiable credentials?
I can see Recovery, Signing, and Update key in my Key Vault used for VC.
• Recovery, signing, and encrypting are various key management and cryptographic operations that are needed to be selected while creating an access policy for the said user selected thus limiting the scope of operations that can be performed by the keys, secrets and certificates issued by that user.
Similarly, the private key and the public key of the verifiable credential cannot be accessible by the ‘USER’ as the user has delegated that authority to the application registered in Azure AD with the permissions ‘VerifiableCredential.Create.All’ and this application registered in Azure AD has been granted API permission for the API Verifiable Credential Request Service. Thus, the private key is generated and is with the service principal of the Azure resource which issues a ‘Verifiable credential’ through the registered Azure AD application to create a key, secret, or a certificate in the Azure keyvault.
• While the public key is with the key, secret or certificate generated in the Azure key vault thus, completing the nexus of secure communication through the concerned application hosted. Thus, in this way, just based on RBAC (Role Based Access Control) and the ensuing access policy actions created in the key vault, you can create secure communication through the web app without exposing the private and the public keys.
For more information, kindly refer to the documentation link below: -
https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer
I have a web API hosted on Windows server via IIS. I'm using Azure Key Vault to hide secrets. In order to give the application access to the vault, I am using a certificate installed on the server, which is also registered with the application in Azure.
The certs thumbprint, the tenant ID, and the application ID are all exposed in the configuration file of the web API. The apps registration is granted access via policy in the key vault.
The issue is that the integration assistant in Azure is alerting me that I should not have a certificate set up inside the registration, but with no explanation as to why (the documentation is greyed out for alert).
Can this alert be safely ignored? Or is there a better way to grant my application vault access?
Edit - snip of integration assistant:
Can this alert be safely ignored?
In your particular scenario, I would say yes. You can safely ignore this message.
Essentially you need a user to access the key vault. Considering your application is running locally, you would use the Service Principal (created as part of the app registration) as a user to access the key vault.
Or is there a better way to grant my application vault access?
In your particular scenario (when your application is running locally), AFAIK no.
If your application were running in Azure, you could have used Managed Identity. It could be either System-assigned Managed Identity or User-assigned Managed Identity. With managed identity, you need not require a secret/certificate based authentication.
I am not sure if your API is protected by Azure AD (i.e. a user must be authenticated/authorized before using the API), but if it does then one alternative would be to grant users of your API access to Key Vault. Requests to Key Vault will then be sent in context of that user. This however will increase the management complexity considerably as you have to manage access control for all your API users.
I want to link a key vault generated certificate with a service principal automatically. The end goal is to have the key vault auto renew the certificate and link it to the app registration. Is this possible?
I've created a vault in Azure and gave it access to API management (registered app in AAD). I'm trying to not store any passwords in header while making API calls, but instead get them from the keyvault. Is there a way to do this? If yes how?
Been looking for days and haven't found something
Thanks
You need to use API Management Policy to get the job done (https://learn.microsoft.com/en-us/azure/api-management/api-management-policies).
The policy needs to be constructed to post HTTP request to Azure AD OAuth endpoint to receive access token (https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#TransformationPolicies). Using access token you just need to call to Key Vault API and retrieve the secret (https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SendRequest). That secret will be passed along in your header (set-header)
Sample to get access token: https://learn.microsoft.com/en-us/azure/api-management/policies/use-oauth2-for-authorization?toc=api-management/toc.json
Here is an end to end example of Azure API Management and Azure Key Vault, including how to setup authorization in Azure AD so APIM can read secrets, certificates, etc. from Key Vault.
https://github.com/kevinhillinger/azure-api-management-keyvault
The integration requires that a service principal is registered in the Azure AD tenant for the subscription that the Key Vault instance belongs to. Then we're going to authorize it to talk to key vault.
In the example provided, I am retrieving a certificate since this is the more "difficult" option.
Here is the flow for the integration of Azure Key Vault:
Get a minted token (bearer) from Azure AD (make sure the scope is properly set for Key Vault)
Get the response and set a variable with the token value
Send a request to Key Vault with Authorization header loaded up with the token
Get the certificate info
Fetch the entire PFX file in base64
Usually when you use key vault to encrypt and decrypt data you have to keep your AD registered app's (that has the authorization to access key vault) ClientID and ClientSecret in plain text somewhere. This seems like a security problem if someone steals the the ClientID and Secret anyone can claim they are the registered app.
Is there or can there be a more secure approach?
You can use a certificate to authenticate instead of a secret.
There are three things you need to do for this approach:
Create a certificate to use.
When creating the Active Directory application that you will use to access the Key Vault, you need to pass in the certificate you created in step 1. I don't think you can do this through the portal at the minute, so you'll need to use the New-AzureRMADApplication PowerShell command.
Use that certificate when authenticating to Key Vault. You'll need to use an overload of the AuthenticationContext.AcquireTokenAsync() method that receives a ClientAssertionCertificate to do that. You can create a ClientAssertionCertificate by simply passing the client id and the X509Certificate2.
From this blog post you can get some some code for the first two steps.
In addition to using certificate-based with KeyVault, Azure Managed Service Identity also introduces a new way to make an Azure service become a service principal without any client app registration and client secret. Currently it is only available in preview stage for some services: Azure VM, Azure App Service, Azure Function, Azure Event Hub & Azure Service Bus. More information can be found here https://learn.microsoft.com/en-us/azure/active-directory/msi-overview
[Update] When ever you need to retrieve something from KeyVault, with Azure MSI you don't need a client secret. Only use AzureServiceTokenProvider() method to retrieve access token
In real-world deployment with automation (for example via Ansible), you can use an external certificate to store sensitive variables in Ansibe Vault and generate a 256bit chain to secure such an info. During the automation deployment, the cert is decrypted to access to these variables and perform further deployment. This way adds more encryption layer to the whole Azure deployment.