How can an ADF Custom Activity access the Azure Key Vault? - azure

I have a custom activity that runs through an ADF pipeline, with an Azure Batch for the execution. The custom activity needs to access the Azure Key Vault, but I don't want to leave any secrets/keys coded in the custom activity.
How can I get the custom activity to use the service principal to access the Azure Key Vault? I have no problem coding access to the Azure Key Vault using the service principal credentials (appId and key), but I obviously don't want to leave a key in the code.
So the question is: How can an ADF Custom Activity, running in an Azure Batch, access the Azure Key Vault through a service principal?
Thanks!

This is similar to how to access Key Vault from an Azure Batch task. There are some ways to avoid hard-coding the secrets in code. One is to use a certificate which can be deployed to the Batch VM (https://samcogan.com/secure-credential-access-with-azure-batch-and-keyvault/), or you may use a resource file (https://learn.microsoft.com/en-us/azure/batch/batch-dotnet-get-started#resourcefiles) to provide the secrets.

Related

How to auto renew Service Principals secrets in Azure

I have an issue: how do I auto renew Service Principal secrets in Azure Key Vault?
In short - you can't.
Azure KeyVault only provides the option to auto rotate keys. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.
https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/
What you are trying to achieve is different. Azure AD Service principals are managed by Azure AD. So, you need some sort of automation which generates a new secret there and updates it in keyvault.
A better way (if possible) would be managed identity. Managed Identities can be used like service principals but are fully managed, and the secrets are managed behind the scenes for you.
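The automation the answer describes, as an added example in Az PowerShell (not the answerer's code): Azure AD generates a new service principal password, it is stored as a new secret version in Key Vault, and only then are the previous passwords retired. It assumes the Microsoft Graph based Az.Resources cmdlets (6.x or later) and uses placeholder names for the service principal, vault and secret.

```powershell
# Added example: rotate a service principal's client secret and publish it to Key Vault.
# Service principal, vault and secret names are placeholders.
param(
    [string]$SpDisplayName = "<service-principal-name>",
    [string]$VaultName     = "<key-vault-name>",
    [string]$SecretName    = "<secret-name>",
    [int]$ValidDays        = 90
)

$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName
if (-not $sp) { throw "Service principal '$SpDisplayName' not found" }

# Remember the credentials that exist now, so only these are retired afterwards.
$oldKeyIds = @(Get-AzADSpCredential -ObjectId $sp.Id | ForEach-Object KeyId)

# 1. Azure AD generates the new password; SecretText is returned exactly once, here.
$expires = (Get-Date).ToUniversalTime().AddDays($ValidDays)
$cred = New-AzADSpCredential -ObjectId $sp.Id -EndDate $expires
$secure = ConvertTo-SecureString -String $cred.SecretText -AsPlainText -Force

# 2. Write it to Key Vault as a new version, with the same expiry so consumers
#    (and Key Vault's expiry notifications) know when it must be rotated again.
$kvSecret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
    -SecretValue $secure -Expires $expires -ContentType "text/plain" `
    -Tag @{ appId = $sp.AppId; keyId = $cred.KeyId }

# 3. Only now retire the previous passwords. Consumers that already read the new
#    version keep working; anything still caching the old value fails from here on,
#    so leave one cache refresh cycle between steps 2 and 3 if your apps cache secrets.
foreach ($keyId in $oldKeyIds) {
    Remove-AzADSpCredential -ObjectId $sp.Id -KeyId $keyId
}

Write-Host "Rotated $SpDisplayName; Key Vault secret version $($kvSecret.Version) expires $expires"
```

Run it from an Automation runbook or pipeline on a schedule shorter than `$ValidDays`; the identity running it needs permission to manage the service principal's credentials and to set secrets in the vault.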

Azure key vault. How to set which web app uses what key vault?

I have several versions of the same web app running on the same subscription service.
I have 2 logical environments. Dev and UAT.
I have WebAppDev and WebAppUAT.
I have two key vaults KVDev and KVUAT.
How can I configure the correct web app to use the correct key vault?
What process assigns the web apps to key vaults?
Edit:
I had assumed that the key vault would act like the secrets do when developing.
This tutorial seems to suggest that the key vault can be used as a configuration provider. However, the web app is not accessing the key vault values.
Get the Object ID from the identity blade of the web app.
Find your azure key vault and create a new access policy using the Object Id of web app.
Alternatively, use the following in PowerShell (the vault name and the web app's Object ID are placeholders to fill in):
Set-AzKeyVaultAccessPolicy -VaultName "<vault-name>" -ObjectId "<web-app-object-id>" -PermissionsToKeys backup,create,delete,get,import,list,restore -PermissionsToSecrets get,list,backup,restore,recover
Follow this tutorial and copy the code from Program.cs in the sample.
Taking a different angle, the current questions and comments tackle the authentication to KeyVault.
However, it sounds like a more fundamental problem and that you need to vary your configuration per environment.
i.e. WebAppDev needs to be configured to use a KVDev URL and WebAppUAT needs to use KVUAT URL.
Assuming you are using App Service Plans, this documentation provides a mechanism to store environment specific configuration along with guidance on how to use it for your programming language of choice; you will need to refer to the Application Specific configuration section.
https://learn.microsoft.com/en-us/azure/app-service/configure-common
Configuring in the portal will get you so far, but over time you will likely wish to contain the configuration in a release management pipeline so you don't need to configure things by hand. Azure DevOps Pipeline is one such tool for this:
https://learn.microsoft.com/en-us/azure/devops/pipelines/get-started/?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&bc=%2Fazure%2Fdevops%2Fboards%2Fpipelines%2Fbreadcrumb%2Ftoc.json&view=azure-devops
To get you started there is a specific deployment task which can aid in setting configuration for App Service Plans: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment?view=azure-devops
Over time I'd suggest that, rather than splitting configuration between a Release Pipeline and source control, configuration which doesn't require deployment time modifications should stay source controlled in ARM templates, but that is an answer in its own right so I won't confuse matters with too much detail.
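The two answers above fit together; as an added example in Az PowerShell (not code from either answerer), this enables each web app's system-assigned identity, grants that identity only secret get/list on its own vault, and points the app at that vault through an app setting. The resource group name is a placeholder; the web app and vault names are the ones from the question.

```powershell
# Added example: wire WebAppDev -> KVDev and WebAppUAT -> KVUAT.
# Resource group name is a placeholder; web app and vault names come from the question.
$ResourceGroup = "<resource-group>"
$Targets = @(
    @{ WebApp = "WebAppDev"; Vault = "KVDev" },
    @{ WebApp = "WebAppUAT"; Vault = "KVUAT" }
)

foreach ($t in $Targets) {
    # 1. Turn on the system-assigned managed identity. Its PrincipalId is the
    #    "Object ID" shown on the web app's Identity blade in the portal.
    $app = Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $t.WebApp -AssignIdentity $true
    $principalId = $app.Identity.PrincipalId

    # 2. Grant only what a configuration provider needs: read secrets, no key permissions.
    Set-AzKeyVaultAccessPolicy -VaultName $t.Vault -ObjectId $principalId `
        -PermissionsToSecrets get,list

    # 3. Vary configuration per environment: the app reads KeyVaultUri at startup
    #    instead of hard-coding a vault. Set-AzWebApp -AppSettings replaces the whole
    #    collection, so the existing settings are copied first.
    $vault = Get-AzKeyVault -VaultName $t.Vault
    $settings = @{}
    foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
    $settings["KeyVaultUri"] = $vault.VaultUri
    Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $t.WebApp -AppSettings $settings | Out-Null

    Write-Host "$($t.WebApp) ($principalId) -> $($vault.VaultUri)"
}
```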
If you want to access Azure Key Vault by programming with the SDK or REST API, then it would not be a problem, because different key vaults have different DNS names. When you try to retrieve a secret or key in your code, you need to use its identifier URL, which contains its key vault DNS name. It will finally find the target key vault.
If you want to use key vault in web app with managed identity, you may refer to the tutorial: Use Azure Key Vault with an Azure web app in .NET
In that tutorial, you will enable the identity of a web app. And then you can assign access policy to that identity. In this way, the web app will be able to access the key vault with managed identity.

Why doesn't the Azure portal have the Azure Key Vault option anymore when granting permissions to an AD application?

I am trying to grant permissions to my Web App/API type application in Azure directory to use Azure Key Vault.
When I go to Required Permissions > Add API Access > Select an API, I can't find Azure Key Vault there. I remember it was there before but not now. Where can I find it?
Image:
https://ibb.co/dswdXq
Behavior shown in your image - Azure Key Vault missing from "Select an API" blade
I have seen the behavior your image shows for a new Azure subscription, only when there were no Key Vaults so far in the Azure subscription linked to that Azure Active Directory.
Once you create a new Key Vault (you don't even need to add any keys), "Azure Key Vault" shows up while adding permissions to your app registrations in Azure AD (same steps as your image). At least, that's how it worked in my case.
Special case worth mentioning
You can create multiple Azure ADs in your Azure subscription and register your applications in any of them. Azure Key Vault, however, works in a special way and is linked to only one Azure AD: the Azure AD that your Azure subscription trusts (an Azure subscription also trusts only one Azure AD). So you could also run into the behavior shown in your image if you're registering the application in a different Azure AD than the one your Azure subscription trusts.
Granting permissions to your Web App/API to use Key Vault
In most cases it's not even required to do the steps you're showing in your image just for a web application to be able to access Key Vault, since that is controlled by Azure Key Vault access policies. #junnas has already explained this part very well, so you can refer to that.
You can go to your Key Vault -> Access Policies -> Add, and create a new policy for the app.
Select the app as the principal, and give it the access you want.
You don't need to touch the Authorized application option.
You should then be able to acquire tokens for Key Vault using the client id and secret (or certificate).
Key Vault does not require that you assign it to an app, unless you wanted to do delegated access.
In fact any app can acquire a token for any API that exists as a service principal in your tenant (and Key Vault does).
Of course the token itself won't contain any permissions, but Key Vault has its own access management (access policies).

Azure KeyVault with Key Rotation

Our application hasn't used Key Vault until now. We are thinking of using Azure Key Vault to enforce security for keys, secrets and certificates. I read the Microsoft documentation on this link. It's not clear that Azure Key Vault works with identity providers other than Azure AD, because we are not using Azure AD but we are using Azure App Service and a storage account. We also want to implement key rotation with 1 hour expiry.
My questions are:
Should the web app be registered with Azure AD to use Key Vault?
While creating an Azure Key Vault I didn't see any option about key rotation. Am I looking in the wrong place?
Any sample code would be helpful.
When you create a key vault in an Azure subscription, it is automatically associated with the subscription's Azure Active Directory tenant. All callers (users and applications) must be registered in this tenant to access this key vault. That means that to access the keys and secrets stored inside the key vault, the requesting applications have to be added in Azure Active Directory and also need permissions to read keys and secrets in Azure Key Vault.
Related tutorials below are for your reference:
Get started with Azure Key Vault
How to set up Key Vault with end to end key rotation and auditing - This walks through how to set up key rotation and auditing with Azure Key Vault.
Azure Key Vault Developer's Guide
Use Azure Key Vault from a Web Application

Azure Automation Credentials using Azure Key Vault secrets

Is there a way to create an Azure Automation Credential asset which links to an Azure Key Vault secret? Similar question for a Certificate in Azure Automation.
I want to be able to store my passwords and such all in one place, the Key Vault, so that when I change it I don't have to change it in a bunch of places. I cannot find any documentation that indicates this is possible though. Am I missing it?
Thank you for any suggestions....
You can't link a Credential asset directly to Key Vault, however it should be possible to write a script that connects to Key Vault and updates the appropriate Automation Credentials from there.
This could either be fired on a schedule, a webhook, or by picking up Key Vault events from the new Event Grid (presuming they are currently wired up).
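The script the answer suggests, as an added example in Az PowerShell (not the answerer's code): it reads each mapped secret from Key Vault and writes it into the matching Automation Credential asset, creating the asset if needed and skipping assets that already hold the current secret version. The Automation account, vault, asset and secret names are placeholders; it is meant to run as a scheduled runbook under an identity with secret get permission on the vault.

```powershell
# Added example: refresh Azure Automation Credential assets from Key Vault secrets.
# Automation account, vault, asset and secret names are placeholders.
$ResourceGroup     = "<resource-group>"
$AutomationAccount = "<automation-account>"
$VaultName         = "<key-vault-name>"

# Map each Credential asset to the vault secret holding its password and to its user name.
$Mappings = @(
    @{ Asset = "SqlServiceAccount"; Secret = "sql-svc-password"; UserName = "svc_sql" },
    @{ Asset = "SmtpRelay";         Secret = "smtp-password";    UserName = "relay@example.com" }
)

foreach ($m in $Mappings) {
    # Get-AzKeyVaultSecret hands back the value as a SecureString; it is never converted to
    # plain text here, because PSCredential takes the SecureString directly.
    $kv = Get-AzKeyVaultSecret -VaultName $VaultName -Name $m.Secret
    if (-not $kv) { Write-Warning "Secret $($m.Secret) missing in $VaultName; skipping $($m.Asset)"; continue }

    $existing = Get-AzAutomationCredential -ResourceGroupName $ResourceGroup `
        -AutomationAccountName $AutomationAccount -Name $m.Asset -ErrorAction SilentlyContinue

    # The asset's Description records which Key Vault secret version it carries, so a frequent
    # schedule only rewrites the credential when the secret actually changed.
    $marker = "kv:$($m.Secret)@$($kv.Version)"
    if ($existing -and $existing.Description -eq $marker) { continue }

    $credential = New-Object System.Management.Automation.PSCredential ($m.UserName, $kv.SecretValue)
    if ($existing) {
        Set-AzAutomationCredential -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccount `
            -Name $m.Asset -Value $credential -Description $marker
    } else {
        New-AzAutomationCredential -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccount `
            -Name $m.Asset -Value $credential -Description $marker
    }
    Write-Output "Updated $($m.Asset) from $marker"
}
```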
