Creating a project is easy; securing it is not as simple as ABC. Almost everyone has at some point checked a database or service-account password into a version control system like Git. Today the Internet makes this worse rather than better: open GitHub, type "password" into the search box, and you will find plenty of accidentally committed credentials. We can greatly reduce the risk of committing passwords by using Azure Key Vault. How? Read on and I will tell you the secret.
What is Azure Key Vault?
Azure Key Vault is a cloud-based service that offers secret management, certificate management, cryptographic operations and more. In this article I focus on secret management, which is a good fit for storing application credentials.
Adding new secrets
Adding a new secret in Azure Key Vault is a simple task. Select "Secrets" from the left navigation pane and click "Generate". The service stores named key-value pairs, so each secret must have a name that is unique within the vault; updating an existing name creates a new version of that secret rather than overwriting it. Optionally, we can set activation and expiration dates, a content type and custom tags.
In the Azure portal you can also list the stored secrets, provided you have permission to do so. Permissions are covered below.
Azure Key Vault lets you grant permissions per operation: getting, listing, setting, deleting secrets and so on. It is important to grant only the permissions that are actually needed. For instance, if your app only reads secrets, it should have the Get permission and nothing else; it should not be able to list secret names, update them or delete them, because a compromised app would then be able to tamper with the credentials of every other consumer of the vault.
These access policies can be granted to a user, a group, an Azure Active Directory registered application (a service principal) or a Managed Service Identity (MSI).
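As an added example (not code from the article), here is how the least-privilege policy described above is granted to a web app's Managed Service Identity from PowerShell, using the AzureRM module the article uses elsewhere. The resource group, web app and vault names are assumptions.

```powershell
# Added example, not from the article. Assumed names: resource group "rg-demo",
# web app "contoso-web", vault "contoso-kv". Requires the AzureRM module and a logged-in session.

$ResourceGroup = 'rg-demo'
$WebAppName    = 'contoso-web'
$VaultName     = 'contoso-kv'

# 1. Turn on the system-assigned Managed Service Identity for the app.
#    Azure creates a service principal for it; we only need its object (principal) ID.
$app = Set-AzureRmWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName -AssignIdentity $true
$principalId = $app.Identity.PrincipalId

# 2. Least privilege: the app only reads secrets, so it gets only "get".
#    "list" would let it enumerate secret names; "set"/"delete" would let a compromised app tamper with them.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets get

# 3. A deployment service principal may legitimately need get + list, but still no write access.
#    Replace the placeholder with the object ID of your deployment service principal.
# Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId '<deployment-spn-object-id>' -PermissionsToSecrets get,list

# 4. Review what has been granted. Any non-administrator identity holding "set", "delete" or "purge"
#    deserves a second look.
function Get-VaultSecretPermissions {
    param([Parameter(Mandatory)][string] $VaultName)
    (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
        Select-Object ObjectId, DisplayName, PermissionsToSecrets
}
Get-VaultSecretPermissions -VaultName $VaultName
```

Note that Set-AzureRmKeyVaultAccessPolicy replaces the secret permissions for the given object ID rather than adding to them, so running step 2 again with a larger list silently widens the grant; the review function in step 4 is there to catch exactly that.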
Integration with application
As an example, I will integrate an Azure-hosted ASP.NET website with Azure Key Vault. To authenticate to the service, we need to choose one of two options:
- Obtain an OAuth 2.0 access token using ClientId/ClientSecret credentials. The biggest drawback is that the client secret itself has to be delivered to the app (in a configuration file, an environment variable or a deployment pipeline), so you are back to protecting a secret. If it leaks, every secret the application is allowed to read is exposed, and you have to rotate it yourself.
- Obtain the token through Azure Managed Service Identity (MSI). This is considerably more secure: the token is issued by an endpoint reachable only from inside our app's own host, no credential is stored or passed to the app, and Azure manages and rotates the underlying credential for us.
As you can see, reading configuration from Azure Key Vault is not much harder than reading it from local configuration.
If you choose the first approach, the only difference is the callback you pass in for obtaining the token: instead of the MSI token callback, you supply a function that acquires a token for the ClientId/ClientSecret pair.
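The two token flows listed above can be shown without any SDK. What follows is an added example, not the article's ASP.NET code: it performs both flows as raw HTTP from PowerShell and then reads one secret, which makes the security difference visible, because the first function needs a client secret as input and the second does not. The vault name, secret name and tenant/client placeholders are assumptions; the MSI endpoint addresses and API versions are the documented ones for App Service (MSI_ENDPOINT/MSI_SECRET) and for virtual machines (the instance metadata service).

```powershell
# Added example, not from the article. Assumed: vault "contoso-kv", secret "DbPassword";
# tenant ID, client ID and client secret are placeholders supplied by the caller.

$VaultName  = 'contoso-kv'
$SecretName = 'DbPassword'
$Resource   = 'https://vault.azure.net'   # audience of Key Vault data-plane tokens

# Option 1: OAuth 2.0 client credentials. The app must hold a client secret,
# which is exactly the kind of value we are trying to keep out of configuration files.
function Get-KeyVaultTokenWithClientSecret {
    param(
        [Parameter(Mandatory)][string] $TenantId,
        [Parameter(Mandatory)][string] $ClientId,
        [Parameter(Mandatory)][string] $ClientSecret
    )
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = $Resource
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body
    return $resp.access_token
}

# Option 2: Managed Service Identity. The token comes from a local endpoint that only code
# running inside this App Service or VM can reach; nothing secret is passed in.
function Get-KeyVaultTokenWithMsi {
    $encoded = [uri]::EscapeDataString($Resource)
    if ($env:MSI_ENDPOINT) {
        # App Service / Functions: endpoint and header value are injected by the platform at start-up
        $uri  = "$($env:MSI_ENDPOINT)?resource=$encoded&api-version=2017-09-01"
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Secret = $env:MSI_SECRET }
    }
    else {
        # Virtual machine: Azure Instance Metadata Service on a link-local address, not routable off the host
        $uri  = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$encoded"
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = 'true' }
    }
    return $resp.access_token
}

# Reading the secret is identical for both options: only the bearer token differs.
function Get-KeyVaultSecretValue {
    param([Parameter(Mandatory)][string] $AccessToken)
    $uri  = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.0"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    return $resp.value
}

# Preferred path: MSI. Use Get-KeyVaultTokenWithClientSecret only where MSI is not available.
$token       = Get-KeyVaultTokenWithMsi
$secretValue = Get-KeyVaultSecretValue -AccessToken $token
```

Run the MSI path from inside the App Service (for instance from the Kudu console) or from an Azure VM that has a managed identity; on a developer machine neither endpoint exists, which is the point: the token can only be obtained where the identity lives. A valid token is still not enough on its own; the identity also needs an access policy with Get permission on the vault, otherwise the secret request returns 403.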
Integration with scripts
Using Azure Key Vault from PowerShell is even easier than from an application.
Yes, that is all: a single line of code. The only prerequisites are installing the AzureRM.KeyVault module and logging your PowerShell session in to Azure. Keep in mind that after that line the secret is a plaintext string in your session, so do not write it to the console or to a build log.
Using Azure CLI looks quite similar:
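As an added example (not the article's own script), here is the one-liner inside a CI/CD deployment step of the kind described later in the article: it fetches a connection string, hands it to a migration tool through an environment variable, and avoids writing the value to the build log. The vault name, secret name and migration tool are assumptions; the Azure CLI equivalent is given in a comment.

```powershell
# Added example, not from the article. Assumed: vault "contoso-kv", secret "SqlConnectionString",
# migration tool ".\migrate.exe" that reads the MIGRATION_CONNECTION_STRING environment variable.
# Prerequisites on the agent: Install-Module AzureRM.KeyVault, then Login-AzureRmAccount
# (in CI: Login-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $tenantId).

function Get-KeyVaultSecretText {
    param(
        [Parameter(Mandatory)][string] $VaultName,
        [Parameter(Mandatory)][string] $Name
    )
    # Azure CLI equivalent:
    #   az keyvault secret show --vault-name $VaultName --name $Name --query value -o tsv

    # Get-AzureRmKeyVaultSecret returns $null (not an error) for an unknown name, so fail loudly
    # here instead of running the migration with an empty connection string.
    $secret = Get-AzureRmKeyVaultSecret -VaultName $VaultName -Name $Name -ErrorAction Stop
    if (-not $secret) { throw "Secret '$Name' not found in vault '$VaultName'" }
    return $secret.SecretValueText
}

$connectionString = Get-KeyVaultSecretText -VaultName 'contoso-kv' -Name 'SqlConnectionString'

# Never Write-Host/Write-Output the value: CI systems keep build logs for a long time and share them widely.
# Pass it through the environment rather than as a command-line argument, because arguments show up
# in process listings and in some agents' logs.
$env:MIGRATION_CONNECTION_STRING = $connectionString
try {
    & .\migrate.exe
    if ($LASTEXITCODE -ne 0) { throw "Migration failed with exit code $LASTEXITCODE" }
}
finally {
    # Clear the variable so later steps in the same job cannot read it by accident
    Remove-Item Env:\MIGRATION_CONNECTION_STRING -ErrorAction SilentlyContinue
}
```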
Integration with Azure
If you use Azure Resource Manager (ARM) templates and want to stop passing credentials as plaintext parameters, the change is extremely easy. You do not need to change a single line of your application's code.
The only change is in the ARM template parameters file: the parameter's plaintext value is replaced with a reference to the Azure Key Vault secret. Migration means changing the value from this:
After changing the parameter file, make sure the secret stored in Azure Key Vault is up to date and deploy the template. Resource Manager resolves the references and applies the secret values during the deployment; declare such parameters as securestring in the template so the values are not recorded in the deployment history.
Before running the deployment, make sure Azure Resource Manager is allowed to access the vault for template deployment: open the vault's Access policies section and tick the "Enable access to Azure Resource Manager for template deployment" checkbox from the screenshot below. The identity that runs the deployment also needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault (the Contributor role includes it).
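Putting the ARM steps together, as an added example (not the article's own template or script): the parameter file before and after the change, enabling template deployment on the vault, and the deployment command. Resource group, vault, secret and file names are assumptions.

```powershell
# Added example, not from the article. Assumed: resource group "rg-demo", vault "contoso-kv",
# secret "DbPassword", template ".\azuredeploy.json" declaring a parameter "dbPassword"
# of type "securestring" (so the value is not written into the deployment history).

$ResourceGroup = 'rg-demo'
$VaultName     = 'contoso-kv'

# 1. Allow Resource Manager to resolve Key Vault references during deployment.
#    Same effect as the "Enable access to Azure Resource Manager for template deployment" checkbox.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -EnabledForTemplateDeployment

# 2. Before: the parameter file in the repository carried the password itself:
#      "parameters": { "dbPassword": { "value": "P@ssw0rd!" } }
#    After: only the vault's resource ID and the secret name are stored; the value never touches Git.
$vaultId = (Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup).ResourceId
$parameters = @"
{
  "`$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dbPassword": {
      "reference": {
        "keyVault": { "id": "$vaultId" },
        "secretName": "DbPassword"
      }
    }
  }
}
"@
Set-Content -Path .\azuredeploy.parameters.json -Value $parameters -Encoding UTF8

# 3. Deploy. Resource Manager fetches the current version of the secret at deployment time;
#    add "secretVersion" under "reference" if you need to pin a specific version.
#    The identity running this needs Microsoft.KeyVault/vaults/deploy/action on the vault (Contributor has it).
New-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroup `
    -TemplateFile .\azuredeploy.json `
    -TemplateParameterFile .\azuredeploy.parameters.json
```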
Where do I use it?
We use Azure Key Vault in these areas, among others:
- ASP.NET and Azure Functions applications with Managed Service Identity (MSI).
The app connects to Azure Key Vault and loads credentials for external services such as a database or SharePoint.
- PowerShell scripts
Deployment scripts run during CI/CD load the database connection string used by the database migration scripts.
- Azure Resource Manager (ARM) templates
While deploying Azure Logic Apps, Azure Resource Manager loads:
* ClientId/ClientSecret pairs used to obtain access tokens for authenticating HTTP requests to third-party services,
* connection strings for queue systems (Azure Service Bus).
How much does it cost?
I encourage you to check the current pricing of the service. At the time of writing (3.10.2018) it was about 0.03 USD per 1000 requests. At that price, 1 USD per month buys roughly 33,000 requests, or about 46 requests per hour over a 720-hour month. It is a really small expenditure that may save a lot of fear and anxiety.
To sum up:
Azure Key Vault is a small service with one crucial job: keeping your secrets, keys and certificates safe. If you can accept the latency of calling an external service compared to reading local configuration (loading secrets once at start-up rather than on every request keeps both the latency and the request cost low), then I strongly encourage you to try it.