Learn About Azure Key Vault

Introduction

Azure Key Vault is a managed service for storing and controlling access to secrets (connection strings, passwords, API keys), cryptographic keys and certificates. Instead of embedding a secret in application code or configuration files, the application authenticates to Azure AD and fetches the secret from the vault at runtime, so the secret never sits in source control or on a developer's disk, and every read is subject to the vault's access policy and audit logging.

Content

  1. Creating a key vault in the Azure portal
  2. Adding a secret
  3. Integrating a local application with Azure AD to access the secret
  4. Accessing the secret in the local application
  5. Integrating a Web App Service with Azure AD to access the secret

Creating a key vault in the Azure portal

Step 1

Sign in to Azure portal.

Step 2

Under "Create a resource", search the Azure Marketplace for "Key Vault".

 

Step 3

Click Create. The "Add Key Vault" wizard will open.

Step 4

Enter a name, subscription, resource group, location and pricing tier.

  • The name becomes part of the vault's DNS name (https://<name>.vault.azure.net), so it must be globally unique.
  • The Standard tier protects keys in software; the Premium tier adds HSM-protected keys backed by hardware security modules. Secrets are stored the same way in both tiers.
  • In Access policy, the signed-in user who creates the vault is added by default with the full set of key, secret and certificate permissions. Trim that policy once the vault is set up; the application identities you add later should get only the permissions they need (for this article, Get on secrets). Note that the newer portal defaults to the Azure RBAC permission model; this article uses the vault access policy model.

Step 5

Finally, click OK. The deployment of the key vault will start; it usually completes within a minute.

Adding a Secret

Step 1

Under the Settings section, click Secrets and then Generate/Import. This opens the Create a Secret panel.

 

Step 2 

  • Choose Manual as the upload option. (Choose Certificate only if you are uploading a certificate file as a secret.)
  • Give the secret a name. The name is part of the secret's URI, so it cannot be changed later.
  • Enter the secret in the Value field. The value is shown only during creation; afterwards it can only be read back by a principal that holds the Get permission.
  • Optionally set an activation date and an expiry date for the secret. These define the window in which the secret is considered valid. In my case, I haven't set an activation or expiry date.

     
Step 3

Click the secret to see its versions. Each version shows its properties (enabled flag, activation and expiry dates, content type), its secret identifier URI (which includes the version), and its settings. The URI without the version segment, https://<vault-name>.vault.azure.net/secrets/<secret-name>, always resolves to the latest version; applications normally use that form so that rotating the secret does not require a code change.
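The same secret can be created from code rather than the portal, which is how you would set activation and expiry dates consistently across environments. The following C# example is added here and is not part of the original article; it uses the current Azure SDK packages Azure.Identity and Azure.Security.KeyVault.Secrets (not the packages used later in this article), and the vault name mykeyvaultsample, the secret name mySecrete, the 90-day lifetime and the tag are assumed values for illustration. The identity running it needs the Set and List permissions on secrets in the vault's access policy.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example: create a secret with a validity window and read back the
// properties the portal shows under the secret's version (Step 3).
public static class SecretLifetimeDemo
{
    // Assumed vault; replace with your own vault URI.
    private const string VaultUri = "https://mykeyvaultsample.vault.azure.net/";

    public static async Task Main()
    {
        // DefaultAzureCredential uses environment variables, a managed identity,
        // or the signed-in Visual Studio / Azure CLI account, whichever is available.
        var client = new SecretClient(new Uri(VaultUri), new DefaultAzureCredential());

        // Equivalent of the "Create a Secret" panel: name, value, content type,
        // activation (NotBefore) and expiry (ExpiresOn). Values below are assumed.
        var secret = new KeyVaultSecret("mySecrete", "s3cr3t-value")
        {
            Properties =
            {
                ContentType = "text/plain",
                NotBefore = DateTimeOffset.UtcNow,
                ExpiresOn = DateTimeOffset.UtcNow.AddDays(90),
                Tags = { ["owner"] = "platform-team" }
            }
        };

        // SetSecretAsync creates a new version every time it is called.
        KeyVaultSecret stored = await client.SetSecretAsync(secret);

        // The identifier includes the version; the URI without the version
        // segment always resolves to the latest version.
        Console.WriteLine($"Id:        {stored.Id}");
        Console.WriteLine($"Version:   {stored.Properties.Version}");
        Console.WriteLine($"Enabled:   {stored.Properties.Enabled}");
        Console.WriteLine($"NotBefore: {stored.Properties.NotBefore}");
        Console.WriteLine($"ExpiresOn: {stored.Properties.ExpiresOn}");

        // Listing versions returns metadata only, never values, so it needs
        // List but not Get. Useful for auditing rotation without exposing secrets.
        await foreach (SecretProperties v in client.GetPropertiesOfSecretVersionsAsync("mySecrete"))
        {
            Console.WriteLine($"{v.Version} enabled={v.Enabled} expires={v.ExpiresOn}");
        }
    }
}
```

Because every SetSecretAsync call produces a new version, rotation is simply writing the new value; consumers that read the unversioned URI pick it up on their next fetch, and the old version stays available (and can be disabled) for rollback.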
 
 

Integrating a local application with Azure AD to access the secret

Step 1

Go to Azure Active Directory and click App registrations, as shown in the figure below.

 
 
Step 2

Add a new application registration and name it; in my case I named it "MyLocalApp". Since we are going to use it from a web app, choose the Web application type, as shown in the figure below. The registration gives the application its own identity (a service principal) in Azure AD; it is this identity, not the developer's user account, that the vault will trust.

 
Step 3

Once the application is registered in Azure AD, go to the key vault's Access policies blade and add an access policy: search for the application by name, select it as the principal, and grant the required permissions. In my case I left the permissions at the default selection. For an application that only reads secrets, the least-privilege choice is Get on secrets alone; avoid granting List, Set or Delete, and avoid key or certificate permissions the application does not use, since anyone who obtains the application's credential inherits exactly this policy.

 
Adding an application 
 
 

Accessing the secret in the local application

I'm going to use my existing ASP.NET Core web application to explain how to fetch the secret from the key vault. The endpoint below returns the raw secret value over an anonymous route purely to make the round trip visible in Postman; never expose a secret through an API like this in a real application. Use the value server-side and return only the result of using it.

ValuesController.cs

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    // Demo only: an anonymous endpoint that returns the secret value so the
    // round trip can be checked in Postman. Do not ship an endpoint like this.
    [HttpGet]
    [AllowAnonymous]
    [Route("GetSecrete")]
    public async Task<JsonResult> GetSecrete()
    {
        // Obtains an Azure AD token for the vault: managed identity in Azure,
        // developer credentials or a connection string when running locally.
        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

        // Secret identifier without a version segment: always returns the latest version.
        var secret = await keyVaultClient
            .GetSecretAsync("https://mykeyvaultsample.vault.azure.net/secrets/mySecrete")
            .ConfigureAwait(false);

        return Json(secret.Value);
    }

We need to add a couple of NuGet packages:

  1. Microsoft.Azure.Services.AppAuthentication
  2. Microsoft.Azure.KeyVault

Both packages have since been deprecated by Microsoft; their successors are Azure.Identity (authentication) and Azure.Security.KeyVault.Secrets (the secret client). The flow described in this article is the same with either pair.

AzureServiceTokenProvider obtains the access token for the vault. Where the token comes from depends on the environment: in Azure App Service it uses the web app's managed identity; on a developer machine it falls back to the account signed in to Visual Studio or the Azure CLI; and to run as the MyLocalApp registration itself, you set the AzureServicesAuthConnectionString environment variable to RunAs=App;AppId=<application id>;TenantId=<tenant id>;AppKey=<client secret>, where the client secret is created under the app registration's Certificates & secrets blade. Whichever identity supplies the token is the one that must hold the Get permission in the vault's access policy, and that identity is what appears in the vault's audit logs.

KeyVaultClient is the client that calls the vault once the token callback succeeds. GetSecretAsync takes the secret identifier URI; without a version segment it returns the latest version.
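Below is a hardened version of the controller above, written as an added example rather than the article's own code. It uses the successor packages Azure.Identity, Azure.Security.KeyVault.Secrets and Microsoft.Extensions.Caching.Memory; the configuration key KeyVault:Uri, the cache lifetime, the endpoint name and the VaultSecretReader class are assumptions of this example. Three things differ from the original: the vault URI comes from configuration instead of a hard-coded string, the secret is checked against its enabled flag and validity window and cached so the vault is not hit on every request, and the value is used server-side behind an authenticated endpoint instead of being returned to the caller. Because DefaultAzureCredential covers environment variables (the MyLocalApp client secret), the App Service managed identity, and the developer's Visual Studio or Azure CLI login, the same code serves both the local and the deployed scenarios in this article.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Configuration;

// Added example (assumed class name). Registered in Startup.ConfigureServices with
//   services.AddMemoryCache();
//   services.AddSingleton<VaultSecretReader>();
// Authentication for the [Authorize] attribute is assumed to be configured elsewhere.
public sealed class VaultSecretReader
{
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5); // assumed lifetime
    private readonly SecretClient _client;
    private readonly IMemoryCache _cache;

    public VaultSecretReader(IConfiguration config, IMemoryCache cache)
    {
        // Assumed setting, e.g. "KeyVault:Uri": "https://mykeyvaultsample.vault.azure.net/"
        string uri = config["KeyVault:Uri"]
            ?? throw new InvalidOperationException("KeyVault:Uri is not configured.");

        // Credential chain: environment variables (AZURE_CLIENT_ID / AZURE_TENANT_ID /
        // AZURE_CLIENT_SECRET for an app registration such as MyLocalApp), then the
        // managed identity of the App Service, then Visual Studio / Azure CLI logins.
        _client = new SecretClient(new Uri(uri), new DefaultAzureCredential());
        _cache = cache;
    }

    // Returns the secret value, or throws if the secret is disabled or outside
    // its activation/expiry window. Values are cached to limit vault round trips.
    public async Task<string> GetAsync(string name, CancellationToken ct = default)
    {
        if (_cache.TryGetValue(name, out string cached))
            return cached;

        KeyVaultSecret s = await _client.GetSecretAsync(name, cancellationToken: ct);
        DateTimeOffset now = DateTimeOffset.UtcNow;

        if (s.Properties.Enabled == false ||
            (s.Properties.NotBefore is { } nbf && nbf > now) ||
            (s.Properties.ExpiresOn is { } exp && exp <= now))
        {
            throw new InvalidOperationException(
                $"Secret '{name}' is disabled or outside its validity window.");
        }

        _cache.Set(name, s.Value, CacheTtl);
        return s.Value;
    }
}

[ApiController]
[Route("api/[controller]")]
public class ValuesController : ControllerBase
{
    private readonly VaultSecretReader _secrets;

    public ValuesController(VaultSecretReader secrets) => _secrets = secrets;

    // Assumed endpoint name. The secret is consumed here (for example as a database
    // password) and only a status is returned; the value never leaves the server.
    [HttpGet("SecretStatus")]
    [Authorize]
    public async Task<IActionResult> SecretStatus(CancellationToken ct)
    {
        try
        {
            string dbPassword = await _secrets.GetAsync("mySecrete", ct);
            bool usable = !string.IsNullOrEmpty(dbPassword); // stand-in for real use of the value
            return Ok(new { secretAvailable = usable });
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The calling identity lacks the Get permission in the vault's access
            // policy, or the vault's network rules block this host.
            return StatusCode(503, "Key Vault access denied for this identity.");
        }
        catch (InvalidOperationException ex)
        {
            // Disabled or expired secret: fail closed rather than use a stale value.
            return StatusCode(503, ex.Message);
        }
    }
}
```

When a 403 comes back, check the principal first: locally it is whichever account or app registration DefaultAzureCredential resolved to, in App Service it is the web app's managed identity, and that exact principal must appear in the vault's access policy with Get on secrets.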

Testing the API in Postman

 

We got the secret successfully.

I will publish this application as a web app in Azure; please go through my previous article to see how to deploy an application to Azure App Service.

Integrating a Web App Service with Azure AD to access the secret

Step 1

Go to the web app's Managed Service Identity blade (called Identity in the current portal), select System assigned, and turn "Register with Azure Active Directory" (Status) on, as shown in the figure below. This creates a service principal for the web app whose credential is managed by Azure, so the deployed application needs no client secret or connection string at all.

 

Step 2

Repeat the access policy step we followed for the local application, but this time search for the web app's identity as the principal and grant it Get on secrets. GitHub-CI is my web app name, so that is the principal I added.

 
Testing the API in Postman
 
https://github-ci.azurewebsites.net/api/values/GetSecrete 
 
 
 
We got the secret successfully, this time with the App Service's managed identity supplying the token and no credential stored in the application.

I hope, you have enjoyed this article. Your valuable feedback, questions or comments about this article are always welcome.