Introduction
Azure Key Vault is a service used to safeguard the keys and secrets of other services in Azure. It improves security because an application no longer has to store or access the keys directly; it retrieves them from the vault at runtime.
Contents
- Creating a key vault in the Azure portal
- Adding a Secret
- Integrating a local application to Azure AD to access secret
- Accessing the secret in the local application
- Integrating a Web App Service to Azure AD to access secret
Creating a key vault in the Azure portal
Step 1
Sign in to Azure portal.
Step 2
Search for “vault” in the Azure marketplace.
Step 3
Click Create. The "Add Key Vault" wizard will open.
Step 4
Enter a name, subscription, resource group, and pricing tier.
- The Premium pricing tier adds hardware security module (HSM) backing for keys.
- Under Access policy, the admin user (the account creating the vault) is added by default.
Step 5
Finally, click OK. The deployment of the key vault will start.
Adding a Secret
Step 1
Under the Settings section, click Secrets, then click Generate/Import. This opens the Create a Secret panel.
Step 2
- Choose Manual as the upload option; if you need to upload a certificate, choose Certificate instead.
- Give the secret a name.
- Enter the secret in the Value field.
- An activation date and an expiry date can be set for the secret. In my case, I haven't set either.
Step 3
Click on the secret to check its properties, URI, and settings.
Integrating a local application to Azure AD to access secret
Step 1
Go to Azure Active Directory and click App registrations, as shown in the figure below.
Step 2
Add a new application registration and name it; in my case I named it "MyLocalApp". Since we are going to use a web app, set the application type to web app, as shown in the figure below.
Step 3
Once the application is added to Azure AD, go to the Access policies of the key vault, add an access policy, search for the application and add it as the principal, then grant the required permissions. In my case, I have left the permissions at the default.
Adding an application
Accessing the secret in the local application
I'm going to use my existing ASP.NET Core web application to explain how to fetch the secret from the key vault.
ValuesController.cs

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

[Route("api/[controller]")]
public class ValuesController : Controller
{
    [HttpGet]
    [AllowAnonymous]
    [Route("GetSecrete")]
    public async Task<JsonResult> GetSecrete()
    {
        // Acquires a Key Vault token using the developer identity locally,
        // or the Managed Service Identity when running in App Service.
        AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

        // Fetches the latest version of the secret by its identifier URI.
        var secret = await keyVaultClient.GetSecretAsync("https://mykeyvaultsample.vault.azure.net/secrets/mySecrete").ConfigureAwait(false);

        return Json(secret.Value);
    }
}
```
We need to add a couple of packages from NuGet:
- Microsoft.Azure.Services.AppAuthentication
- Microsoft.Azure.KeyVault
AzureServiceTokenProvider is used for authentication.
KeyVaultClient is the client used to get the secret once the authentication is successful.
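The same two classes can be wrapped in a small service so that the vault name comes from configuration rather than a hard-coded URI, the retrieved value is cached instead of being fetched on every request, and the controller never echoes the secret to callers. The following is an added example, not the article's code: the class KeyVaultSecretReader, the configuration key KeyVault:VaultName, and the SecretStatus action are assumed names. It works unchanged when the application is deployed to App Service with Managed Service Identity, because AzureServiceTokenProvider selects the identity at runtime.

```csharp
// Added example (not the article's code). KeyVaultSecretReader, the
// "KeyVault:VaultName" configuration key and the SecretStatus action are assumptions.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

public sealed class KeyVaultSecretReader
{
    private readonly KeyVaultClient _client;
    private readonly string _vaultBaseUrl;
    private readonly ILogger<KeyVaultSecretReader> _logger;
    private readonly ConcurrentDictionary<string, string> _cache = new ConcurrentDictionary<string, string>();

    public KeyVaultSecretReader(IConfiguration configuration, ILogger<KeyVaultSecretReader> logger)
    {
        // AzureServiceTokenProvider uses the developer identity locally (az login / Visual Studio)
        // and the Managed Service Identity in App Service, so no credential is stored in the app.
        var tokenProvider = new AzureServiceTokenProvider();
        _client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

        // The vault name comes from appsettings.json / environment, not from source code.
        var vaultName = configuration["KeyVault:VaultName"]
            ?? throw new InvalidOperationException("KeyVault:VaultName is not configured");
        _vaultBaseUrl = $"https://{vaultName}.vault.azure.net/";
        _logger = logger;
    }

    public async Task<string> GetSecretAsync(string secretName)
    {
        if (_cache.TryGetValue(secretName, out var cached))
        {
            return cached;
        }

        try
        {
            // GetSecretAsync(vaultBaseUrl, secretName) returns the current version of the secret.
            SecretBundle bundle = await _client.GetSecretAsync(_vaultBaseUrl, secretName).ConfigureAwait(false);
            _cache[secretName] = bundle.Value;
            return bundle.Value;
        }
        catch (KeyVaultErrorException ex)
        {
            // Log the status and secret name only; never log the secret value or the full response.
            _logger.LogError(ex, "Key Vault returned {Status} for secret {SecretName}",
                ex.Response?.StatusCode, secretName);
            throw;
        }
    }
}

[Authorize]
[Route("api/[controller]")]
public class ValuesController : Controller
{
    private readonly KeyVaultSecretReader _secrets;

    public ValuesController(KeyVaultSecretReader secrets)
    {
        _secrets = secrets;
    }

    [HttpGet("SecretStatus")]
    public async Task<IActionResult> SecretStatus()
    {
        // The secret is used server-side; only a confirmation leaves the application.
        var value = await _secrets.GetSecretAsync("mySecrete");
        return Ok(new { retrieved = !string.IsNullOrEmpty(value) });
    }
}
```

Register the reader once in Startup.ConfigureServices with services.AddSingleton<KeyVaultSecretReader>() so the token provider and client are reused across requests. The in-memory cache has no expiry, so a rotated secret is only picked up after the application restarts; add a time-to-live to the cache entries if secrets rotate while the app is running.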
Testing the API in Postman
We got the secret successfully.
I will publish this application as a web app in Azure; please go through my previous article to learn how to deploy an application to Azure App Service.
Integrating a Web App Service to Azure AD to access secret
Step 1
Go to the Managed Service Identity blade of the web app and turn on Register with Azure Active Directory, as shown in the figure below.
Step 2
Repeat the step we followed for integrating the local application with Azure AD to access the secret. GitHub-CI is my web app's name.
Testing the API in Postman
https://github-ci.azurewebsites.net/api/values/GetSecrete
We got the secret successfully.
I hope you have enjoyed this article. Your valuable feedback, questions, or comments about this article are always welcome.