Microsoft Azure is a set of cloud services to help an organization meet its business challenges using a cloud solution. It gives the freedom to build, manage, and deploy applications in a secure way on a massive, global network using the developer’s favorite tools and frameworks.
Azure provides services in several categories (IaaS, PaaS, SaaS, DBaaS) that customers use to build their business-critical solutions.
Azure KeyVault
Azure KeyVault is a cloud service for storing and encrypting cryptographic keys and small secrets such as passwords, using keys held in a Hardware Security Module (HSM). Secure key management is essential to protect data in the Azure cloud, and KeyVault provides a secure store for keys, passwords, connection strings, and certificates.
We can retrieve a secret from KeyVault by invoking its REST URI from our application.
Scenario to use KeyVault
- Applications that use a database need to store the database credentials in secured storage.
- Connection strings are kept in KeyVault in the same way we store certificates.
Creating a KeyVault in Azure
You can create a KeyVault and assign the secret value by using the CLI, a PowerShell script, or the Azure Portal. You can even create a KeyVault using .NET, Node.js, or an ARM template. It is an advantage of Azure that every resource in the cloud can be created in multiple ways.
Here, I am using the Portal to create a KeyVault in Azure, as it makes the steps easy to follow.
Step 1
Log in to Azure portal with your subscription.
Step 2
In Create Resource -> Search for KeyVault.
Step 3
Click "Create" and fill in the below details.
Name – Name of your KeyVault
Subscription – Enter your subscription
Resource Group – Enter your resource group to create this KeyVault
Location – Choose the location where you want the KeyVault deployed
Pricing tier – Choose Standard (default)
If you want HSM-backed protection for your secrets, choose Premium.
Access policies – Choose your application Service Principal to access KeyVault
Virtual Network Access – All Network access (default)
If only a particular network should be able to access your key vault, choose an existing VNet or create a new one.
Once you've added all the details, create your KeyVault.
Step 4
Search for the KeyVault name and select it.
Now, we need to add the secret inside this KeyVault. You can add any number of secrets here.
Step 5
Go to Settings -> Secret. Click "Generate/Import" to create a new secret.
Step 6
Provide the below details.
Name – the name of your secret
Value – the value of the secret
You can choose an activation date and an expiration date for your secret. The secret value is enabled from the activation date and is no longer valid after the expiration date.
Choose "Enable by default" for enabling your secret.
Click "Create" for the creation of a secret.
The secret has been generated successfully. You can view your secret under Settings -> Secret.
Step 7
Choose your secret. You can view the Secret Identifier URL. We can use this URI to retrieve the secret value in your application.
Retrieve KeyVault using C# code
We can use .NET code to retrieve the secret value in the application by using the KeyVault URI. Add the below NuGet packages to your application to access the secret.
- Microsoft.Azure.KeyVault
- Microsoft.Azure.Services.AppAuthentication
The below code will retrieve the secret value by URI.
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
// Acquire a token for the app's identity (its managed identity when running in Azure)
AzureServiceTokenProvider tokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
// Call the secret identifier URI; await it rather than blocking on .Result
SecretBundle credential = await keyVaultClient.GetSecretAsync(URI);
string secret = credential.Value;
The above code first authenticates with KeyVault, calls the Secret URI, and returns the value of the secret. But it takes some time to get the value of the secret.
I have implemented this example by creating a Function app in Azure.
Creating a Function App
You can create a function app in the Azure portal or in Visual Studio. Here, I have created the Function App in Visual Studio, created the resource in the Azure Portal, and deployed my code to Azure.
Step 1
Create Resource -> Compute -> FunctionApp
Step 2
Enter the below details for the Function app and click "Create".
App name – Name of your Function app
Subscription – Your Subscription
Resource Group – Create new or choose existing
OS – Type of OS. Choose Windows or Linux
Hosting Plan – Consumption (pay as you go) or App Service Plan
I created a new App Service Plan
Runtime Stack – .NET
Storage – Create new storage or choose existing
Application Insights – Disabled
Click "Create" and the function app is created.
Step 3
Now, deploy your function app code from Visual Studio to the Azure Function App resource. For example, I have created the simple code below.
Note
To measure the time taken to retrieve the KeyVault secret value, I recorded the DateTime before calling KeyVault and after the call completed. So we can analyze how much time is taken to retrieve the KeyVault secret value.
I have implemented the code in the KeyVault_Retreive class file and called the method from the function app.
Right-click on the solution and select "Publish".
Step 4
Choose Existing Azure App Service and click Publish, because we have already created the Azure Function app resource.
Step 5
Enter your Azure credentials. Choose the Subscription and Resource group where your function app resource is deployed.
Click OK. It will publish your function App code to the Azure Function App resource.
Set up a Managed Identity in Function App
When a cloud application uses Azure AD credentials and authenticates with them each time it accesses a cloud service, those credentials have to be managed and secured inside the application. To authenticate an application without AD credentials in code, Azure provides the "Managed Identity" feature to solve this problem. It doesn't require any AD credentials in your code and lets the application access Azure resources directly.
Note
To use a managed identity, your application must be deployed to an Azure resource. A client application running from Visual Studio or any other framework can't access Azure resources using a managed identity. In that case, you have to use Azure AD credentials.
Go to the KeyVault which you created earlier. Choose Access Policies and "Add New".
In Select Principal, you can see your Azure Function App resource automatically.
Give the required Key permissions and Secret permissions for the KeyVault.
Click "Save".
In our case, our function app only reads the secret value, so I granted only the Get secret permission. Now, my function app has access to KeyVault.
Now, if I run the function app, it will retrieve the Secret value from the KeyVault. To see the log:
We retrieved the secret value from the function app. Using the code, it takes 271 milliseconds (refer to the below screenshot).
An effective way to get KeyVault
In the above example, using the C# code to access KeyVault and retrieve the value takes 271 milliseconds. In real-world enterprise applications, many connection strings and credentials are kept in KeyVault, and every value fetched from KeyVault in the application through a keyVaultClient API call reduces performance.
To improve the performance of fetching the KeyVault secret value in the application without code, we use the below syntax in the application settings. This reference syntax makes the platform retrieve the secret value directly from the KeyVault.
@Microsoft.KeyVault(SecretUri=secret_uri_with_version)
So, I have updated my earlier code and deployed it again to the FunctionApp resource. I have commented out the KeyVaultClient API call code and added a line for fetching the environment variable value.
The same variable is declared in the Function App Azure resource with the @Microsoft.KeyVault keyword syntax.
Now, I have deployed my updated function App code from Visual Studio to the Azure resource. If you run the Function App resource now, it will fetch the secret value in 6 milliseconds. It is a huge time difference compared to the earlier version of the code.
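As an added example (not the article's own code), the helper below shows how a .NET function app can read a secret that the platform resolved from a @Microsoft.KeyVault application setting, detect the case where the reference was not resolved, and time that path against the KeyVaultClient call. The setting name DbConnectionString is an assumption for this example.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static class SecretLoader
{
    // Application setting whose value is @Microsoft.KeyVault(SecretUri=...).
    // Hypothetical name chosen for this example.
    private const string SettingName = "DbConnectionString";

    // Reads the value the platform resolved from the Key Vault reference.
    // If resolution fails (missing access policy, wrong URI, deleted version),
    // App Service leaves the raw reference text in the setting, so detect that
    // instead of handing it to the database driver as if it were the secret.
    public static string FromAppSetting()
    {
        var value = Environment.GetEnvironmentVariable(SettingName);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"App setting '{SettingName}' is not set.");
        if (value.StartsWith("@Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Key Vault reference in '{SettingName}' was not resolved; check the function app's managed identity and the vault's access policy.");
        return value;
    }

    // The same secret fetched through the SDK with the managed identity, for comparison.
    public static async Task<string> FromKeyVaultClientAsync(string secretUri)
    {
        var tokenProvider = new AzureServiceTokenProvider();
        var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
        var bundle = await client.GetSecretAsync(secretUri);
        return bundle.Value;
    }

    // Times both paths the way the article does; logs durations only, never the secret.
    public static async Task CompareAsync(string secretUri, Action<string> log)
    {
        var sw = Stopwatch.StartNew();
        FromAppSetting();
        log($"App setting (Key Vault reference): {sw.ElapsedMilliseconds} ms");

        sw.Restart();
        await FromKeyVaultClientAsync(secretUri);
        log($"KeyVaultClient call: {sw.ElapsedMilliseconds} ms");
    }
}
```

Call CompareAsync from the function with the Secret Identifier URI and the function's log.LogInformation as the log callback.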