Secure Access to your secret keys with Azure Key Vault

Rajesh Rajamani
5 min read · Jun 24, 2021

This entry is part of the Cloud For Dummies series, where I talk about all things cloud in simple terms. If you are interested in following my future articles or want to check my other articles, please dig in.

As an able cloud administrator or solution architect, it is your duty to protect the API keys and database credentials that are crucial to your cloud resources. However, this always creates friction, as the development team wants access to just about everything. Ring a bell?

So you are caught in the crossfire between Information Security guidelines, which dictate that no one should know the credentials, and the development team, which needs these credentials and secrets to keep the application running smoothly.

Azure Key Vault has just the right set of tools for you.

Before we proceed further, I assume that you have at least a free Azure subscription to work with and follow this tutorial.

For this example we are going to enable an Azure Functions app to securely access a secret from Azure Key Vault.

If you are new to Azure Functions, I strongly recommend that you take a look at my entry below before proceeding further.

Our tutorial has two parts:

  1. Setting up the Key Vault with all access requirements
  2. Demonstrating secure access to the secrets in key vault using an Azure Function

In this entry we will learn how to set up the Key Vault and its secure access from the function app. In the next part we will learn how to test the Key Vault access using the function app we granted access to.

Simply start typing "key" in the search bar of the Azure portal and select "Key vaults".

Step 1: Creating a Key Vault

Step 2: Add an access policy

On the next screen, select "Azure role-based access control" as the permission model and hit "Review and Create" at the bottom of the screen. I strongly advise you to use "Tags" to provide more information about the Key Vault resource if you are in a production environment.

Make sure to hit the "Create" button after the validation is successful.

Once the resource is created you should see a confirmation message. Hit the "Go to resource" button.

Step 3: Enabling a managed identity for the function app that needs access to the Key Vault

If you remember, we decided to allow an Azure function to access the Key Vault. In order for any cloud resource to access another cloud resource using RBAC (Role-Based Access Control), the resource that needs access must have an identity. So we are going to enable an identity for the function app.

Assuming that you have already created your function app, open it in the portal.

Type "Identity" in the search bar to open the options. Set the status to "On" and hit the "Save" button.

Now let's come back to the Key Vault resource that we created in Step 1.

Step 4: Assign roles

Click the "Access Control (IAM)" option on the blade and then click "Add role assignment".

Observe that the "Read" role is selected. Now click the "Next" button at the bottom of the screen.

Now select "Managed identity" and click "+ Select members".

Step 5: Select the resource that will be using the managed identity

When you click "+ Select members" in the previous step, a panel opens on the side where you can select the resource.

In our case, we select "Function App". As soon as we do that, we get the name of the function app that has the managed identity enabled from Step 3.

Now select the function app and hit "Select".

You should now see the function app added as a member of the role assignment on the Key Vault.

Step 6: Review and assign the role

Now that everything is in place, let's hit the "Review and assign" button to give the function app read rights on the Key Vault so it can retrieve secrets during execution.
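The six portal steps above, condensed into an Azure CLI script so the same setup can be reviewed and repeated. This is an added example and not the article's own code: the resource group, region, vault and function app names are assumed placeholders (override them through environment variables), and the script assigns the built-in "Key Vault Secrets User" role, which is the data-plane role that permits reading secret values; the control-plane Reader role on its own does not let the function app read a secret. The assignment is scoped to the single vault's resource id rather than the resource group or subscription, which keeps the function app's access to the least it needs.

```shell
#!/bin/sh
# Azure CLI equivalent of the portal steps (added example, not the article's code).
# Names below are assumed placeholders: override them via environment variables.
set -eu

RG="${RG:-rg-keyvault-demo}"                # assumed resource group name
LOCATION="${LOCATION:-eastus}"              # assumed region
VAULT="${VAULT:-kv-demo-placeholder}"       # assumed vault name (must be globally unique)
FUNCAPP="${FUNCAPP:-func-demo-placeholder}" # assumed function app name
# Data-plane role that allows reading secret values; the control-plane Reader role does not.
ROLE="Key Vault Secrets User"

# DRY_RUN=1 prints each az command instead of executing it, so the plan can be
# reviewed before anything in the subscription is changed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-2: create the vault with Azure RBAC (not access policies) as its permission model.
create_vault() {
  run az keyvault create --name "$VAULT" --resource-group "$RG" \
    --location "$LOCATION" --enable-rbac-authorization true
}

# Step 3: enable the system-assigned managed identity on the function app.
# Prints the identity's principal (object) id, which the role assignment needs.
enable_identity() {
  run az functionapp identity assign --name "$FUNCAPP" --resource-group "$RG" \
    --query principalId -o tsv
}

# Resource id of the vault, used as the narrowest possible scope for the assignment.
vault_scope() {
  run az keyvault show --name "$VAULT" --resource-group "$RG" --query id -o tsv
}

# Steps 4-6: grant the managed identity the secrets-reading role on this vault only.
assign_role() {
  principal_id="$1"
  scope="$2"
  run az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "$ROLE" --scope "$scope"
}

# Verification: list the role names the identity actually holds at vault scope.
check_assignment() {
  principal_id="$1"
  scope="$2"
  run az role assignment list --assignee "$principal_id" --scope "$scope" \
    --query "[].roleDefinitionName" -o tsv
}

main() {
  create_vault
  if [ "${DRY_RUN:-0}" = "1" ]; then
    # In plan mode the ids are not known yet, so show the commands with placeholders.
    enable_identity
    vault_scope
    pid="<principalId-from-step-3>"
    scope="<vault-resource-id>"
  else
    pid=$(enable_identity)
    scope=$(vault_scope)
  fi
  assign_role "$pid" "$scope"
  check_assignment "$pid" "$scope"
}

# Usage: `sh keyvault-rbac.sh plan` prints the commands; after `az login`,
# `sh keyvault-rbac.sh apply` executes them.
case "${1:-}" in
  plan)  DRY_RUN=1; main ;;
  apply) main ;;
esac
```

Run the script with `plan` first and read the printed commands; only then run `apply`. The final `az role assignment list` call is the check that Step 6 actually took effect: the output should name "Key Vault Secrets User" for the function app's identity.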

Key learnings to remember:

  1. Azure Key Vault provides encrypted storage for your application secrets and facilitates easy and secure access to them.
  2. You can restrict and limit access to your secrets with role-based access control.
  3. Azure provides SDKs for your preferred programming language that make it easy to authenticate and retrieve the decrypted values for use further down in your application.

I hope this helps you design secure solutions on the cloud. Don't forget to check this space for part 2 of this entry, with a demo of how the function app retrieves the secret during execution.

You can follow me on Medium to get notifications about new articles.

Thank you.
