- Secrets
- Securely store secrets and passwords
- Storing in code is not secure.
- Keys
- Create and control encryption keys
- E.g. for an encrypted storage integrated with e.g. Azure Storage
- Each key can have activation & expiration date
- Creating a key
- Can generate & import or restore from a backup
- Certificates: Provision, manage and deploy public and private SSL/TLS certificates
- Controlled through:
- Management plane
- Manage Key Vault itself, e.g. create & delete vaults
- Uses Azure Resource Manager role-based access control (RBAC)
- Data plane
- Working with key stored in the vault
- Uses Key Vault access policy
- Management plane
- Using CLI:
- Create:
az keyvault create --name "Contoso-Vault2" --resource-group "ContosoResourceGroup" --location eastus - Add a secret:
az keyvault secret set --vault-name "Contoso-Vault2" --name "ExamplePassword" --value "hVFkk965BuUv" - Show a secret:
az keyvault secret show --name "ExamplePassword" --vault-name "Contoso-Vault2"
- Create:
-
On vault level
-
Each policy has:
- A principle: Can be a user or an application
- Key permissions
- Key Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
- Cryptographic Operations: Decrypt, encrypt, unwrap key, wrap key, verify, sign
- Privileged Key Operations: Purge
- Secret permissions
- Secret Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
- Privileged Secret Operations: Purge
- Certificate permissions
- Certificate Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Manage Contacts, Manage Certificate Authorities, Get Certificate Authorities, List Certificate Authorities, Set Certificate Authorities, Delete Certificate Authorities
- Privileged Certificate Operations: Purge
-
📝 Retrieve using PowerShell:
- Key:
$keyUrl = (Get-AzureKeyVaultKey -VaultName "testvault" -Name "keyname").Key.Kid - Secret:
$secretText = (Get-AzureKeyVaultSecret -VaultName "testvault" -Name "secretname").SecretValueText
- Key:
-
📝Reference it in an ARM template:
{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "adminLogin": { "value": "exampleadmin" }, "adminPassword": { "reference": { "keyVault": { "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>" }, "secretName": "ExamplePassword" } }, "sqlServerName": { "value": "<your-server-name>" } } }
- Using RBAC
- Ensure entity to give access to user/application exists:
- For application
- Create service principal
az ad sp create-for-rbac -n "http://mySP"
- Create service principal
- For users, you can add following to RBAC list of the vault:
- Add individual users (not recommended)
- 💡 Add AD groups (recommended)
- For application
- Then give your principal access to the vault:
az keyvault set-policy -n <your-unique-keyvault-name> --spn <ApplicationID-of-your-service-principal> --secret-permissions get list set delete --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
- Ensure entity to give access to user/application exists:
- Using managed identity
- In application => add system-assigned identity
- E.g. for web-app:
az webapp identity assign --name myApp --resource-group myResourceGroup - Or Identity section on portal.
- E.g. for web-app:
- In key vault => Allow access:
az keyvault set-policy --name myKeyVault --object-id <PrincipalId> --secret-permissions get list
- In application => add system-assigned identity