What is it ?
Azure key vault is key management and secret management service from Azure for securely storing and accessing passwords, certificates, encryption keys, etc. The secrets and keys can be protected either by software or FIPS 140-2 Level 2 validated HSMs.
Why use it ?
Azure key vault provides a way to securely store and access the keys and secrets. It comes with below mentioned pros:
- Decoupling the configuration from application, application does not need to hold the secrets directly, thus making some operations like rotating keys are easier.
- Centralized application secrets, the distribution of secrets can be controlled, as all the secrets are safe at one place. It also makes administration simple.
- Securely storing the secrets, the key vault is able to store the secrets either in software or in HSMs. There are means in place to authenticate and authorize the access requests. The authentication is done via Azure AD, while the authorization can be performed using RBAC or key vault access policy
- Monitoring, you can enable the logs and can monitor the usage of the secrets
Before continuing to creating the service instance, let’s understand few terms:
- Tenant, an organization that owns and manages a specific instance of Microsoft cloud services
- Vault Owner, creates the key vault and has full access to it. Owner can set up auditing and can control key life cycle.
- Vault Consumer, can perform actions on the key vault, provided the actions are granted by owner.
- Resource, any manageable item that is available in Azure
- Resource Groups, a logical container that holds related resources for an Azure solution
- Azure AD, the identity and access management service from Azure
- Azure AD tenant ID, a unique id that identifies the Azure AD tenant
- Managed identities, the consumers need to authenticate themselves before accessing the secrets from key vault. Key vault solves hit problem by automatically creating a managed identity for the consumer in Azure AD.
- Service principal, An Azure service principal is a security identity that user-created apps, services, and automation tools use to access specific Azure resources. Think of it as a “user identity” (username and password or certificate) with a specific role, and tightly controlled permissions.
Now, lets get back to our main business, let’s create the key vault instance.
Create using Azure Portal
Creating key vault is a four step process,
- provide name, resource groups, location for the key vault
- Access policies to setup who can access the secrets
- Networking to enable / disable the endpoints
- Tags, just to add meta data tags on the resources
So, below is how the first step in the wizard looks like. Below are the details that need to be filled in
- Subscription, a valid Azure subscription under which the instance should be created
- Resource Group, a logical container for holding the resource
- Key vault name, a globally unique name for the key vault
- Region, an Azure region where the instance would be physically located
- Pricing tier, Standard or Premium pricing tiers
- Soft delete, option to recover deleted vaults or deleted keys or secrets from the key vault as long as the retrieval is within the retention limit
- Retention period, number of days to recover soft-deleted items
- Purge protection, irreversible setting, if this is enabled, then the soft deleted items cannot be purged until retention period has passed
There are three more screens for access policy, networking and tags. But let’s keep them to defaults. So just click on Review + Create button.
If any of the input validation fails, the review screen will show the validation errors. Otherwise it will show Create button, click on it.
The deployment will be done almost instantaneously.
Create using Azure CLI
I hope this article provides basic information about creating the key vault. Let me know your thoughts.