Friday 16 March 2018

Azure Key Vault, Managing Secrets with AAD

Azure Key Vault is a cryptographic key management service built on FIPS-validated hardware security modules (HSMs). It is a public Azure service that is intended to become, over time, the trust root for important Microsoft first-party services, for third-party services seeking to offer higher assurances, and for your own custom line-of-business (LOB) applications hosted in Azure. The offering consists of the Azure Key Vault service itself, a SQL Server Connector, and a CloudLink SecureVM integration.

You can talk to Azure Key Vault in many ways: through MasterKey (the small tool used below), PowerShell, .NET, the REST API, Java and so on.

In this post I walk through, end to end, how to create a "Secret" in Azure Key Vault and retrieve it from the console.

Step 1 - Create a Vault for your keys and secret in Azure




Step 2 - Create the Secret (some kind of connection string or key from a provider). I called mine HMAC.


Step 3 - Probably the hardest part: finding all the bits and pieces needed to retrieve the secret. To get the "Secret" out of Azure Key Vault you need to authenticate, and that authentication is provided by Azure Active Directory. So the next step is to register our application (the one that will be using Azure Key Vault) in AAD. Let's go for it:
Azure Active Directory-> App Registrations -> New application registration

Step 4 - Now get the Application ID, also called the ClientID. (For security reasons some information has been blanked out in the screenshot, but as long as you have your own ClientID you will be fine.)

Step 5 - The next thing we need is the ClientSecret. Go to Settings->Keys, give the key a name and a duration, and save. A key value is generated automatically: that is your ClientSecret! Copy it straight away; the portal shows it only once, and if you lose it you have to generate a new key.


Step 6 - We are almost there with Azure. We just need to tell Key Vault to grant our Azure Active Directory application access, so it can read the secrets. This access policy is what actually authorises the data-plane call: without it AAD will still issue a token for the application, but Key Vault answers the request with Forbidden. Grant only the secret permissions the application needs (Get is enough for this walkthrough).
Home->Your Key Vault->Access Policies



Step 7 - In our application's registration in Azure Active Directory we also declare that the application wants to call the Azure Key Vault API (this is the app asking for permission to use Key Vault, not Key Vault accessing the app). Go to Azure Active Directory->App registrations-> [Our App Name] -> Settings -> Required Permissions-> Add -> Select API -> Azure Key Vault



Step 8 - Select the delegated permission for the service and save.


Step 9 - A JSON file needs to be created for "MasterKey" (the program in charge of retrieving the secret); see below. Save it as azuresecret.json in the folder C:\usr\local\.masterkey\ .

Replace my ClientID with yours
Replace my ClientSecret with yours
Replace the vaultUri with the URL of your own vault

Bear in mind that this file now holds your ClientSecret in clear text. Restrict its file permissions to the account that runs MasterKey and keep it out of source control: whoever can read this file can read every secret the access policy from Step 6 allows.


{
  "nodeAppName":{
    "clientId":"8586f230-AAAA-40d1-9eeb-574459b35077",
    "clientSecret": "JTqMWnQPOncAAOc11x52oIAlHYp71iCajba5lXSAAok=",
    "vaultUri": "https://my.vault.azure.net/"
  }
}


Step 10 - Install MasterKey:

Step 11 - Run it with your Key Vault URL; this should be the result:
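The walkthrough above, as a stand-alone script I have added here (it is not the MasterKey tool nor any Microsoft code) that does by hand what MasterKey does for you: it reads the azuresecret.json layout from Step 9, asks Azure Active Directory for a token with the ClientID and ClientSecret (the OAuth2 client-credentials grant against the v1 token endpoint, with resource https://vault.azure.net), then calls the Key Vault REST API to GET the secret. It assumes Key Vault REST api-version 2016-10-01 and needs one value the post's JSON does not carry: the AAD tenant ID (the Directory ID under Azure Active Directory -> Properties). The secret name HMAC, the tenant placeholder and the response bodies mentioned in comments are constructed for illustration.

```python
"""Added example: fetch a Key Vault secret with an AAD service principal
through the raw REST flow. Assumptions: the post's azuresecret.json layout,
the AAD v1 token endpoint, Key Vault api-version 2016-10-01, and a tenant
(Directory) ID that the post's JSON file does not contain."""
import json
import urllib.error
import urllib.parse
import urllib.request

AAD_AUTHORITY = "https://login.microsoftonline.com"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # AAD resource ID of the Key Vault data plane
KV_API_VERSION = "2016-10-01"


def load_masterkey_config(text, app_name="nodeAppName"):
    """Parse the post's azuresecret.json and return (clientId, clientSecret, vaultUri)."""
    cfg = json.loads(text)[app_name]
    return cfg["clientId"], cfg["clientSecret"], cfg["vaultUri"].rstrip("/")


def build_token_request(tenant_id, client_id, client_secret):
    """(url, form body) for the OAuth2 client-credentials grant against AAD v1."""
    url = f"{AAD_AUTHORITY}/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": KEY_VAULT_RESOURCE,  # token audience: Key Vault, not Graph or ARM
    }).encode()
    return url, body


def build_secret_url(vault_uri, secret_name, version=""):
    """Data-plane URL: GET {vault}/secrets/{name}[/{version}]?api-version=..."""
    path = "/secrets/" + urllib.parse.quote(secret_name)
    if version:
        path += "/" + version
    return f"{vault_uri}{path}?api-version={KV_API_VERSION}"


def parse_token_response(body):
    """AAD returns {"access_token": ...} on success, {"error": ..., "error_description": ...} otherwise."""
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError(f"AAD token error: {data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def parse_secret_response(body):
    """Return (value, id). A missing access policy (Step 6) arrives here as a 403
    body {"error": {"code": "Forbidden", ...}}, not as a transport failure."""
    data = json.loads(body)
    if "value" not in data:
        err = data.get("error", {})
        raise PermissionError(f"Key Vault {err.get('code')}: {err.get('message')}")
    return data["value"], data["id"]


def _http(method, url, body=None, headers=None):
    """Minimal transport: returns (status, body text) and does not raise on 4xx,
    so the Key Vault error JSON can be parsed like any other response."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def get_secret(config_text, tenant_id, secret_name, http=_http):
    """Full flow: config -> AAD token -> GET secret. `http` is injectable for offline tests."""
    client_id, client_secret, vault_uri = load_masterkey_config(config_text)
    url, body = build_token_request(tenant_id, client_id, client_secret)
    _, token_body = http("POST", url, body,
                         {"Content-Type": "application/x-www-form-urlencoded"})
    token = parse_token_response(token_body)
    _, secret_body = http("GET", build_secret_url(vault_uri, secret_name), None,
                          {"Authorization": "Bearer " + token})
    return parse_secret_response(secret_body)


if __name__ == "__main__":
    import sys
    # usage: python kv_get.py C:\usr\local\.masterkey\azuresecret.json <tenant-id> HMAC
    with open(sys.argv[1]) as f:
        value, secret_id = get_secret(f.read(), sys.argv[2], sys.argv[3])
    print(secret_id)  # print the versioned id, not the value, so the secret stays out of logs
```

If the token call succeeds but the second call raises PermissionError with code Forbidden, the ClientID and ClientSecret are fine and it is the access policy from Step 6 that is missing; if the token call itself fails, the problem is in the app registration (Steps 3 to 5) or the tenant ID. That split is the main thing this script shows that MasterKey's single output line does not.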


Conclusion
This proof of concept should help you not just understand how Azure Key Vault works behind the scenes, but also check that your configuration is right.