
Four times Azure KeyVault

Azure Key Vault from App Services and Azure Functions (Link)

Apps hosted in App Service and Azure Functions can now simply define a reference to a secret managed in Key Vault as part of their application settings. The app’s system-assigned identity is used to securely fetch the secret and make it available to the app as an environment variable. This means that teams can just replace existing secrets stored in app settings with references to the same secret in Key Vault, and the app will continue to operate as normal.
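The reference syntax itself is what an operator ends up reviewing in a configuration export, so here is an added example (not from the original post, and not Microsoft's code) that parses the two documented Key Vault reference forms, `@Microsoft.KeyVault(SecretUri=...)` and `@Microsoft.KeyVault(VaultName=...;SecretName=...;SecretVersion=...)`, and audits an app-settings dictionary for secret-looking settings that still hold a literal value instead of a reference. The sample settings and vault name are constructed for the example; the name heuristic for "secret-like" settings is an assumption, not a platform rule.

```python
import re
from urllib.parse import urlparse

# Constructed sample settings: an app part-way through replacing literal
# secrets with Key Vault references. Every value here is made up.
SAMPLE_APP_SETTINGS = {
    "SqlPassword": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/SqlPassword/)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=example-kv;SecretName=ApiKey;SecretVersion=abc123)",
    "StorageKey": "not-a-real-key-just-a-literal",
    "PinnedSecret": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/Pinned/1a2b3c)",
    "WEBSITE_NODE_DEFAULT_VERSION": "~18",
}

_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
# Assumed heuristic: setting names that usually carry credentials.
_SECRET_LIKE = re.compile(r"(password|secret|key|token|connectionstring)", re.I)


def parse_keyvault_reference(value):
    """Return {'vault', 'secret', 'version'} for a Key Vault reference, else None."""
    m = _REF_RE.match(value.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(";"):
        if "=" not in part:
            return None  # malformed reference body
        k, v = part.split("=", 1)
        fields[k.strip()] = v.strip()
    if "SecretUri" in fields:
        u = urlparse(fields["SecretUri"])
        segs = [s for s in u.path.split("/") if s]
        if u.scheme != "https" or len(segs) < 2 or segs[0] != "secrets":
            return None
        # A trailing '/' with no version segment means "latest version".
        return {"vault": u.hostname, "secret": segs[1],
                "version": segs[2] if len(segs) > 2 else None}
    if "VaultName" in fields and "SecretName" in fields:
        return {"vault": f"{fields['VaultName']}.vault.azure.net",
                "secret": fields["SecretName"],
                "version": fields.get("SecretVersion")}
    return None


def audit_app_settings(settings):
    """Classify each setting: reference, reference-pinned, literal-secret or plain."""
    report = {}
    for name, value in settings.items():
        ref = parse_keyvault_reference(value)
        if ref is not None:
            # Pinned references stop receiving rotated values until updated.
            report[name] = "reference-pinned" if ref["version"] else "reference"
        elif _SECRET_LIKE.search(name):
            report[name] = "literal-secret"
        else:
            report[name] = "plain"
    return report


if __name__ == "__main__":
    for name, status in audit_app_settings(SAMPLE_APP_SETTINGS).items():
        print(f"{name}: {status}")
```

Settings reported as `literal-secret` are the ones still worth moving to Key Vault; `reference-pinned` settings keep working but will not pick up a rotated secret until the reference is changed, which is why the post recommends the versionless form.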

Azure Key Vault from Logic App

This Logic App first calls Azure Key Vault. The call is authenticated with the managed identity enabled at the Logic App level, so the workflow definition itself holds no credential for the vault.

The secret retrieved from Key Vault is an API Management subscription key, which is then used in the subsequent call to the API Management service.

"HTTP_get_apim_subscription_key_from_vault": {
    "inputs": {
        "authentication": {
            "audience": "https://vault.azure.net",
            "type": "ManagedServiceIdentity"
        },
        "method": "GET",
        "queries": {
            "api-version": "2016-10-01"
        },
        "uri": "https://ipaas-np-kv.vault.azure.net/secrets/ipaas-[env]-[system]ws-apim-subscriptionkey/"
    },
    "runAfter": {
        "Get_Soapheader_[system]ws": [
            "Succeeded"
        ]
    },
    "type": "Http"
},

"HTTP_call_[system]_RelatieLezen": {
    "inputs": {
        "headers": {
            "Ocp-Apim-Subscription-Key": "@{body('HTTP_get_apim_subscription_key_from_vault')?['value']}"
        },
        "method": "POST",
        "uri": "https://[apim-host]/[api-path]"
    },
    "runAfter": {
        "HTTP_get_apim_subscription_key_from_vault": [
            "Succeeded"
        ]
    },
    "type": "Http"
}

Azure Key Vault from ARM template

This template contains an Event Grid subscription that uses a service principal (with a client ID and client secret). The client secret of the service principal is retrieved from Azure Key Vault. In our DevOps release pipeline we use an orchestrator that first calls an ARM template to retrieve the client secret from Azure Key Vault.

{
    "apiVersion": "2017-05-10",
    "name": "[system]-egtsub-conn",
    "metadata": {
        "description": "Connectie om te abonneren op de Event Grid"
    },
    "type": "Microsoft.Resources/deployments",
    "dependsOn": [
    ],
    "properties": {
        "mode": "Incremental",
        "parameters": {
            "Naam": {
                "value": "[variables('EGTSubConnNaam')]"
            },
            "ServicePrincipalClientId": {
                "value": "[parameters('ServicePrincipalClientId')]"
            },
            "ServicePrincipalClientSecret": {
                "reference": {
                    "keyVault": {
                        "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('iPaasKeyVaultResourceGroupNaam'), '/providers/Microsoft.KeyVault/vaults/', parameters('iPaasKeyVaultNaam'))]"
                    },
                    "secretName": "[parameters('ServicePrincipalNaam')]"
                }
            }
        },
        "templateLink": {
            "uri": "[concat(parameters('CICDStorageAccount'), 'connections/egtsub-conn.json', parameters('CICDStorageAccountSASToken'))]",
            "contentVersion": "1.0.0.0"
        }
    }
}

Next, the orchestrator calls an ARM template that creates the API connection which subscribes to an Event Grid topic.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "Naam": {
            "type": "string"
        },
        "ServicePrincipalClientId": {
            "type": "string",
            "metadata": {
                "description": "Clientid van de service principal."
            }
        },
        "ServicePrincipalClientSecret": {
            "type": "string",
            "metadata": {
                "description": "ClientSecret van de service principal"
            }
        }
    },
    "variables": {
    },
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "location": "westeurope",
            "name": "[parameters('Naam')]",
            "properties": {
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/westeurope/managedApis/azureeventgrid')]"
                },
                "displayName": "[parameters('Naam')]",
                "parameterValues": {
                    "token:clientId": "[parameters('ServicePrincipalClientId')]",
                    "token:clientSecret": "[parameters('ServicePrincipalClientSecret')]",
                    "token:TenantId": "[subscription().tenantId]",
                    "token:grantType": "client_credentials"
                }
            }
        }
    ]
}
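Two things a reviewer checks in templates like the pair above are that secret-carrying parameters are declared `securestring` (a plain `string` parameter value is recorded in the deployment history) and that nested deployments pass secrets as a Key Vault `reference` rather than a literal `value`. The following added example (mine, not the post's or Microsoft's tooling) is a small linter that walks a template for both. The two embedded templates are constructed, trimmed-down stand-ins for the ones above, with one extra literal parameter added so the second check has something to find; the secret-name heuristic is an assumption.

```python
import json
import re

# Assumed heuristic for parameter names that carry credentials.
SECRET_NAME_RE = re.compile(r"(secret|password|key|token)", re.I)

# Constructed: a minimal outer template with one nested deployment, modelled on
# the orchestrator fragment above. 'LegacyApiKey' is added here to show a finding.
OUTER_TEMPLATE = json.loads("""{
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2017-05-10",
      "name": "example-egtsub-conn",
      "properties": {
        "mode": "Incremental",
        "parameters": {
          "ServicePrincipalClientId": { "value": "[parameters('ServicePrincipalClientId')]" },
          "ServicePrincipalClientSecret": {
            "reference": {
              "keyVault": { "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('iPaasKeyVaultNaam'))]" },
              "secretName": "[parameters('ServicePrincipalNaam')]"
            }
          },
          "LegacyApiKey": { "value": "literal-placeholder-not-a-real-key" }
        },
        "templateLink": { "uri": "https://example.invalid/egtsub-conn.json", "contentVersion": "1.0.0.0" }
      }
    }
  ]
}""")

# Constructed: the parameter section of the inner connection template.
INNER_TEMPLATE = json.loads("""{
  "parameters": {
    "Naam": { "type": "string" },
    "ServicePrincipalClientId": { "type": "string" },
    "ServicePrincipalClientSecret": { "type": "string" }
  },
  "resources": []
}""")


def lint_parameter_types(template):
    """Flag secret-like parameters that are not securestring/secureObject."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        if SECRET_NAME_RE.search(name) and ptype not in ("securestring", "secureobject"):
            findings.append(
                f"parameter '{name}' is type '{spec.get('type')}'; declare it securestring "
                f"so the value is not kept in the deployment history")
    return findings


def lint_nested_deployments(template):
    """Flag nested-deployment parameters that pass a secret as a literal value."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deployments":
            continue
        params = res.get("properties", {}).get("parameters", {})
        for name, spec in params.items():
            if not SECRET_NAME_RE.search(name):
                continue
            if "keyVault" in spec.get("reference", {}):
                continue  # resolved by ARM from Key Vault at deploy time
            findings.append(
                f"deployment '{res.get('name')}' passes '{name}' as a literal value; "
                f"use a Key Vault reference instead")
    return findings


def lint_template(template):
    """All findings for one template document."""
    return lint_parameter_types(template) + lint_nested_deployments(template)


if __name__ == "__main__":
    for finding in lint_template(OUTER_TEMPLATE) + lint_template(INNER_TEMPLATE):
        print(finding)
```

Run against the page's own inner template the first check reports `ServicePrincipalClientSecret`, since it is declared as `string`; the outer template's `ServicePrincipalClientSecret` passes the second check because it is a `reference`.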

Azure Key Vault from API Management (Link)

As we are going to retrieve the secret from Key Vault, we will assign a managed identity to API Management, which we then give permission to get the secrets. First, enable managed identity on your API Management.

Once enabled, the next step is to assign the required permissions to this new identity in Azure Key Vault. We do this in the Access policies blade, where we provide Get permissions for the secrets.

Next we can grab the endpoint of our secret from Azure Key Vault. Remember, you can use the endpoint without a version, which allows us to always get the latest version of the secret.

Finally, we can create the API Management policies. The first policy calls the Azure Key Vault endpoint and stores a user password in a variable named passwordResponse:

<send-request ignore-error="false" timeout="20" response-variable-name="passwordResponse" mode="new">
    <set-url>https://kv-we-retrieve-kv-secret.vault.azure.net/secrets/MySecretValue/?api-version=7.0</set-url>
    <set-method>GET</set-method>
    <authentication-managed-identity resource="https://vault.azure.net" />
</send-request>

Next, we add a basic authentication (username/password) header to the backend service call. The complete policy now looks like this:

<policies>
    <inbound>
        <base />
        <send-request ignore-error="false" timeout="20" response-variable-name="passwordResponse" mode="new">
            <set-url>https://kv-we-retrieve-kv-secret.vault.azure.net/secrets/MySecretValue/?api-version=7.0</set-url>
            <set-method>GET</set-method>
            <authentication-managed-identity resource="https://vault.azure.net" />
        </send-request>
        <set-backend-service base-url="https://[service]" />
        <authentication-basic username="myusername" password="@{ var secret = ((IResponse)context.Variables["passwordResponse"]).Body.As<JObject>(); return secret["value"].ToString(); }" />
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
</policies>
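The Logic App action and the APIM policy above perform the same exchange: obtain a managed-identity token for the audience `https://vault.azure.net`, call `GET https://{vault}/secrets/{name}/?api-version=...` with it as a bearer token, and read the `value` field of the JSON response (the APIM policy then turns that value into a Basic auth header). The added example below, written for this page and not part of the original post or of any Microsoft SDK, walks through that flow in plain Python so each step is visible. It assumes the App Service / Functions identity endpoint contract (`IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables, `X-IDENTITY-HEADER` request header, `api-version=2019-08-01`), which is the documented one; the endpoint URL, identity header, token, vault name and secret used here are constructed so the flow runs offline, and `fake_http_get` is an in-memory stand-in for both services.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Audience named by both the Logic App action and the APIM policy.
VAULT_AUDIENCE = "https://vault.azure.net"


def build_secret_url(vault_host, secret_name, api_version="7.0", version=None):
    """GET-secret URL. With no version segment (trailing '/') Key Vault returns
    the latest enabled version, which is what both policies on the page rely on."""
    path = f"/secrets/{secret_name}/" if version is None else f"/secrets/{secret_name}/{version}"
    return f"https://{vault_host}{path}?api-version={api_version}"


def get_managed_identity_token(http_get, resource, identity_endpoint, identity_header):
    """Token from the App Service / Functions identity endpoint for `resource`.
    In a real app: identity_endpoint = os.environ['IDENTITY_ENDPOINT'],
    identity_header = os.environ['IDENTITY_HEADER']."""
    url = identity_endpoint + "?" + urlencode({"resource": resource, "api-version": "2019-08-01"})
    status, body = http_get(url, {"X-IDENTITY-HEADER": identity_header})
    if status != 200:
        raise RuntimeError(f"token request for {resource} failed with HTTP {status}")
    return json.loads(body)["access_token"]


def get_secret_value(http_get, token, vault_host, secret_name, version=None):
    """GET the secret and return its 'value'; fail loudly when it is missing
    (the Logic App expression ?['value'] would silently produce null instead)."""
    url = build_secret_url(vault_host, secret_name, version=version)
    status, body = http_get(url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"Key Vault returned HTTP {status} for secret {secret_name}")
    doc = json.loads(body)
    if "value" not in doc:
        raise RuntimeError("Key Vault response carries no 'value' field")
    return doc["value"]


def basic_auth_header(username, password):
    """Authorization header value that APIM's authentication-basic policy emits."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def urllib_http_get(url, headers):
    """Real transport, returning (status, body); not used by the offline demo."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


# --- Constructed stand-ins for the identity endpoint and the vault (not real) ---
FAKE_IDENTITY_ENDPOINT = "https://identity.example.invalid/msi/token"
FAKE_IDENTITY_HEADER = "constructed-identity-header"
FAKE_TOKEN = "constructed-token-not-a-real-jwt"
FAKE_VAULT = "example-kv.vault.azure.net"
FAKE_SECRETS = {"MySecretValue": {"value": "s3cr3t-placeholder",
                                  "id": f"https://{FAKE_VAULT}/secrets/MySecretValue/0123"}}


def fake_http_get(url, headers):
    """Serves the two endpoints from memory, enforcing the checks the real ones make."""
    u = urlparse(url)
    q = parse_qs(u.query)
    if u.hostname == "identity.example.invalid":
        if headers.get("X-IDENTITY-HEADER") != FAKE_IDENTITY_HEADER:
            return 401, "{}"
        if q.get("resource") != [VAULT_AUDIENCE]:  # token is bound to one audience
            return 400, json.dumps({"error": "unexpected resource"})
        return 200, json.dumps({"access_token": FAKE_TOKEN, "resource": VAULT_AUDIENCE})
    if u.hostname == FAKE_VAULT:
        if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
            return 401, json.dumps({"error": {"code": "Unauthorized"}})
        name = [s for s in u.path.split("/") if s][1]
        if name not in FAKE_SECRETS:
            return 404, json.dumps({"error": {"code": "SecretNotFound"}})
        return 200, json.dumps(FAKE_SECRETS[name])
    return 404, ""


def demo(http_get=fake_http_get):
    """Whole flow: identity token -> latest secret -> Basic auth header for the backend."""
    token = get_managed_identity_token(http_get, VAULT_AUDIENCE,
                                       FAKE_IDENTITY_ENDPOINT, FAKE_IDENTITY_HEADER)
    password = get_secret_value(http_get, token, FAKE_VAULT, "MySecretValue")
    return basic_auth_header("myusername", password)


if __name__ == "__main__":
    print(demo())
```

Swap `fake_http_get` for `urllib_http_get` and read the endpoint and header from the environment to run it inside a real App Service or Function; the rest of the flow is unchanged. Note that asking the identity endpoint for any resource other than `https://vault.azure.net` yields a token the vault will reject, which is why both policies on the page spell out that audience.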