Secure Key Access with Azure Key Vault

Azure Security
6e40d42d2a4d.png

Introduction

 

 

Azure Key Vault is a cloud service that provides a secure store for secrets, keys, and certificates. It is designed to help you safeguard cryptographic keys and secrets used by cloud applications and services. This guide demonstrates how to use Azure Key Vault to securely store an Azure AI services key and access it from an application using a service principal. This method enhances security by avoiding the need to store keys directly in application code or configuration files.

 

 

 

Why Use Azure Key Vault?

 

 

When managing secrets, keys, and certificates, ensuring their security is paramount. Azure Key Vault offers numerous advantages for this purpose, making it an essential tool for modern cloud applications.

 

 

 

Key Benefits

 

  1. Centralized Secret Management: Azure Key Vault allows you to manage all your secrets, keys, and certificates in a single, secure location. This centralization simplifies management and improves security.
  2. Enhanced Security: Secrets and keys are stored in a hardware security module (HSM), which provides a higher level of security compared to storing them in environment variables or configuration files.
  3. Access Control: Azure Key Vault provides fine-grained access control, allowing you to specify which users and applications can access specific secrets and keys.
  4. Simplified Development: Developers can easily integrate Azure Key Vault with their applications, reducing the need to write custom code for secret management.
  5. Monitoring and Auditing: Azure Key Vault integrates with Azure's monitoring and auditing tools, allowing you to track and log access to your secrets and keys.

 

Key Scenarios

 

Azure Key Vault is versatile and supports a wide range of use cases. Here are some scenarios where it can be particularly beneficial:

 

  1. Securely Store API Keys and Passwords: Instead of hardcoding secrets in your application code, store them securely in Azure Key Vault and retrieve them at runtime.
  2. Manage SSL/TLS Certificates: Store and manage SSL/TLS certificates used for securing web applications and services.
  3. Encrypt Data: Use cryptographic keys stored in Azure Key Vault to encrypt and decrypt data, ensuring that sensitive information is protected.
  4. Automate Secret Rotation: Regularly rotate secrets and keys to enhance security without the need to manually update them in your applications.

 

Creating a Key Vault and Adding a Secret

 

To begin leveraging the benefits of Azure Key Vault, you'll first need to create a Key Vault and add your secrets. This section will guide you through the process.

 

 

Step 1: Create a Key Vault

 

  1. Navigate to the Azure Portal.

  2. Create a new resource:

    • On the Home page, select the +Create a resource button.
    • Search for Key Vault and create a new Key Vault resource with the following settings:
      • Subscription: Your Azure subscription
      • Resource group: The same resource group as your Azure AI service resource
      • Key vault name: Enter a unique name
      • Region: The same region as your Azure AI service resource
      • Pricing tier: Standard

 

  1. Access Configuration:

    • Set the Permission model to Vault access policy.
    • In the Access policies section, select your user account.
    • Click Review + create, then Create to deploy the Key Vault.

 

Once the deployment is finished, you'll have your KEY VAULT resource available, next we can start adding keys and secrets.

 

 

 

 

 

Step 2: Add a Secret

 

With your Key Vault created, the next step is to add the Azure AI services key as a secret.

 

  1. Navigate to your Key Vault resource.
  2. Add a new secret:
    • In the left navigation pane, select Secrets under the Objects section.
    • Click + Generate/Import and add a new secret with the following settings:
      • Upload options: Manual
      • Name: AI-Services-Key
      • Value: Your Azure AI services key (key1)
    • Click Create.

 

 

 

 

The Name will be the value needed to identify the provided resource key. 

 

 

 

Creating a Service Principal

 

Now that your key is securely stored in Azure Key Vault, you'll need a way for your application to access it. This is where creating a service principal comes into play.

 

All the commands must be used inside a Powershell after being log inside Azure

 

 

Step 1: Create a Service Principal

 

  1. Open your terminal and run the following Azure CLI command, replacing placeholders with appropriate values:

az ad sp create-for-rbac -n "api://<spName>" --role owner --scopes subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>

 

  • Replace <spName> with a unique name for your application identity.
  • Replace <subscriptionId> and <resourceGroup> with your subscription ID and resource group name.

 

 

  1. Save the Output:

    • The command output includes appId, password, and tenant. Save these values securely.

 

 

Step 2: Get the Object ID

 

 

To ensure the service principal has the necessary permissions, you need to retrieve its object ID.

 

  1. Run the following command to retrieve the object ID

 

         az ad sp show --id <appId>

 

  • Replace <appId> with your service principal's app ID.
  • Copy the id value from the JSON response.

 

Step 3: Assign Key Vault Permissions

 

With the object ID in hand, the final step is to assign the appropriate permissions.

  1. Run the following command to grant the service principal access to the Key Vault secrets:

az keyvault set-policy -n <keyVaultName> --object-id <objectId> --secret-permissions get list

 

    • Replace <keyVaultName> with the name of your Key Vault.
    • Replace <objectId> with the service principal's object ID.

 

Using the Service Principal in an Application

 

With the Key Vault and service principal set up, you're now ready to integrate this configuration into your application. This ensures your application can securely access the Azure AI services key.

 

When using Python app and assuming you want to connect Azure Language Service

 

 

You can install the following package:

 

pip install azure-ai-textanalytics==5.3.0
pip install azure-identity==1.5.0
pip install azure-keyvault-secrets==4.2.0

 

 

Finally we need to set up envs variables:

 

 

AI_SERVICE_ENDPOINT=<your-ai-service-endpoint>
KEY_VAULT_NAME=<your-key-vault-name>
TENANT_ID=<your-tenant-id>
CLIENT_ID=<your-app-id>
CLIENT_SECRET=<your-client-secret>

 

 

It's time to write the application code that will use these settings to access the Key Vault and retrieve the secret.

 

 

Conclusion

 

By securely storing sensitive keys in Azure Key Vault and accessing them using a service principal, you can significantly enhance the security of your applications. This approach ensures that keys are not exposed in application code or configuration files, thereby reducing the risk of unauthorized access.

 
back to list