Secrets are meant to be kept safe. This is especially true if those secrets are of sensitive nature -- like passwords, storage account access, and API authorization keys. If your secrets are kept in the production version of your application configuration and versioned in source control, this is creating a couple of issues:
- Developers have access to production credentials. You typically want to only give access to credentials on an as-needed basis. For example, a team creating a credit card processing application does not normally need the credentials to the production payment gateway. Imagine if the whole team was able to get the production credentials because it was checked into source control. They could then write rogue programs that integrate with the gateway and issue refunds for example.
- Administrators are dependent on developers to access important information. Administrators who need to rebuild and deploy the application must rely on developers to rotate service account passwords or API keys. This creates an unnecessary dependency.
In this post, I’m going to provide some suggestions on how to store your secrets better using Azure Key Vault and Managed Service Identities.
Azure Key Vault
Organizations and development teams today are moving in a direction where they want to keep production service account passwords out of source control and away from the developers. At the same time, they need the flexibility to securely rotate keys without application downtime.
Azure Key Vault is a cloud service that safeguards encryption keys and secrets (such as certificates, connection strings, and passwords). Essentially, it serves as a wallet, providing separation between the application and the cryptography needed by that application. For example, an application may need to connect to a database. Instead of storing the connection string in the app’s code, you can store it securely in Key Vault. By not having to store security information in the application, you can significantly reduce the chances that secrets may be accidentally leaked.
In addition to centralizing and securely storing secrets, Azure Key Vault simplifies the administration and management of secrets. Through the Azure portal, administrators can easily change passwords without requiring a developer. They can also create separate Key Vaults and control access to them appropriately. For example, you may have a Key Vault designed to store the credentials for all dev and test services which the development teams can access. And then you could have a production Key Vault that only a few sys admins and the production applications themselves can access.
Managed Service Identities
Azure Key Vault provides a way to securely store secrets and credentials, but there still needs to be a credential exchange for the application to retrieve them. Invariably, this sets you back to square one, in which the master Key Vault access credential was stored in the application configuration and source control.
Managed Service Identities work in conjunction with Key Vault to solve this problem. With Managed Service Identities, you can now give your application infrastructure (i.e. virtual machines and web apps) an identity that is permitted to access the Key Vault. This ensures your application does not need to be given credentials to Key Vault.
What this could look like is your sys admin manages the resources, their identities, and permissions to access the Key Vaults, as well as other services such as databases and storage accounts. As long as the application is running on one of these services, which has a Managed Service Identity, access can be granted to resources at a very granular level without requiring the application to exchange credentials with the resource. Key rotation is very easy by simply going into the Azure portal and using the graphical interface to update a key's value. You now have an application where the secrets are out of source control and the developers don’t have access to them.
Azure Key Vault is an excellent solution for securely storing your secrets. In addition, Managed Service Identity helps to simplify the management of your resources, their identities, and permissions to access Key Vaults without a developer’s intervention. For teams looking to migrate their applications to Azure, I strongly encourage you to consider Key Vaults and Managed Service Identity as a solution to securely store and manage your sensitive information.
If you’d like to learn more about how to improve your DevOps capabilities and secrets management strategies, contact us to discuss your unique business requirements and challenges.