Most of our applications need access to other systems. This could be a database, an API, or some other external system. These resources are often secured by a user name and password, API key, or an encryption key. Often these credentials end up unencrypted in our configuration files, on the server, on the developer machine, and in source control – leaving them vulnerable to accidental leaks. In addition to these security concerns, updating the passwords is a cumbersome process as it is up to the development team to identify all applications where these credentials are used.
In our last post, we identified Azure Key Vault as a better way to protect and manage your sensitive data. To recap, here are some of the benefits of storing secrets and keys in the Azure Key Vault:
- Security: your secrets are encrypted and can only be accessed by authorized applications.
- Control: you can manage which applications have access to which secrets in your vault and the level of access.
- Updatability: your secrets only need to be updated in one place -- the Key Vault.
Up next, let’s take a closer look at how easy it is to get started with Azure Key Vault.
Creating an Azure Key Vault
Azure Key Vault is a cloud service that allows you to safeguard encryption keys and secrets (such as certificates, connection strings, and passwords). You can easily create and manage Azure Key Vaults through the Azure portal. Here’s how to get started:
1. Create your Azure Key Vault and add your keys
The first step is to create the key vault. This is the mechanism for you to store and manage sensitive information. A single Key Vault can serve one or more of your applications. Keep in mind, these applications must be registered in Azure Active Directory (AD) in order for this to work.
You can create a Key Vault the CLI or the user portal: Create a resource > Security + Identity > Key Vault
2. Add keys and secrets to you Key Vault
You can add cryptographic keys and secrets to your Key Vault within the Azure portal. For each secret or key that you add, you get a unique URI. You can then share this URI with developers, who are then able to configure the application with the URI rather than in the code itself.
Simply select All Resources > Keys or Secrets. Click add to create a new key or secret. Once created, you can set the activation and expiration dates and limit the permitted operations.
3. Managed Identity
If your application is deployed to Azure, you can use Managed identities to further secure the access to your key vault. This feature provides a way to authenticate to Key Vault to retrieve the credentials, secrets, and other keys that you’ve stored in them. This enables you to keep credentials outside of the developer’s workstation and source control, thus reducing the likelihood of accidentally leaking sensitive information.
Developers looking to leverage Managed identities should check out Microsoft’s helpful breakdown of how to use Managed identities for Azure resources.
The End Result
Applications can use the Azure Key Vault once it’s been registered to Azure Active Directory (AD). At the end of registration, the cloud application is issued a ClientID and authentication key. The application then submits the ClientID and authentication key to Azure AD, which in turn issues a token back to the Application. This token is used to authenticate Key Vault.
This process provides a significantly safer alternative to hardcoding connection strings directly into the app. Here is what your code will look like:
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync("https://.vault.azure.net/secrets/AppSecret").ConfigureAwait(false);
While there are many ways to secure your application, we believe Azure Key Vault is an excellent option. In addition to its usefulness in storing secrets and keys, it also seamlessly integrates with your application, requiring minimal changes to your development process.
If you’d like to learn more about how to improve your DevOps capabilities and secrets management strategies, contact us to discuss your unique business requirements and challenges.