Managing Secrets and Certificates with Azure Key Vault

08/14/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in using Azure Key Vault to securely manage secrets (such as passwords, API keys, connection strings) and certificates (SSL/TLS). Azure Key Vault is a cloud service that provides a centralized and secure solution for storing and accessing these critical items, eliminating the need to embed them directly in code or configuration files, which is a poor security practice [1].

Introduction

In the development and operation of modern applications, managing secrets and certificates is a constant challenge. Database credentials, third-party service API keys, encryption keys, and SSL/TLS certificates are sensitive assets that, if compromised, could lead to serious data breaches. Storing them insecurely, such as in plain text files, environment variables, or directly in source code, poses a significant risk. Azure Key Vault was designed to solve these problems by providing a secure hardware-based repository (HSM) to protect these assets, tightly controlling access and simplifying lifecycle management [2].

This how-to guide will cover creating an Azure Key Vault, adding and retrieving secrets and certificates, configuring access policies, and integrating with other Azure services such as Azure App Service. Step-by-step instructions, example Azure CLI commands, and validation methods will be provided so that the reader can implement secure management of secrets and certificates, strengthening the security posture of their applications and cloud infrastructure.

Why is Azure Key Vault crucial?

  • Secure Storage: Protects secrets and encryption keys using FIPS 140-2 Level 2 validated hardware security modules (HSMs).
  • Centralized Access Control: Allows you to manage access permissions to secrets and certificates at a granular level using Azure role-based access control (RBAC) or Key Vault access policies.
  • Lifecycle Management: Facilitates secret and certificate rotation, automatic expiration, and event notification.
  • Risk Reduction: Eliminates the need to store credentials in code or configuration files, minimizing the risk of leakage.
  • Monitoring and Auditing: Records all operations performed in Key Vault, providing audit trails for compliance and security investigations.
  • Simplified Integration: Easily integrates with other Azure services, such as Azure App Service, Azure Functions, Azure Virtual Machines and Azure DevOps.

Prerequisites

To use Azure Key Vault, you will need the following items:

  1. Active Azure Subscription: An Azure subscription to create and manage resources.
  2. Administrative Access: An account with the Owner or Contributor role in the Azure subscription, or a custom role with permissions to create and manage Key Vaults.
  3. Azure CLI or Azure PowerShell: Installed and configured command-line tools to interact with Azure.
  4. Optional: Visual Studio Code: For development and integration testing.

Step by Step: Managing Secrets and Certificates with Azure Key Vault

Let's create a Key Vault, add a secret and certificate, and configure access.

1. Creating an Azure Key Vault

Let's create a Key Vault using the Azure CLI. You can also use the Azure portal.

  1. Open your terminal or PowerShell and log in to Azure:

```bash
az login
```

  2. Create a resource group (if you don't already have one):

```bash
az group create --name RG-KeyVault-Artigos --location eastus
```

  3. Create the Azure Key Vault. Choose a globally unique name for your Key Vault:

```bash
az keyvault create --name kv-artigos-seguranca-01 --resource-group RG-KeyVault-Artigos --location eastus --enabled-for-template-deployment true
```

    • --enabled-for-template-deployment true: Allows Key Vault to be used for template deployments, useful for automation.

2. Adding a Secret to Key Vault

Let's add a database password as a secret.

  1. Add a secret called DatabasePassword with an example value:

```bash
az keyvault secret set --vault-name kv-artigos-seguranca-01 --name DatabasePassword --value "S3cur3P@ssw0rd!"
```

  2. Retrieve the secret to verify that it was stored correctly:

```bash
az keyvault secret show --vault-name kv-artigos-seguranca-01 --name DatabasePassword --query value -o tsv
```

3. Adding a Certificate to Key Vault

Let's add a self-signed certificate for demonstration purposes. In production, you would use certificates from a trusted CA.

  1. Create a self-signed certificate in Key Vault:

```bash
az keyvault certificate create --vault-name kv-artigos-seguranca-01 --name MyWebAppCert --policy "$(az keyvault certificate get-default-policy)"
```

  2. Check the certificate details:

```bash
az keyvault certificate show --vault-name kv-artigos-seguranca-01 --name MyWebAppCert
```

4. Configuring Access Policies

To allow applications or users to access secrets and certificates, you need to configure access policies. Let's use Azure role-based access control (RBAC).

  1. Obtain the Object ID of the application or user who will need access. For an application (Service Principal), you can get it after registering it with Azure AD. For a user, run:

```bash
az ad user show --id <user-principal-name> --query id -o tsv
```

  2. Assign a role scoped to your Key Vault. For example, to allow an application to read secrets:

```bash
# Example: Assign the role 'Key Vault Secrets User' to a Service Principal
az role assignment create --role "Key Vault Secrets User" --assignee-object-id <Object Application/User ID> --scope /subscriptions/<Your Subscription ID>/resourceGroups/RG-KeyVault-Artigos/providers/Microsoft.KeyVault/vaults/kv-artigos-seguranca-01
```

    • Tip: For certificates, you can use the Key Vault Certificate User role.

5. Integrating with an Azure App Service (Example)

Let's demonstrate how an application can consume a secret from Key Vault.

  1. Create an Azure App Service (if you don't already have one):

```bash
az appservice plan create --name AppServicePlan-Artigos --resource-group RG-KeyVault-Artigos --sku B1 --is-linux
az webapp create --resource-group RG-KeyVault-Artigos --plan AppServicePlan-Artigos --name webapp-artigos-seguranca-01
```

  2. Enable managed identity for the App Service. This allows App Service to authenticate to Azure Key Vault without explicit credentials:

```bash
az webapp identity assign --resource-group RG-KeyVault-Artigos --name webapp-artigos-seguranca-01
```

  3. Grant the App Service managed identity permission to access the secret in Key Vault. Use the principalId returned by the previous command:

```bash
az keyvault set-policy --name kv-artigos-seguranca-01 --object-id <managed-identity-principalId> --secret-permissions get list
```

    • Tip: To use RBAC instead, assign the Key Vault Secrets User role to the principalId of the managed identity.

  4. Configure a secret reference in the App Service. This allows the application to access the secret as an environment variable:

```bash
az webapp config appsettings set --resource-group RG-KeyVault-Artigos --name webapp-artigos-seguranca-01 --settings DatabasePassword="@Microsoft.KeyVault(SecretUri=https://kv-artigos-seguranca-01.vault.azure.net/secrets/DatabasePassword/)"
```

  5. Now, your application (e.g. ASP.NET Core, Node.js) can read the DatabasePassword secret as a normal environment variable, and Azure App Service will take care of retrieving it from Key Vault in a secure way.
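Sections 1 to 5 above form a single procedure. The script below is added here as an example and is not part of the original article: it collects the article's Azure CLI commands into reusable shell functions, validates the vault name against the Key Vault naming rules before anything is created, builds the RBAC scope and the App Service Key Vault reference string from the vault name, and reads the secret value from an environment variable (DB_PASSWORD, an assumed name) so that it does not appear on the command line or in shell history. The subscription id is a placeholder, and authorization is configured with RBAC throughout (the role assignment from section 4) rather than mixing RBAC with the access policy of step 5.3. It requires a prior az login and only performs the deployment when invoked with --deploy; sourced without arguments it just defines the helpers.

```shell
#!/bin/sh
# Added example, not code from the original article. Resource names follow the
# article; the subscription id is a constructed placeholder.

KV_RG="RG-KeyVault-Artigos"
KV_LOCATION="eastus"
KV_NAME="kv-artigos-seguranca-01"
KV_APP_PLAN="AppServicePlan-Artigos"
KV_APP_NAME="webapp-artigos-seguranca-01"
KV_SUBSCRIPTION="00000000-0000-0000-0000-000000000000"   # placeholder

# Key Vault names are globally unique and must be 3-24 characters of letters,
# digits and hyphens, start with a letter, end with a letter or digit, and
# contain no consecutive hyphens. Returns 0 when the name is acceptable.
kv_validate_name() {
  name="$1"
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
  case "$name" in
    *--*) return 1 ;;          # consecutive hyphens
    [a-zA-Z]*) ;;              # must start with a letter
    *) return 1 ;;
  esac
  case "$name" in
    *[!a-zA-Z0-9-]*) return 1 ;;   # disallowed character
  esac
  case "$name" in
    *[a-zA-Z0-9]) return 0 ;;  # must end with a letter or digit
    *) return 1 ;;
  esac
}

# Resource Manager scope of the vault, used for RBAC role assignments.
kv_scope() {  # kv_scope <subscription-id> <resource-group> <vault-name>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' "$1" "$2" "$3"
}

# App Service Key Vault reference for a secret. With no version the reference
# (trailing slash, as in the article) resolves to the latest secret version.
kv_secret_ref() {  # kv_secret_ref <vault-name> <secret-name> [version]
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/%s)\n' "$1" "$2" "${3:-}"
}

# End-to-end deployment with the Azure CLI. Requires `az login` beforehand.
kv_deploy() {
  kv_validate_name "$KV_NAME" || { echo "invalid vault name: $KV_NAME" >&2; return 1; }
  : "${DB_PASSWORD:?set DB_PASSWORD in the environment (not on the command line)}"

  az group create --name "$KV_RG" --location "$KV_LOCATION"
  az keyvault create --name "$KV_NAME" --resource-group "$KV_RG" \
    --location "$KV_LOCATION" --enabled-for-template-deployment true

  # Secret and demo certificate (the article's DatabasePassword and MyWebAppCert).
  az keyvault secret set --vault-name "$KV_NAME" --name DatabasePassword --value "$DB_PASSWORD"
  az keyvault certificate create --vault-name "$KV_NAME" --name MyWebAppCert \
    --policy "$(az keyvault certificate get-default-policy)"

  # App Service with a system-assigned managed identity.
  az appservice plan create --name "$KV_APP_PLAN" --resource-group "$KV_RG" --sku B1 --is-linux
  az webapp create --resource-group "$KV_RG" --plan "$KV_APP_PLAN" --name "$KV_APP_NAME"
  principal_id=$(az webapp identity assign --resource-group "$KV_RG" --name "$KV_APP_NAME" \
    --query principalId -o tsv)

  # Least privilege: the identity may only read secrets, and only in this vault.
  az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --scope "$(kv_scope "$KV_SUBSCRIPTION" "$KV_RG" "$KV_NAME")"

  # Expose the secret to the app as an environment variable via a Key Vault reference.
  az webapp config appsettings set --resource-group "$KV_RG" --name "$KV_APP_NAME" \
    --settings "DatabasePassword=$(kv_secret_ref "$KV_NAME" DatabasePassword)"
}

# Deploy only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--deploy" ]; then
  kv_deploy
fi
```

Run it as `DB_PASSWORD='...' sh deploy-kv.sh --deploy`. Validating the name locally first avoids a half-created resource group when `az keyvault create` rejects the name, and scoping the role assignment to the single vault (rather than the resource group or subscription) keeps the identity from reading secrets in any other vault.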

Validation and Testing

Validating secret and certificate management involves verifying that access is granted only to authorized entities and that secrets can be correctly retrieved.

1. Testing Access to Secrets via Azure CLI

  1. Try to access the secret with an account that does not have permissions:

```bash
az login   # Log in with an account without permissions
az keyvault secret show --vault-name kv-artigos-seguranca-01 --name DatabasePassword --query value -o tsv
```

    • Expected Result: The command should fail with an AuthorizationFailed error.

  2. Try to access the secret with an account that has permissions (e.g. the account that created the Key Vault, or the App Service managed identity if you are testing from within the application):

```bash
az login   # Log in with an account with permissions
az keyvault secret show --vault-name kv-artigos-seguranca-01 --name DatabasePassword --query value -o tsv
```

    • Expected Result: The command must return the secret value.

2. Testing Certificate Access

  1. Verify that the certificate can be listed and retrieved by an authorized entity:

```bash
az keyvault certificate list --vault-name kv-artigos-seguranca-01
az keyvault certificate show --vault-name kv-artigos-seguranca-01 --name MyWebAppCert
```

    • Expected Result: Commands should return certificate details.

3. Checking Key Vault Audit Logs

All operations in Key Vault are logged and can be audited.

  1. In the Azure portal, navigate to your Key Vault (kv-artigos-seguranca-01).
  2. In the left navigation pane, select Activity Logs.
  3. You will see a log of all operations performed, including the creation of secrets, certificates and access attempts.
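Reviewing the log in the portal works for a one-off check; for the alerting on failed access attempts recommended under Security Tips below, the denied operations have to be picked out of exported log records. The following script is an added example, not part of the original article: it triages Key Vault AuditEvent records (one JSON object per line, as exported to a storage account or Log Analytics) and reports every caller whose denied secret or certificate operations reach a threshold. The sample records are constructed; the field names used (operationName, resultSignature, callerIpAddress and the caller's oid claim) follow the Key Vault AuditEvent schema, with all other fields trimmed away. The threshold and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article. The records below are
# constructed for the demonstration; real AuditEvent records carry more fields.

KV_SAMPLE_AUDIT='{"operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.10","identity":{"claim":{"oid":"11111111-aaaa-4bbb-8ccc-000000000001"}}}
{"operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.7","identity":{"claim":{"oid":"22222222-aaaa-4bbb-8ccc-000000000002"}}}
{"operationName":"SecretList","resultSignature":"Forbidden","callerIpAddress":"198.51.100.7","identity":{"claim":{"oid":"22222222-aaaa-4bbb-8ccc-000000000002"}}}
{"operationName":"CertificateGet","resultSignature":"OK","callerIpAddress":"203.0.113.10","identity":{"claim":{"oid":"11111111-aaaa-4bbb-8ccc-000000000001"}}}
{"operationName":"SecretDelete","resultSignature":"Forbidden","callerIpAddress":"192.0.2.44","identity":{"claim":{"oid":"33333333-aaaa-4bbb-8ccc-000000000003"}}}'

# Callers with at least this many denied operations are reported (assumed value).
KV_DENY_THRESHOLD=2

# Extract a string-valued JSON field from a single-line record. The keys used
# here occur once per record, so a plain sed match is sufficient.
kv_field() {  # kv_field <key> <record>
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Read records on stdin and print "<oid> <ip> <denied-count>" for each caller
# whose Forbidden results reach the threshold, sorted by oid.
kv_denied_callers() {  # kv_denied_callers [threshold]
  threshold="${1:-$KV_DENY_THRESHOLD}"
  while IFS= read -r rec; do
    [ -n "$rec" ] || continue
    [ "$(kv_field resultSignature "$rec")" = "Forbidden" ] || continue
    printf '%s %s\n' "$(kv_field oid "$rec")" "$(kv_field callerIpAddress "$rec")"
  done | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $2, $3, $1 }' | sort
}

# Total number of denied operations in the input, regardless of caller.
kv_denied_total() {
  n=0
  while IFS= read -r rec; do
    [ "$(kv_field resultSignature "$rec")" = "Forbidden" ] && n=$((n + 1))
  done
  echo "$n"
}

echo "Callers at or above the deny threshold ($KV_DENY_THRESHOLD):"
printf '%s\n' "$KV_SAMPLE_AUDIT" | kv_denied_callers
echo "Total denied operations: $(printf '%s\n' "$KV_SAMPLE_AUDIT" | kv_denied_total)"
```

On the constructed sample, one caller (the second oid, from 198.51.100.7) is denied twice and is reported, while the single denied SecretDelete is below the threshold and appears only in the total. Feed real exported records with `kv_denied_callers < auditevent.jsonl` and forward the output to whatever raises your alerts; a denied delete from an identity that normally only reads is worth a lower threshold than repeated denied reads.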

Security Tips and Best Practices

  • Principle of Least Privilege: Grant only necessary permissions (get, list, set, delete) to secrets and certificates. Avoid granting excessive permissions.
  • Regular Rotation of Secrets: Implement a process to rotate secrets and certificates regularly to reduce the risk of compromise.
  • Managed Identities: Use managed identities for Azure resources whenever possible to authenticate to Key Vault, eliminating the need to manage credentials in your code.
  • Granular Access Policies: Use Key Vault access policies or Azure RBAC to control who can access what. Prefer RBAC for finer control.
  • Monitoring and Alerts: Configure alerts for suspicious activity in Key Vault, such as failed access attempts or secret deletions.
  • Soft Delete and Purge Protection: Enable soft delete and purge protection in Key Vault to prevent accidental or malicious loss of secrets and certificates.
  • Regular Backup: Although Key Vault is highly available, consider backing up your secrets and certificates, especially for disaster recovery scenarios.
  • Expiring Secrets: Set expiration dates for secrets and certificates to force rotation and avoid using old credentials.

Common Troubleshooting

  • Authorization Error (403 Forbidden): Check the Key Vault access policies or RBAC role assignments for the entity trying to access. Make sure the correct Object ID or principalId is used.
  • Secret/Certificate not found: Check the secret/certificate name and the Key Vault name. Make sure the secret/certificate exists and has not been deleted or expired.
  • Issues with Managed Identities: Verify that managed identity has been enabled for the Azure resource and that the correct permissions have been granted in Key Vault.
  • Latency in Secret Retrieval: In some cases, there may be a small latency in retrieving secrets. Make sure your application is handling this asynchronously.
  • Connectivity Errors: Check the network settings of your application or virtual machine. Make sure there are no firewalls or network security groups blocking access to Key Vault.

Conclusion

Azure Key Vault is a critical service for any organization looking to protect its most sensitive digital assets in the cloud. By centralizing the management of secrets and certificates in a secure, highly available repository, it simplifies compliance, reduces the risk of data breaches, and improves your overall security posture. Effective implementation of Azure Key Vault, combined with security and automation best practices, allows developers and operators to focus on innovation, knowing their credentials and keys are protected. With this practical guide, security professionals will be able to use Azure Key Vault to manage secrets and certificates securely and efficiently, ensuring the integrity and confidentiality of their applications and data in Azure.


References:

[1] Microsoft Learn. What is Azure Key Vault? Available at: https://learn.microsoft.com/pt-br/azure/key-vault/general/overview
[2] Microsoft Learn. Best practices for managing secrets in Azure Key Vault. Available at: https://learn.microsoft.com/pt-br/azure/key-vault/secrets/secrets-best-practices
[3] Microsoft Learn. About Azure Key Vault certificates. Available at: https://learn.microsoft.com/pt-br/azure/key-vault/certificates/about-certificates