Azure Key Vault is a good way to share secrets with your partners in a way that allows you to have control over the access to each of the assets in Azure. We also need to know who is accessing the resources and from where so that we can monitor for suspicious activity. This post will talk through setting up the key vault and then configuring logging to keep track of the audit information for your certificates, keys and secrets. For each application that you want to access your resources you will need to create some credentials that the application can use.
To allow an application to access Key Vault, an App Registration needs to be added to Azure Active Directory (AAD). This effectively sets up a username and password that the application can use as its credentials.
Open the Azure portal (http://portal.azure.com) and navigate to Active Directory.
Click "App registrations"
Then "New application registration"
The name needs to be unique within your AD. Select Web app/API and enter a sign-on URL. If you are not building a website then enter anything in here; it might be useful to use a URL related to your existing domain with the application name appended. It doesn’t need to be a valid URL. Then click “Create”.
Once created, copy the Application ID, as this is the equivalent of a username to be used when calling the Key Vault in code. You now need to create the password.
Click Settings then Keys
Enter a name in the description field and select a duration, then click Save. The new key value will be displayed. You will need to copy this as it will not be visible again once you leave this page. This will be used as the password.
Now create the Key Vault. It is a good idea to put it in a specific resource group, especially if you are creating a set of resources that the Key Vault is going to access or if you are going to set up third-party access. Once the Resource Group has been created, select it and add a Key Vault. When the Create Key Vault panel appears, click Access Policies, then click "Add new".
Pick the application you just created in AAD and select Get in Secret permissions, click Save, then go back to the main Key Vault pane and click Create.
You have just given the application we created earlier access only to retrieve secrets. As you can see from the access policy, you can give the application permissions to access a combination of Keys, Secrets and Certificates, with the minimum access being Get. Key Vault security is at the vault level and you cannot protect individual secrets at the user level. By granting only Get access on Secrets, the application will not be able to list the Secrets available and will only be able to retrieve secrets whose names it already knows.
Now that the Key Vault is set up and can be accessed, we want to know who is accessing the vault and from where. Out of the box this is not enabled; additional configuration and resources are required before this audit information can be retrieved. This is achieved by enabling diagnostic logs in the Key Vault.
Before you can enable this you need to create a new storage account in this resource group to store the logs, then add Application Insights to the resource group.
Once these have been provisioned, navigate to the Key Vault you just created and click Diagnostic logs.
Click "Turn on diagnostics".
Select “Archive to Storage Account” and pick the storage account you’ve just created.
Select “Send to Log Analytics” and create a new OMS workspace in your resource group.
Once created, select this workspace for Log Analytics.
Select the AuditEvent log and click Save.
Now any changes to the Key Vault plus any access from your application will be logged and visible via log analytics. There’s a 10 – 15 minute delay between accessing the Key Vault and the log appearing.
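As an added example (not code from the original post), here is a small Python script that reads AuditEvent records of the kind the archive-to-storage option writes (one JSON object per line) and reports which application accessed the vault, from which IP address, and which calls were denied, such as a list attempt by an application that only holds Get permission. The sample records are constructed: the field names (operationName, resultType, callerIpAddress, identity.claim.appid, properties.httpStatusCode) follow the documented AuditEvent schema, while the application IDs and IP addresses are made-up values and the expected application ID is an assumption standing in for the one registered above.

```python
import json
from collections import Counter

# Constructed sample AuditEvent records (not real log data). Field names follow
# the documented Key Vault AuditEvent schema; the values are made up.
SAMPLE_LOG = "\n".join([
    '{"time":"2018-03-01T10:00:00Z","operationName":"SecretGet","resultType":"Success",'
    '"resultSignature":"OK","callerIpAddress":"203.0.113.10",'
    '"identity":{"claim":{"appid":"11111111-1111-1111-1111-111111111111"}},'
    '"properties":{"id":"https://recneps-vault.vault.azure.net/secrets/recnepssvsb-key","httpStatusCode":200}}',
    # A list attempt by the Get-only application: denied, as the access policy intends.
    '{"time":"2018-03-01T10:05:00Z","operationName":"SecretList","resultType":"Failed",'
    '"resultSignature":"Forbidden","callerIpAddress":"203.0.113.10",'
    '"identity":{"claim":{"appid":"11111111-1111-1111-1111-111111111111"}},'
    '"properties":{"id":"https://recneps-vault.vault.azure.net/secrets","httpStatusCode":403}}',
    # A successful read by an application ID that is not one we registered.
    '{"time":"2018-03-01T11:00:00Z","operationName":"SecretGet","resultType":"Success",'
    '"resultSignature":"OK","callerIpAddress":"198.51.100.7",'
    '"identity":{"claim":{"appid":"22222222-2222-2222-2222-222222222222"}},'
    '"properties":{"id":"https://recneps-vault.vault.azure.net/secrets/recnepssvsb-key","httpStatusCode":200}}',
])

# Assumed value: the Application ID of the app registration created above.
EXPECTED_APPIDS = {"11111111-1111-1111-1111-111111111111"}


def parse_audit_events(text):
    """Parse newline-delimited JSON AuditEvent records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_audit_events(events, expected_appids):
    """Return (usage, alerts): usage counts successful calls per (appid, caller IP);
    alerts lists calls from unexpected app IDs and calls that were denied or failed."""
    usage = Counter()
    alerts = []
    for ev in events:
        appid = ev.get("identity", {}).get("claim", {}).get("appid", "<no appid>")
        ip = ev.get("callerIpAddress", "<no ip>")
        op = ev.get("operationName", "<no operation>")
        status = ev.get("properties", {}).get("httpStatusCode", 0)
        if appid not in expected_appids:
            alerts.append(("unexpected-appid", appid, ip, op))
        if ev.get("resultType") != "Success" or status >= 400:
            alerts.append(("denied-or-failed", appid, ip, op))
        else:
            usage[(appid, ip)] += 1
    return usage, alerts


if __name__ == "__main__":
    usage, alerts = review_audit_events(parse_audit_events(SAMPLE_LOG), EXPECTED_APPIDS)
    print("usage:", dict(usage))
    print("alerts:", alerts)
```

Against real exports, point parse_audit_events at the contents of the PT1H.json blobs written to the storage account and keep EXPECTED_APPIDS in step with the access policies on the vault.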
To add a Secret to the vault, navigate to the vault, click Secrets, then Add.
Select Manual from the Upload options, then enter a name and the secret.
Remember the name you gave the Secret as you will need this in your code when accessing the key vault. This secret will now have a unique identifier that you will use. The one I’ve just created is:
You should see in the logs this secret being created and also when it gets accessed.
An example of accessing the Key Vault in C# can be seen here: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
The application in the example uses settings as defined below:
ClientID is the Application ID we created in the application registration in AD
ClientSecret is the key you created (that you had to save as it wasn’t visible again) as part of creating the application registration in AD.
Each Key, Secret and Certificate has a unique url which is used as the SecretURI e.g. https://recneps-vault.vault.azure.net/secrets/recnepssvsb-key
You now have your Key Vault set up with audit logging and are able to access it. My next blog post will talk you through how to access the logs and also how to set up alerting.