Most people have heard of or used Azure Key Vault in some way, most often for encrypting a Windows/Linux VM in Azure or for securing connection strings.
In this post we will cover how to authenticate a client application with Azure Key Vault using an Azure Active Directory application (AD app registration) and how to set the access policies for each application. Because most organizations have different teams managing the key lifecycle (creation, distribution, rotation and retirement), a good practice is to give each AD application only the minimum set of permissions it needs to do its job.
A Security Administrator would be given full permissions so that they can modify vault keys and secrets as required, while an Azure Developer would have limited permissions on keys and secrets. For such a scenario it is best to create two or more AD applications and grant each its own separate permissions.
Let's have a look at a sample architecture in which each team is granted only the minimal permissions needed to perform its own operations:
As you can see above, we have created two AD applications for the two teams. The Azure Developer team decrypts secrets using a certificate that has to be installed on the target server. The Security Administrator team encrypts secrets (connection strings, passwords, API keys) using software- or HSM-protected keys.
The application first uses the AD application credentials to authenticate and obtain an access token; once the token is received, it is used for all further interactions with the Key Vault. Using the key identifier we can retrieve the key details. The appropriate permissions are granted against the key vault with the Set-AzureKeyVaultAccessPolicy PowerShell cmdlet. In C#, we generally encrypt the data with the System.Security.Cryptography.RSA algorithm.
To implement the above Azure Key Vault scenario, we typically have four steps:
- Create the Azure AD applications
- Create the Key Vault and associate the service principals
- Create a key and a secret in the Key Vault
- Use the Key Vault from a web application
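The first three steps, written out as an added PowerShell example (not the post's own code). It assumes the AzureRM.Resources and AzureRM.KeyVault modules that provide Set-AzureKeyVaultAccessPolicy, an existing Login-AzureRmAccount session and resource group, a module version in which -Password takes a SecureString, and made-up vault, application and file names; the two policies split encrypt (Security Administrator) from decrypt (Azure Developer) as the architecture above describes.

```powershell
# Added example, not the post's own code. Assumes AzureRM.Resources and
# AzureRM.KeyVault, an existing Login-AzureRmAccount session and resource group.
$rg       = 'kv-demo-rg'            # placeholder resource group
$vault    = 'kv-demo-vault-001'     # placeholder, must be globally unique
$location = 'westeurope'

# Step 1: one AD application per team. The developer app authenticates with a
# certificate, so only its public part (.cer, base64) is registered in AD.
$certBytes = [System.IO.File]::ReadAllBytes('C:\certs\dev-app.cer')   # placeholder path
$certValue = [Convert]::ToBase64String($certBytes)
$devApp = New-AzureRmADApplication -DisplayName 'kv-dev-team' `
    -HomePage 'https://kv-dev-team.example.com' `
    -IdentifierUris 'https://kv-dev-team.example.com' -CertValue $certValue
New-AzureRmADServicePrincipal -ApplicationId $devApp.ApplicationId | Out-Null

# The security administrator app uses a password credential (SecureString).
$adminPwd = Read-Host 'Security admin app password' -AsSecureString
$adminApp = New-AzureRmADApplication -DisplayName 'kv-secadmin-team' `
    -HomePage 'https://kv-secadmin-team.example.com' `
    -IdentifierUris 'https://kv-secadmin-team.example.com' -Password $adminPwd
New-AzureRmADServicePrincipal -ApplicationId $adminApp.ApplicationId | Out-Null

# Step 2: the vault. Soft delete keeps deleted keys recoverable during the
# retention window, which matters for the rotation and retirement stages.
New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location -EnableSoftDelete | Out-Null

# Security administrators manage the key lifecycle and encrypt with the key,
# but do not get decrypt, and can write secrets without reading them back.
Set-AzureKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $adminApp.ApplicationId `
    -PermissionsToKeys create,import,get,list,update,encrypt,backup,restore,recover `
    -PermissionsToSecrets set,list

# Developers only decrypt with the key and read the secrets their app needs.
Set-AzureKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $devApp.ApplicationId `
    -PermissionsToKeys get,decrypt -PermissionsToSecrets get

# Step 3: a software-protected RSA key (use -Destination HSM on a Premium vault)
# and a secret; the key identifier is what the web application references.
$key  = Add-AzureKeyVaultKey -VaultName $vault -Name 'app-config-key' -Destination Software
$conn = Read-Host 'Connection string' -AsSecureString
Set-AzureKeyVaultSecret -VaultName $vault -Name 'app-connection-string' -SecretValue $conn | Out-Null
$key.Id

# Check that the stored policies match the least-privilege intent before
# handing either set of credentials to a team.
(Get-AzureRmKeyVault -VaultName $vault).AccessPolicies |
    Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets
```

The final Get-AzureRmKeyVault listing is the place to confirm that neither application has ended up with the other team's permissions.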
To know more about the above architecture, email me or leave a comment here.