Setting Up and Configuring an Azure Key Vault

No longer do developers need to store sensitive application data, keys and configuration settings in code - Azure Key Vault can store them for our applications in the cloud. Christos Matskas shows how to provision a new Key Vault in Azure using the Azure PowerShell cmdlets, and how to authorise an application to access and use a Key Vault.

As we saw in a previous article, the Azure KeyVault is a new service on Azure that can be used to securely manage cryptographic keys and secrets (encrypted values) in the cloud. The KeyVault API offers a strong case for eliminating the need to store sensitive application data and configuration settings in code. Instead, through the use of the service, developers can access and use encryption keys in a secure way by leveraging the appropriate authorisation levels. These levels provide the necessary isolation between different actors and environments. In other words, a company can have different encryption keys for use in development and production. This way, developers can still perform their day-to-day tasks without fear of compromising client data security and integrity. The KeyVault can also be used to store sensitive application configuration settings, such as database connection strings, in the form of secrets. This provides an additional layer of security to the application, because the production values are never checked into source control or shipped inside a deployment package and so cannot be deployed to the wrong environment by accident.

In this post, we'll examine how to set up a KeyVault in Azure and how to provision an application with the appropriate permissions in order to use this KeyVault. As of writing this post, there's no option to manage, view or configure KeyVaults in the Azure web portal; the portal section is scheduled for release at some point in 2016. In the meantime, there are two ways to set up a KeyVault, either by using:

  • the Azure PowerShell with the Azure Resource Manager (ARM), if you’re comfortable with scripting, or
  • the Node.js CLI.

In this article, we’ll use the PowerShell option on Windows.

Installing the new Azure PowerShell Resource Manager

In order to manage Azure resources through PowerShell, we need to install the new Azure Resource Manager module. This is the first major version, taking it to 1.0, and, unfortunately, it comes with breaking changes. If this is the first time you are using it, then there's no need to worry. However, if you're already using the Azure PowerShell to manage your Azure subscriptions and resources in production, you may want to install this on a test machine first. If you still want to go ahead and install it, it's imperative that you read the documentation before running the upgrade. Finally, Microsoft advises that this version should not be used for critical applications as it's still in Beta.

To install the new Azure PowerShell modules, follow the instructions below:

  1. If you've already installed the Azure PowerShell module, you need to uninstall it from the Control Panel -> Add Remove Programs -> Microsoft Azure PowerShell
  2. Open a new PowerShell window with elevated permissions (Run as Administrator)
  3. Allow locally created scripts to run and require downloaded scripts to be signed: Set-ExecutionPolicy RemoteSigned
  4. Now we are ready to install the Azure Resource Manager module. In the PowerShell window, type: Install-Module AzureRM
     If you're prompted to install NuGet (the .NET package manager) say "Yes". You will need to rerun the above command once NuGet is installed successfully. If you're prompted to accept the download and installation say "Yes".
  5. Next, we need to install the new Azure PowerShell modules themselves. Type: Install-AzureRM
     The current install process consists of twenty-six modules, so it may take a while depending on your download speed. As a reference, mine took about 10 minutes at 35Mbps.

If all the steps are executed correctly, you should get the following output:

Create a KeyVault to store our data

At the moment, there is no option to create or interact with a KeyVault through the Azure Portal. Consequently, the only ways to manage a KeyVault are through PowerShell or the command-line tools. The following commands will take you through the process of setting up a new KeyVault with PowerShell.

  1. Open a new elevated PowerShell window (Run as Administrator)
  2. Log in to your Azure account: Login-AzureRmAccount
  3. If you manage more than one subscription (for example one in the office and a personal one), you can use Get-AzureRmSubscription to get a full list of all the subscriptions your login can see.
  4. Choose the subscription you want to work with and make a note of its SubscriptionId
  5. Set the PowerShell context to use the desired subscription. Type the following command: Set-AzureRmContext -SubscriptionId YourSubscriptionId
  6. You need a Resource Group for your new Key Vault. You can either create a new one or reuse one of the existing groups in your subscription. To get more information on the existing ones, type: Get-AzureRmResourceGroup and make a note of the Resource Group name you wish to use.
  7. To create a new resource group, type the following command: New-AzureRmResourceGroup -Name 'NameOfYourResourceGroup' -Location 'North Europe'
  8. NOTE: Not all locations have support for the KeyVault service, so to check if your region is supported, run the following command: ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.KeyVault).ResourceTypes | Where-Object ResourceTypeName -eq vaults).Locations
  9. With the Resource Group in place, we can now create the KeyVault by executing the following command: New-AzureRmKeyVault -VaultName 'NameOfYourKeyVault' -ResourceGroupName 'NameOfYourResourceGroup' -Location 'North Europe'
     The command takes three mandatory parameters:
     • The vault name (this must be globally unique across Azure, as it becomes part of the vault's DNS name)
     • The resource group name
     • The geographic location (i.e. region)

The picture below shows steps 6 & 7 being executed in succession:

At this point, we've successfully created a new KeyVault. The account you used to connect to Azure is automatically given an access policy with full permissions on the keys and secrets in the new KeyVault. No other user or application can interact with the vault until you explicitly grant it access.
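The whole provisioning procedure above, collected into one script you can run end to end. This is an added example and not code from the original article; the subscription ID, resource group name, vault name and region are placeholders (assumptions) that you replace with your own values. The script also performs the region check from step 8 before attempting to create anything, and reuses the resource group if it already exists instead of failing.

```powershell
# Added example (not from the original article). Placeholders below are assumptions:
# replace them with your own subscription, resource group, vault name and region.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption: your SubscriptionId
$resourceGroup  = 'NameOfYourResourceGroup'                # assumption
$vaultName      = 'NameOfYourKeyVault'                     # assumption: must be globally unique
$location       = 'North Europe'                           # assumption

# Steps 2 and 5: sign in and pin the session to the subscription we want to work in.
Login-AzureRmAccount | Out-Null
Set-AzureRmContext -SubscriptionId $subscriptionId | Out-Null

# Step 8: fail early if the chosen region does not offer the Microsoft.KeyVault/vaults type.
$provider  = Get-AzureRmResourceProvider -ProviderNamespace Microsoft.KeyVault
$supported = ($provider.ResourceTypes | Where-Object ResourceTypeName -eq 'vaults').Locations
if ($supported -notcontains $location) {
    throw "Key Vault is not available in '$location'. Supported regions: $($supported -join ', ')"
}

# Steps 6 and 7: reuse an existing resource group, or create it when it is missing.
$rg = Get-AzureRmResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzureRmResourceGroup -Name $resourceGroup -Location $location
}

# Step 9: create the vault. This fails if any vault with the same name exists anywhere in Azure.
$vault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -Location $location

# Show the result. Only the account that ran the script appears in AccessPolicies at this point;
# every other user or application must be added explicitly with Set-AzureRmKeyVaultAccessPolicy.
$vault.VaultUri
$vault.AccessPolicies | Format-List DisplayName, PermissionsToKeys, PermissionsToSecrets
```

Run it from the elevated PowerShell window set up in the previous section. The final Format-List is the check worth keeping: it makes the initial trust boundary of the vault visible (exactly one principal, the creator) before any application is authorised.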

Configure an application to work with the KeyVault

In this section we'll create a sample application to take advantage of the features Azure KeyVault has to offer. This application can run anywhere: locally or in the cloud. However, for an application to be able to use a key vault, it must authenticate using a token from Azure Active Directory (AD). We must therefore register our application in Azure AD to obtain an Application (Client) ID and a client secret (the authentication key).

To register an application in Azure AD

  1. Sign in to the Azure Portal
  2. Find the Active Directory blade and select the directory in which you want to register your application.
  3. Click on the APPLICATIONS section (at the top) and then the ADD button on the bottom toolbar.
  4. On the "What do you want to do" page, choose "Add an application my organization is developing"
  5. On the next page, "Tell us about your application", you will need to provide the name of your application and choose whether it's a WEB APPLICATION AND/OR WEB API (the default) or a NATIVE CLIENT APPLICATION. Click "Next" (arrow icon).
  6. On the App Properties page, you'll need to provide a Sign-On URL and an App ID URI for your application. At this stage (or any stage) it doesn't matter whether a real page exists at those addresses. As long as you provide a unique, well-formed URL in each textbox, you should be fine.
  7. Click the "Complete" icon to save your settings.
  8. Go to the Quick Start page and click on CONFIGURE in the top menu
  9. Make a copy of the CLIENT ID, as it will be used next to set up the permissions to the KeyVault
  10. Scroll down to the KEYS section and generate a key. You can choose a validity of 1 or 2 years.
  11. The secret will be generated once you click on the Save button at the bottom of the page.
  12. Make sure you make a copy of the CLIENT SECRET, as this is the one and only time you'll see it. If you lose it, you'll need to delete the key and create it again. Treat it like a password: store it outside source control and rotate it before it expires.

Authorize the application to access the KeyVault

The application intended to use the KeyVault needs to be provisioned to be able to access the key or secret in the vault. Go back to your PowerShell session and run the following command:

Set-AzureRmKeyVaultAccessPolicy -VaultName 'YourKeyVaultName' -ResourceGroupName 'YourResourceGroupName' -ServicePrincipalName '2c42f3db-5994-44fe-acb2-8562938f10b9' -PermissionsToKeys all -PermissionsToSecrets all

The above command takes the following parameters:

  1. VaultName (the name of your KeyVault)
  2. ResourceGroupName (the name of the resource group where your KeyVault was created)
  3. ServicePrincipalName (the CLIENT ID from step 9 in the previous section)
  4. PermissionsToKeys (the key operations the application is allowed to perform)
  5. PermissionsToSecrets (the secret operations the application is allowed to perform)

Note that the example grants the application every key and secret operation ('all'), which is convenient for a first test but more than most applications need. An application that only reads configuration values needs nothing more than get (and possibly list) on secrets and no key permissions at all, so in practice grant only the operations the application actually performs. You can find more information about the available permissions and the full syntax of Set-AzureRmKeyVaultAccessPolicy in the cmdlet help (Get-Help Set-AzureRmKeyVaultAccessPolicy -Full).
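An added example, not from the original article, that applies the least-privilege version of the policy above, verifies what the vault now records, and round-trips a test secret so the vault is known to work before the application is pointed at it. The vault and resource group names are placeholders (assumptions); the CLIENT ID is the one shown in the article's command, and the connection string stored as the test secret is a constructed sample value.

```powershell
# Added example (not from the original article). Run in the same signed-in AzureRM session
# used to create the vault. Placeholders are assumptions; replace with your own values.
$vaultName     = 'NameOfYourKeyVault'                       # assumption
$resourceGroup = 'NameOfYourResourceGroup'                  # assumption
$clientId      = '2c42f3db-5994-44fe-acb2-8562938f10b9'     # CLIENT ID copied from the portal (step 9)

# Least privilege: an application that only reads its configuration gets 'get' and 'list' on
# secrets. -PermissionsToKeys is omitted entirely, so the app gets no key rights at all,
# instead of the 'all'/'all' grant used in the article's first example.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -ServicePrincipalName $clientId -PermissionsToSecrets get,list | Out-Null

# Verify the change against the vault itself rather than trusting the command succeeded:
# the app should appear once, with secrets = get,list and an empty key permission set.
$vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
$vault.AccessPolicies | Format-Table DisplayName, ObjectId, PermissionsToKeys, PermissionsToSecrets -AutoSize

# Smoke test as the vault owner (the signed-in account): write a secret and read it back.
# Secret values go in as SecureString; the constructed sample below stands in for a real
# connection string. Only the length is printed so the plaintext never lands in a transcript.
$sample = ConvertTo-SecureString 'Server=tcp:db.example.test;Database=app;User ID=app;Password=sample' `
    -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $vaultName -Name 'AppDbConnectionString' -SecretValue $sample | Out-Null
$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name 'AppDbConnectionString'
$secret.Id                          # versioned URI the application will reference
$secret.SecretValueText.Length      # non-zero proves the value round-tripped without echoing it

# To withdraw the application's access later, remove its policy rather than deleting the app:
# Remove-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup -ServicePrincipalName $clientId
```

Two design points: the data-plane cmdlets (Set-AzureKeyVaultSecret, Get-AzureKeyVaultSecret) keep the older Azure prefix while the management-plane ones (New-AzureRmKeyVault, Set-AzureRmKeyVaultAccessPolicy) use AzureRm, so both prefixes appearing in one script is expected; and the secret is written by the owning user, not by the application, because the application has deliberately been given no set permission.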

Summary

In this post, we looked into the required steps to provision a new KeyVault in Azure using the Azure PowerShell cmdlets. This KeyVault can be used to store encryption keys and secrets for our applications in the cloud. Then, we saw the steps required to authorise an application to access and use a KeyVault. In the next section, we'll examine how to access and interact with the KeyVault in a Node.js application.