{"id":3372,"date":"2023-08-25T10:32:26","date_gmt":"2023-08-25T15:32:26","guid":{"rendered":"https:\/\/microsoftgeek.com\/?p=3372"},"modified":"2023-08-25T10:32:26","modified_gmt":"2023-08-25T15:32:26","slug":"using-managed-system-identities-to-access-azure-key-vault","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=3372","title":{"rendered":"Using Managed (System) Identities to access Azure Key Vault"},"content":{"rendered":"\n

A common challenge that integrators run into is managing secrets and subsequently, managing access to secrets. Azure Key Vault is a service that developers can use to store their secrets, keys and other sensitive data. However, there is still a challenge with accessing these secrets. If you are storing the credentials to access Key Vault in a non-secure manner, you have just pushed the problem to another area.<\/p>\n\n\n\n

The good news is that we can use a capability called Managed Identities to establish trust between some Azure services. For example, we can have a Logic App that can have a Managed Identity associated with it which can then be added to Azure Key Vault RBAC roles. This establishes trust between our Logic App and Azure Key Vault.<\/p>\n\n\n\n

Let\u2019s now explore how we can get this setup.<\/p>\n\n\n\n

    \n
  1. Click on Identity<\/strong> as part of your Logic App settings, subsequently turn the Status<\/strong> to On<\/strong>. After this is completed, you will see an Object ID populated which is essentially creating an identity for your Logic App within Azure AD. Copy this value, it will allow us to assign permissions to our Logic App in a subsequent step.<\/li>\n<\/ol>\n\n\n\n

    Click on Azure role assignments<\/strong> to continue.
    \"1-Identity\"<\/p>\n\n\n\n

      \n
    1. Click on Add role assignment<\/strong> followed by selecting the appropriate Subscription<\/strong>. From there select the appropriate Scope, Subscription, Resource<\/strong> (your keyvault instance) and the appropriate Role<\/strong>. In this case we will select Key Vault Secrets User<\/strong> which will allow us to extract secrets contents but not modify.<\/li>\n<\/ol>\n\n\n\n
      \"2-role(1)\"\/<\/figure>\n\n\n\n
        \n
      1. Repeat this step to include Key Vault Reader<\/strong><\/li>\n\n\n\n
      2. After we click Save<\/strong> we should see the result.<\/li>\n<\/ol>\n\n\n\n
        \"3-result(4)\"\/<\/figure>\n\n\n\n
          \n
        1. Next up, we need to assign an Access Policy on our Key Vault instance and assign access to the Managed Identity that we just created. Find your Key Vault in Azure Portal. Click on Access policies<\/strong> and then Add Access Policy<\/strong>.<\/li>\n<\/ol>\n\n\n\n
          \"3b-AccessPolicy\"\/<\/figure>\n\n\n\n
            \n
          1. We can use the Secret Management<\/strong> template to help accelerate completing this task. When it comes to Secret permissions<\/strong>, we will reduce all access to just Get<\/strong> and List<\/strong>. Lastly, we will find our Managed Service principal that we created in step 1. Click Add<\/strong> and Save<\/strong> to continue.<\/li>\n<\/ol>\n\n\n\n
            \"3c-AddPolicy\"\/<\/figure>\n\n\n\n
              \n
            1. We can now edit our Logic App and add an Azure Key Vault action to our canvas. Instead of signing in with our credentials, we will click on Connect with managed identity<\/strong>.<\/li>\n<\/ol>\n\n\n\n
              \"4-connect\"\/<\/figure>\n\n\n\n
                \n
              1. Specify a Connection name<\/strong> of your choosing and type in the name of your Vault<\/strong>. Click Create<\/strong> to continue.<\/li>\n<\/ol>\n\n\n\n
                \"5-VaultName\"\/<\/figure>\n\n\n\n
                  \n
                1. Select Name of the secret<\/strong> to match the secret that you want to extract.<\/li>\n<\/ol>\n\n\n\n
                  \"5b-secretname\"\/<\/figure>\n\n\n\n
                    \n
                  1. We can now add a Compose<\/strong> action where we can write out the Azure Key Vault secret value to ensure our process works.<\/li>\n<\/ol>\n\n\n\n

                    Note:<\/strong> Whenever using sensitive information in Logic Apps, ensure that you use the Secure Inputs\/Outputs<\/strong> feature to avoid secrets leaking into your run history.
                    \"6-testing(1)\"<\/p>\n\n\n\n

                      \n
                    1. Test your Logic App to ensure your secret is obtained successfully.<\/li>\n<\/ol>\n\n\n\n

                      Conclusion<\/h2>\n\n\n\n

                      In this post, we discussed how we can use Managed System identities when accessing Azure services like Key Vault. This allows organizations to securely connect to Azure resources without there being a tie to an individual\u2019s credentials\/account.<\/p>\n","protected":false},"excerpt":{"rendered":"

                      A common challenge that integrators run into is managing secrets and subsequently, managing access to secrets. Azure Key Vault is a service that developers can use to store their secrets, keys and other sensitive data. However, there is still a challenge with accessing these secrets. If you are storing the credentials to access Key Vault […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,35],"tags":[],"class_list":["post-3372","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud-computing"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3372"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3372\/revisions"}],"predecessor-version":[{"id":3373,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3372\/revisions\/3373"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}