Azure Key Vault
ADOC v3.6.0 adds support for Azure Key Vault as a secret manager, so that the keys and secrets ADOC uses (for example data source credentials) are kept in the vault and retrieved from it by the Data Plane, rather than being stored in ADOC's own configuration.
What is Azure Key Vault?
Azure Key Vault is a Microsoft cloud service for storing and controlling access to cryptographic keys and small secrets such as passwords and connection strings. Secrets are encrypted at rest, keys can be protected by hardware security modules (HSMs), access is granted per vault through Azure role assignments or access policies, and every operation on the vault can be logged for audit.
Setting Up Azure Key Vault with ADOC
Creating an Azure Key Vault Secret
To add a secret to the Azure Key Vault, follow these steps:
Navigate to your key vault in the Azure portal:
- On the Key Vault left-hand sidebar, select Objects then Secrets.
- Click on + Generate/Import.
Create a secret:
- On the Create a secret screen, set the following values:
  - Upload options: Manual
  - Name: Enter a unique name for the secret. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -.
  - Value: Enter the value of the secret. Key Vault APIs accept and return secret values as strings.
- Leave the other values at their defaults and select Create.
Creating a Service Principal
Create a service principal (SP) following the steps in Service Principal Support for Azure Data Sources.
Once the SP exists, open the key vault's Access control (IAM) page and assign the service principal the following roles:
- Key Vault Secrets User (data plane: read the contents of secrets)
- Key Vault Contributor (management plane: manage the vault resource)
These roles apply when the vault uses the Azure RBAC permission model. Key Vault Contributor lets the principal manage the vault itself but does not by itself grant access to secret values; if ADOC only needs to read secrets, Key Vault Secrets User on its own is the least-privilege assignment. If the vault uses the older vault access policy model instead, grant the SP an access policy with the Get (and List) secret permissions.
Configuring ADOC to Use Azure Key Vault
Secret Manager Configuration JSON
Populate the secret manager configuration JSON as shown below and mount it on the Data Plane (DP) that requires Azure Key Vault support. The file holds the service principal's client secret in clear text, so restrict its file permissions to the account the DP runs as and keep it out of version control.
[
  {
    "name": "AzureKeyVault",
    "type": "Azure",
    "keyVaultUrl": "<Your Key Vault URL>",
    "tenantId": "<Your Tenant ID>",
    "clientId": "<Your Client ID>",
    "clientSecret": "<Your Client Secret>"
  }
]
Replace <Your Key Vault URL>, <Your Tenant ID>, <Your Client ID>, and <Your Client Secret> with the values for your vault and service principal. The Key Vault URL is the vault's DNS name as shown in the portal, of the form https://<vault-name>.vault.azure.net/; the tenant ID and client (application) ID are the GUIDs shown on the service principal's app registration.
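The configuration steps above can be checked before the JSON is mounted. The following Python script is an added example and not ADOC's own code: it validates the structure of the secret manager JSON (field names taken from the template above), checks candidate secret names against the naming rule given earlier, and, only when the azure-identity and azure-keyvault-secrets packages are installed and the hypothetical ADOC_KV_TEST_SECRET environment variable names a secret, reads that secret with the configured service principal to confirm the role assignments work. The default file name secret-manager.json and the environment variable are assumptions of this example.

```python
"""Check an ADOC secret-manager configuration for Azure Key Vault.

Added example, not ADOC's own code. Validates the JSON described on this
page before it is mounted on the Data Plane and, optionally, performs one
live secret read with the configured service principal.
"""
import json
import os
import re
import sys
from urllib.parse import urlparse

# Secret naming rule quoted on this page: 1-127 characters, starting with a
# letter, containing only letters, digits and '-'.
SECRET_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,126}$")
# Tenant and client IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Field names from the configuration template on this page.
REQUIRED = ("name", "type", "keyVaultUrl", "tenantId", "clientId", "clientSecret")


def is_valid_secret_name(name: str) -> bool:
    return bool(SECRET_NAME_RE.match(name))


def validate_entry(entry: dict) -> list:
    """Return a list of problems with one secret-manager entry (empty means OK)."""
    problems = []
    for key in REQUIRED:
        if not entry.get(key):
            problems.append(f"missing or empty field: {key}")
    if entry.get("type") != "Azure":
        problems.append("type must be 'Azure'")
    url = str(entry.get("keyVaultUrl") or "")
    parsed = urlparse(url)
    # Key Vault only serves HTTPS; anything else cannot work and should not be tried.
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("keyVaultUrl must be an https:// URL such as https://<vault-name>.vault.azure.net/")
    for key in ("tenantId", "clientId"):
        value = str(entry.get(key) or "")
        if value and not GUID_RE.match(value):
            problems.append(f"{key} is not a GUID")
    # Catch template placeholders that were never replaced.
    for key in REQUIRED:
        value = entry.get(key)
        if isinstance(value, str) and value.startswith("<Your"):
            problems.append(f"{key} still contains the template placeholder")
    return problems


def validate_config(text: str) -> list:
    """Validate the whole JSON document; problems are prefixed with the entry index."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, list) or not data:
        return ["top level must be a non-empty JSON array"]
    problems = []
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: must be an object")
            continue
        problems.extend(f"entry {i}: {p}" for p in validate_entry(entry))
    return problems


def fetch_secret(entry: dict, secret_name: str) -> str:
    """Read one secret with the configured service principal.

    Needs network access to the vault and the azure-identity and
    azure-keyvault-secrets packages; imported here so the validator itself
    runs without them.
    """
    from azure.identity import ClientSecretCredential
    from azure.keyvault.secrets import SecretClient
    credential = ClientSecretCredential(entry["tenantId"], entry["clientId"], entry["clientSecret"])
    client = SecretClient(vault_url=entry["keyVaultUrl"], credential=credential)
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "secret-manager.json"  # assumed file name
    with open(path) as fh:
        text = fh.read()
    issues = validate_config(text)
    for issue in issues:
        print("PROBLEM:", issue)
    test_secret = os.environ.get("ADOC_KV_TEST_SECRET")  # assumed variable name
    if not issues and test_secret:
        if not is_valid_secret_name(test_secret):
            sys.exit(f"invalid secret name: {test_secret}")
        value = fetch_secret(json.loads(text)[0], test_secret)
        # Report only the length; the secret value itself must not reach logs.
        print(f"fetched {test_secret}: {len(value)} characters")
    sys.exit(1 if issues else 0)
```

Run it as `python check_kv_config.py /path/to/secret-manager.json`; a non-zero exit means the file should not be mounted yet. The live read is deliberately opt-in, because a successful read proves the SP, the role assignment and the network path all work, which is exactly what the troubleshooting section below has to separate when something fails.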
Using Azure Key Vault Secrets in ADOC
Accessing Secrets
Once configured, ADOC retrieves secrets from Azure Key Vault with the service principal, so sensitive values such as data source credentials are held in the vault rather than in ADOC configuration.
Datasource Configuration:
- In the ADOC UI, go to the datasource configuration section.
- Select Azure Key Vault as the secret manager.
- Enter the details needed to locate the secrets in Azure Key Vault (such as the names of the secrets created above).
Fetching Secrets Programmatically:
- The ADOC API can also fetch secrets stored in Azure Key Vault. These calls are authenticated to the vault with the configured service principal, so the SP must hold the roles assigned above.
Best Practices
- Regularly Rotate Keys and Secrets: To limit the impact of exposure, rotate the keys and secrets stored in Azure Key Vault on a schedule. Rotate the service principal's own client secret as well; it sits in clear text in the mounted configuration JSON and has an expiry date set at creation, so update the JSON on the Data Plane whenever it changes.
- Monitor and Audit Access: Enable a diagnostic setting on the vault that sends the AuditEvent log category to a Log Analytics workspace or storage account, and review which application IDs and caller IP addresses read secrets; reads from anything other than the ADOC service principal, and denied requests, both warrant investigation.
- Implement Least Privilege Access: Grant the service principal only what ADOC needs. If it only reads secrets, Key Vault Secrets User is sufficient; scope the role assignment to this vault rather than the resource group or subscription, and keep the vault dedicated to ADOC's secrets so the SP cannot read secrets belonging to other applications.
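As an added example of the monitoring point above (not ADOC's or Microsoft's code), the script below scans Key Vault AuditEvent records exported as JSON lines, as produced when a diagnostic setting sends the vault's logs to a Log Analytics workspace or storage account, and flags secret reads by any application ID other than the ADOC service principal, as well as denied requests. The records are constructed for this example, using the field names of the AuditEvent schema (operationName, resultSignature, callerIpAddress, identity.claim.appid, properties.id); the ADOC app ID value is assumed.

```python
"""Flag unexpected secret access in Key Vault AuditEvent logs.

Added example, not ADOC's or Azure's code. Reads AuditEvent records as JSON
lines and reports secret operations that were denied or that came from an
application ID not on the allow list.
"""
import json

# Application (client) ID of the ADOC service principal; assumed value.
ADOC_APP_ID = "66666666-7777-8888-9999-000000000000"

# Secret operations worth reviewing; other operations (VaultGet, key and
# certificate operations) are ignored by this example.
SECRET_OPERATIONS = {"SecretGet", "SecretList", "SecretSet", "SecretDelete"}

# Constructed sample records shaped like Key Vault AuditEvent resource logs.
SAMPLE_LOG = """
{"time":"2024-05-01T10:00:00Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.1.2.3","identity":{"claim":{"appid":"66666666-7777-8888-9999-000000000000"}},"properties":{"id":"https://example-vault.vault.azure.net/secrets/db-password/abc123"}}
{"time":"2024-05-01T10:05:00Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}},"properties":{"id":"https://example-vault.vault.azure.net/secrets/db-password"}}
{"time":"2024-05-01T10:06:00Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}},"properties":{"id":"https://example-vault.vault.azure.net/secrets/api-token/def456"}}
{"time":"2024-05-01T10:07:00Z","operationName":"VaultGet","resultSignature":"OK","callerIpAddress":"10.1.2.3","identity":{"claim":{"appid":"66666666-7777-8888-9999-000000000000"}},"properties":{"id":"https://example-vault.vault.azure.net/"}}
"""


def secret_name_from_id(secret_id: str) -> str:
    """Extract <name> from https://<vault>/secrets/<name>[/<version>]."""
    parts = secret_id.rstrip("/").split("/")
    if "secrets" in parts and parts.index("secrets") + 1 < len(parts):
        return parts[parts.index("secrets") + 1]
    return ""


def review(log_text: str, allowed_app_ids: set) -> list:
    """Return findings as (kind, appid, caller_ip, secret_name) tuples.

    kind is "denied" for any non-OK result on a secret operation and
    "unexpected-caller" for a successful secret operation by an app ID
    outside allowed_app_ids.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("operationName") not in SECRET_OPERATIONS:
            continue
        appid = rec.get("identity", {}).get("claim", {}).get("appid", "")
        caller_ip = rec.get("callerIpAddress", "")
        name = secret_name_from_id(rec.get("properties", {}).get("id", ""))
        if rec.get("resultSignature") != "OK":
            findings.append(("denied", appid, caller_ip, name))
        elif appid not in allowed_app_ids:
            findings.append(("unexpected-caller", appid, caller_ip, name))
    return findings


if __name__ == "__main__":
    for kind, appid, caller_ip, name in review(SAMPLE_LOG, {ADOC_APP_ID}):
        print(f"{kind}: app {appid} from {caller_ip} on secret '{name}'")
```

On the sample, the denied SecretGet and the successful read of api-token by the unknown app ID are reported, while ADOC's own read of db-password and the VaultGet management call are not. Feed it the exported log instead of SAMPLE_LOG and add any other legitimate app IDs to the allow list.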
Troubleshooting
- Access Denied Errors: A 403 Forbidden response from the vault means the service principal authenticated but lacks permission. Check that it holds the roles listed above on this vault (or, for a vault using access policies, a Get/List secrets policy). Azure RBAC role assignments can take several minutes to take effect after they are created.
- Invalid Credentials: A 401 or an authentication failure from the token endpoint points at the Tenant ID, Client ID, or Client Secret in the configuration JSON. Double-check them, and confirm the client secret has not expired, since secrets created on an app registration have an expiry date.
- Connectivity Issues: Verify that the Data Plane can resolve the vault's DNS name and reach it over outbound HTTPS (TCP 443). If the vault's networking is restricted to selected networks or a private endpoint, the Data Plane's IP address or virtual network must be on the allow list.