Azure Key Vault

Azure Key Vault manages keys, secrets, and certificates in the Azure portal. This document covers:

Create a key vault and store the platform secret

The following steps describe how to create an Azure Key Vault and how to create and store a platform secret:

  1. Log in to your Microsoft Azure portal account.
  2. Browse to the Azure Key Vault service.
  3. Click Create to open Create a key vault in the Basics tab.
  4. You must complete all mandatory fields. Select an existing Resource Group. It's recommended to choose the same resource group that you'll be launching your agent in. To create a new resource group that contains your CDC resources, read Create resource groups.
  5. Give your new key vault a name in the Key vault name field.
  6. Select a Region.
  7. Use the Pricing tier drop-down menu to select Standard or Premium pricing.
  8. Switch to the Access Policy tab and review your permission model. Vault Access Policy is the default selection. If you want to use Azure role-based access control instead, refer to the Assign an access policy section.
  9. Click Review + create and then Create.
  10. Your deployment will be in progress, and after a brief moment your key vault will be created. Under Next steps, click Go to resource.
  11. The Overview tab will be displayed. Make a note of your Vault URI as you will need this for installing the CDC agent in Azure.
  12. On the same page of your new key vault resource, click Secrets in the sidebar, and click Generate/Import at the top.
  13. Use the drop-down menus and text fields to enter the following secret details:
  • Upload options: Manual.
  • Name: agent-rsa.
  • Secret value: Your secret key. See the note below on multi-line secrets.
  • Azure Key Vault strips newlines from secrets added via the graphical user interface (GUI), which will prevent your secrets from working. Read Store a multi-line secret in Azure Key Vault to work around this issue.
  • The following CLI command preserves newlines:
az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <key-file-name>
  14. Leave the other fields blank, and click Create.
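The following script is an added example and is not code from the original page or from the CDC agent project. It shows the CLI route for a multi-line secret such as the agent RSA key: it checks that the local file is still a multi-line PEM (a key whose newlines were stripped collapses to one line), uploads it with `--file`, then downloads the stored value and compares it byte for byte with the original. It assumes the Azure CLI (`az`) is installed and logged in, and that the key file is UTF-8 text with LF line endings; the vault name and key file name are placeholders, while `agent-rsa` is the secret name used in the steps above.

```shell
#!/bin/sh
# Added example, not code from the original page or the CDC agent project.
# Stores a multi-line secret (an RSA private key in PEM form) in Azure Key
# Vault with the CLI, which keeps newlines intact, then downloads it again
# and checks that it is identical to the local file.
# Assumes "az" is installed and logged in; vault and file names are
# placeholders passed on the command line.
set -eu

# Pre-upload check: a PEM private key spans several lines and is framed by
# BEGIN/END markers. A key that lost its newlines (for example after being
# pasted into the portal GUI) collapses to a single line and fails here.
check_multiline_pem() {                         # $1 key file
    f="$1"
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    n=$(wc -l < "$f" | tr -d ' ')
    [ "$n" -ge 2 ] || { echo "expected a multi-line PEM, found $n newline(s)" >&2; return 1; }
    head -n 1 "$f" | grep -q '^-----BEGIN ' || { echo "missing PEM BEGIN line" >&2; return 1; }
    tail -n 1 "$f" | grep -q '^-----END ' || { echo "missing PEM END line" >&2; return 1; }
}

# Upload from a file: --file hands the content to the vault verbatim.
store_secret() {                                # $1 vault, $2 secret name, $3 key file
    az keyvault secret set --vault-name "$1" --name "$2" --file "$3" --output none
}

# Download the stored value into a fresh temp directory and compare it with
# the local file; a mismatch means the stored secret would not work.
verify_secret() {                               # $1 vault, $2 secret name, $3 key file
    dir=$(mktemp -d)
    az keyvault secret download --vault-name "$1" --name "$2" --file "$dir/secret.pem"
    if cmp -s "$3" "$dir/secret.pem"; then
        rm -rf "$dir"
        echo "secret '$2' in vault '$1' matches $3 (newlines preserved)"
    else
        rm -rf "$dir"
        echo "secret '$2' in vault '$1' differs from $3; re-upload with --file" >&2
        return 1
    fi
}

# Usage: sh store_secret.sh <vault-name> <secret-name> <key-file>
if [ "$#" -eq 3 ]; then
    check_multiline_pem "$3"
    store_secret "$1" "$2" "$3"
    verify_secret "$1" "$2" "$3"
fi
```

The pre-upload check runs without any Azure access, so it can be used on its own to spot a key file that was already flattened before it ever reaches the vault.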

Assign an access policy

Configure your access configuration by selecting from one of the following two permission models:

  • Vault Access Policy: The default permission model that determines whether a security principal, such as a user, application, or user group, can perform different operations on keys, secrets, and certificates.
  • Azure role-based access control: An authorization system that provides fine-grained access management of Azure resources to grant access at a specific scope level by assigning appropriate Azure roles.

Follow these steps to choose one of the permission models:

  1. Switch to the Access policy tab in the Create a key vault process.
  2. If you choose the default Vault access policy, continue to the next step. If you choose Azure role-based access control, continue to step 8.
  3. Click Create.
  4. Use the Configure from a template drop-down menu to select an existing template.
  5. Add the following Secret permissions:
  • Get
  • List
  6. Switch to the Principal tab, and select your chosen principal. Only one principal can be assigned per access policy.
  7. Switch to the Application (optional) tab and select an application. For more information, read Application.
  8. Click Review + Create, then Create.

The permissions in step 5 must be for a secret, not a key or certificate.

Access control (IAM)

Use the following steps to assign roles and grant access to your Azure key vault resource.

  1. Access your existing key vault resource in your Microsoft Azure portal account.
  2. Click on the intended key vault.
  3. Click Access control (IAM) in the sidebar.
  4. Click Add at the top, and a sub-menu will appear.
  5. Select Add role assignment.
  6. Select the Reader permissions.
  7. Click Next.
  8. In the Members tab, select the members you want to assign access to, add an optional description, and add your application.
  9. Click Next, then click Review + assign.
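The following script is an added example, not code from the original page or the CDC agent project, covering both the Assign an access policy and Access control (IAM) sections above from the CLI. It grants a principal access under the Vault Access Policy model (Get and List on secrets only) or under Azure RBAC (Reader at the vault scope), and then reads the access policy back to confirm the principal ended up with secret permissions only and nothing on keys or certificates. It assumes the Azure CLI (`az`) is logged in; the vault name and the principal's object id are placeholders passed on the command line. One caveat for the RBAC path: Reader is a control-plane role, and on a vault that uses the RBAC permission model, reading secret values also requires a data-plane role such as Key Vault Secrets User.

```shell
#!/bin/sh
# Added example, not code from the original page or the CDC agent project.
# Grants a principal read access to secrets under either permission model,
# then verifies the resulting access policy is limited to get/list on secrets.
# Assumes "az" is logged in; vault name and object id are placeholders.
set -eu

# Vault Access Policy model: only Get and List on secrets (no key or
# certificate permissions), matching the steps above.
grant_secret_get_list() {                       # $1 vault, $2 principal object id
    az keyvault set-policy --name "$1" --object-id "$2" \
        --secret-permissions get list --output none
}

# Azure RBAC model: Reader at the vault scope. Reader is control-plane only;
# an RBAC-mode vault also needs a data-plane role (e.g. Key Vault Secrets
# User) before the principal can read secret values.
grant_reader_rbac() {                           # $1 vault, $2 object id, $3 User|Group|ServicePrincipal
    scope=$(az keyvault show --name "$1" --query id --output tsv)
    az role assignment create --assignee-object-id "$2" --assignee-principal-type "$3" \
        --role Reader --scope "$scope" --output none
}

# Read back one permission list (secrets, keys or certificates) of the
# principal's access policy as a JSON array, or null if none is set.
policy_perms() {                                # $1 vault, $2 object id, $3 secrets|keys|certificates
    az keyvault show --name "$1" \
        --query "properties.accessPolicies[?objectId=='$2'].permissions.$3 | [0]" \
        --output json
}

# Offline checks on the JSON that policy_perms returns.
perms_cover_get_list() {                        # $1 JSON array, e.g. ["get", "list"]
    p=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s' "$p" | grep -q '"get"' && printf '%s' "$p" | grep -q '"list"'
}
perms_empty() {                                 # $1 JSON: null or []
    p=$(printf '%s' "$1" | tr -d ' \n\t')
    [ "$p" = "null" ] || [ "$p" = "[]" ]
}

# Least-privilege check after assignment: get/list on secrets, nothing else.
verify_secret_only() {                          # $1 vault, $2 object id
    perms_cover_get_list "$(policy_perms "$1" "$2" secrets)" \
        || { echo "secrets: get/list missing" >&2; return 1; }
    perms_empty "$(policy_perms "$1" "$2" keys)" \
        || { echo "keys: unexpected permissions granted" >&2; return 1; }
    perms_empty "$(policy_perms "$1" "$2" certificates)" \
        || { echo "certificates: unexpected permissions granted" >&2; return 1; }
    echo "principal $2 has get/list on secrets only in vault $1"
}

# Usage: sh grant_access.sh <vault-name> <principal-object-id>
if [ "$#" -eq 2 ]; then
    grant_secret_get_list "$1" "$2"
    verify_secret_only "$1" "$2"
fi
```

The verification step is worth keeping even when the policy was created in the portal, since the Configure from a template menu can add key and certificate permissions that the agent does not need.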

What's Next