Azure Key Vault
Overview
Azure Key Vault manages keys, secrets, and certificates in the Azure portal. This document covers:
Create a key vault and store the platform secret
The following steps describe how to create an Azure Key Vault and how to create and store a platform secret:
1. Log in to your Microsoft Azure portal account.
2. Browse to the Azure Key Vault service.
3. Click Create to open Create a key vault in the Basics tab.
4. Complete all mandatory fields. Select an existing Resource Group; it's recommended to choose the same resource group that you'll be launching your agent in. To create a new resource group that contains your CDC resources, read Create resource groups.
5. Give your new key vault a name in the Key vault name field.
6. Select a Region.
7. Use the Pricing tier drop-down menu to select Standard or Premium pricing.
8. Switch to the Access Policy tab and review your permission model. Vault Access Policy is the default selection. If you want to select Azure role-based access control instead, refer to the Assign an access policy section.
9. Click Review + create and then Create.
10. Your deployment will be in progress, and after a brief moment your key vault will be created. Under Next steps, click Go to resource.
11. The Overview tab will be displayed. Make a note of your Vault URI, as you will need it when installing the CDC agent in Azure.
12. On the page of your new key vault resource, click Secrets in the sidebar, and then click Generate/Import at the top.
13. Use the drop-down menus and text fields to enter the following secret details:
    - Upload options: Manual.
    - Name: agent-rsa.
    - Secret value: Your secret key. See the note below on multi-line secrets.
    Note
    - Azure Key Vault strips newlines from secrets added via the graphical user interface (GUI), which will prevent your secrets from working. Read Store a multi-line secret in Azure Key Vault to work around this issue.
    - The CLI command below preserves newlines:
      az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <key-file-name>
14. Leave the other fields blank, and click Create.
Assign an access policy
Configure access by selecting one of the following two permission models:
- Vault Access Policy: The default permission model, which determines whether a security principal, such as a user, application, or user group, can perform different operations on keys, secrets, and certificates.
- Azure role-based access control: An authorization system that provides fine-grained access management of Azure resources, granting access at a specific scope level by assigning appropriate Azure roles.
Follow these steps to choose one of the permission models:
1. Switch to the Access policy tab in the Create a key vault process.
2. If you choose the default Vault access policy, continue to the next step. If you choose Azure role-based access control, continue to step 8.
3. Click Create.
4. Use the Configure from a template drop-down menu to select an existing template.
5. Add the following Secret permissions:
   - Get
   - List
6. Switch to the Principal tab, and select your chosen principal. Only one principal can be assigned per access policy.
7. Switch to the Application (optional) tab and select an application. For more information, read Application.
8. Click Review + Create, then Create.
Note
The permissions in step 5 must be for a secret, not a key or certificate.
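The same procedure as an Azure CLI script, added here as an example that is not part of this documentation or the CDC tooling: it creates the vault with the Vault Access Policy model, grants one principal only Get and List on secrets, stores agent-rsa from a file so that newlines survive, and reads the secret back to check that no lines were lost. The resource group, vault name, region, key file path, and principal object ID are placeholders to override through environment variables.

```shell
#!/usr/bin/env bash
# Added example, not the product's own tooling. Every resource name below is a
# placeholder; override it through the environment before running with --apply.
set -eu

RG="${RG:-cdc-rg}"                        # placeholder resource group
VAULT="${VAULT:-cdc-kv-example}"          # placeholder vault name
LOCATION="${LOCATION:-eastus}"            # placeholder region
SECRET_NAME="agent-rsa"                   # secret name used in this document
KEY_FILE="${KEY_FILE:-./agent-rsa.pem}"   # placeholder multi-line key file
AGENT_OBJECT_ID="${AGENT_OBJECT_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder principal

# Azure vault names: 3-24 letters, digits or hyphens, starting with a letter,
# ending with a letter or digit, no consecutive hyphens.
valid_vault_name() {
  case "$1" in *--*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$'
}

# Non-empty line count of a string; detects lost newlines regardless of
# whether the stored value kept the file's trailing newline.
nonempty_lines() {
  printf '%s\n' "$1" | grep -c . || true
}

provision() {
  valid_vault_name "$VAULT" || { echo "invalid vault name: $VAULT" >&2; return 1; }
  # Standard tier with the Vault Access Policy model, the document's default.
  az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --sku standard --enable-rbac-authorization false --output none

  # Least privilege for the agent: Get and List on secrets only, nothing on keys or certificates.
  az keyvault set-policy --name "$VAULT" --object-id "$AGENT_OBJECT_ID" \
    --secret-permissions get list --output none

  # Store the key from a file: the CLI keeps newlines where the portal GUI strips them.
  az keyvault secret set --vault-name "$VAULT" --name "$SECRET_NAME" \
    --file "$KEY_FILE" --output none

  # Read the secret back and confirm no lines were lost.
  stored="$(az keyvault secret show --vault-name "$VAULT" --name "$SECRET_NAME" \
    --query value -o tsv)"
  if [ "$(nonempty_lines "$stored")" != "$(nonempty_lines "$(cat "$KEY_FILE")")" ]; then
    echo "stored secret lost newlines; re-upload with --file" >&2; return 1
  fi
  echo "Vault URI: $(az keyvault show --name "$VAULT" --query properties.vaultUri -o tsv)"
}

# Nothing touches Azure unless explicitly asked: ./keyvault-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then provision; fi
```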
Access control IAM
Use the following steps to assign roles and grant access to your Azure key vault resource:
1. Access your existing key vault resource in your Microsoft Azure portal account.
2. Click on the intended key vault.
3. Click Access control (IAM) in the sidebar.
4. Click Add at the top; a sub-menu will appear.
5. Select Add role assignment.
6. Select the Reader role.
7. Click Next.
8. In the Members tab, select the members you want to assign access to, add an optional description, and add your application.
9. Click Next, then click Review + assign.