
Azure Key Vault is a managed Azure service for storing and controlling access to sensitive information such as API keys, passwords, cryptographic keys, and certificates.
You can use it to keep secrets out of application code and configuration and to distribute them securely to the applications that need them.
Key Vault supports several object types: secrets, keys, and certificates.
Azure Key Vault
Azure Key Vault is the Azure service for managing secrets: a secure place to store sensitive information such as keys, passwords, and certificates.
Azure Key Vault is backed by FIPS 140-2 Level 2 certified HSMs, which protect the key material held in the vault so that it cannot be read out by callers.
To use Azure Key Vault with Delft-FEWS components, create a user-assigned managed identity for the Virtual Machine or Container that runs the component, and grant that identity permission to read the secret from the Key Vault where it is stored.
Here are the required permissions for the managed identity:
The Key Vault name and the Secret name must also be passed to the Delft-FEWS components as ENV variables.
Create and Configure
To create and configure Azure Key Vault for this integration, first provision a Key Vault in Azure and generate secp256k1 keys suitable for signing Ethereum transactions.
Create a Key Vault in Azure by providing the Subscription, Resource Group, Key Vault Name, and Region. Note down the Key Vault Name; it is needed later.
Configure the level of authorization for keys in the Key Vault by clicking Add Access Policy and selecting Key management. Leave only the operations the integration actually needs checked, such as Get, List, and Set; every extra permission granted here widens what a compromised client could do with the keys.
Click Review & Create to complete the creation. For further details on creating a Key Vault, refer to the Azure documentation.
Here's a list of the mandatory parameters for creating a CloudHSM configuration for Azure Key Vault:
To create a CloudHSM service, specify the type and the access details for Azure Key Vault as a configuration under the environment. One or more cloud HSM service instances created in the same membership can then reference this configuration.
Azure Key Vault
To use Azure Key Vault this way, register an app with the Microsoft identity platform so that requests can be authenticated and authorized. Registration asks for a user-facing display name and the supported account types.
Register a new app specifically for the Key Vault integration rather than reusing the credentials of an existing app registration; a dedicated registration keeps the vault's permissions separate from other workloads. Note down the client ID, tenant ID, and subscription ID of the registered app.
A Virtual Machine or Container running in Azure needs a user-assigned managed identity to reach Azure Key Vault, and that identity must be granted permission on the Key Vault where the secret is stored.
The Key Vault name and the Secret name are passed to the Delft-FEWS components as ENV variables.
Certificate Policy
A certificate policy controls how Azure Key Vault creates, renews, and otherwise handles a certificate.
The Get Certificate Policy operation returns the policy of a certificate in full.
The Update Certificate Policy operation modifies the existing policy of a certificate.
Here are the key certificate policy operations at a glance:
Certificate Contacts
Certificate contacts are the email contacts that Azure Key Vault notifies about certificate lifecycle events such as upcoming expiry, so keeping them current matters for the security and compliance of your certificates. You can list, set, and delete the certificate contacts of a specified key vault.
The available operations are straightforward: Get Certificate Contacts, Set Certificate Contacts, and Delete Certificate Contacts.
Here's a breakdown of the available operations:
These operations can be performed on a specified key vault, allowing you to manage the certificate contacts as needed.
Certificate Issuer
Certificate issuer operations manage the certificate authorities from which Azure Key Vault requests certificates. You can list the certificate issuers of a specified key vault.
To list the certificate issuers for a key vault, you can use the Get Certificate Issuers operation. This will return all the certificate issuers associated with the key vault.
You can also get a specific certificate issuer using the Get Certificate Issuer operation. This is useful when you need to view details about a particular issuer.
If you need to update or delete a certificate issuer, you can use the Update Certificate Issuer and Delete Certificate Issuer operations respectively.
Here is a summary of the available Certificate Issuer operations:
Database Proxy
Since 2024.01, the Database Proxy can retrieve the OpenID Connect client secret from Azure Key Vault instead of holding it in local configuration.
To use this, set the ENV variable FEWS_AZURE_KEY_VAULT_NAME to the name of the vault.
If the secret is stored in the vault under the name Oauth2ClientSecret, use the ENV variable FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME to point the Database Proxy at that secret in Azure Key Vault.
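The managed-identity and ENV-variable setup described for the Delft-FEWS components, together with the FEWS_AZURE_KEY_VAULT_NAME and FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME variables used by the Database Proxy, can be turned into concrete requests. The following Python is an added example written for this page; it is not Delft-FEWS or Microsoft code. It assumes that the second variable holds the name of the secret inside the vault (the page does not say so explicitly); the vault name fews-demo-kv, the client ID, and the response body are constructed values, and the helper names are mine. The IMDS endpoint, the Metadata header, the client_id query parameter, and api-version 7.4 are the documented Azure values.

```python
"""Added example: build the Key Vault request a FEWS-style component would make
from its ENV variables, and check the Get Secret response attributes before use.
Vault name, secret name, client ID and response body are constructed values."""
import re
import time
from urllib.parse import urlencode

# Key Vault naming rules: vault names are 3-24 alphanumerics/hyphens, start with
# a letter, end with a letter or digit, no consecutive hyphens; secret names are
# 1-127 alphanumerics/hyphens. Rejecting anything else stops an env value such
# as "evil.example.com/#" from steering the request to a different host.
VAULT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
SECRET_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")

KEY_VAULT_API_VERSION = "7.4"
IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"


def secret_identifier(env):
    """https://<vault>.vault.azure.net/secrets/<name> built from the two ENV variables.
    Assumption: FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME holds the secret's name."""
    vault = env.get("FEWS_AZURE_KEY_VAULT_NAME", "")
    name = env.get("FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME", "")
    if not VAULT_NAME.match(vault) or "--" in vault:
        raise ValueError("FEWS_AZURE_KEY_VAULT_NAME is not a valid Key Vault name")
    if not SECRET_NAME.match(name):
        raise ValueError("secret name must be 1-127 alphanumerics or hyphens")
    return f"https://{vault}.vault.azure.net/secrets/{name}"


def get_secret_request(env):
    """URL of the Get Secret REST call; no version segment means the current version."""
    return f"{secret_identifier(env)}?api-version={KEY_VAULT_API_VERSION}"


def imds_token_request(client_id=None):
    """Token request a VM or container sends to the instance metadata service.
    client_id selects a user-assigned managed identity; without it IMDS uses the
    system-assigned identity. Returns (url, headers)."""
    query = {"api-version": "2018-02-01", "resource": "https://vault.azure.net"}
    if client_id:
        query["client_id"] = client_id
    return f"{IMDS_ENDPOINT}?{urlencode(query)}", {"Metadata": "true"}


def usable_secret_value(response, now=None):
    """Return the secret value only if Key Vault's attributes allow its use right now.
    A secret that is disabled, not yet valid (nbf) or expired (exp) is refused."""
    attrs = response.get("attributes", {})
    now = int(time.time()) if now is None else now
    if not attrs.get("enabled", False):
        raise PermissionError("secret is disabled in Key Vault")
    if "nbf" in attrs and now < attrs["nbf"]:
        raise PermissionError("secret is not yet valid (nbf)")
    if "exp" in attrs and now >= attrs["exp"]:
        raise PermissionError("secret has expired (exp)")
    return response["value"]


# Constructed sample of a Get Secret response body (field names from the REST reference)
SAMPLE_RESPONSE = {
    "value": "constructed-client-secret-value",
    "id": "https://fews-demo-kv.vault.azure.net/secrets/Oauth2ClientSecret/0123456789abcdef",
    "attributes": {"enabled": True, "created": 1700000000, "updated": 1700000000,
                   "nbf": 1700000000, "exp": 1800000000},
}

if __name__ == "__main__":
    env = {"FEWS_AZURE_KEY_VAULT_NAME": "fews-demo-kv",
           "FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME": "Oauth2ClientSecret"}
    print(get_secret_request(env))
    print(imds_token_request(client_id="00000000-0000-0000-0000-000000000000"))
    print(usable_secret_value(SAMPLE_RESPONSE, now=1750000000))
```

The two checks worth carrying into a real component are the ones the SDKs do not do for you: validating the vault name before it becomes a hostname, and honouring the enabled/nbf/exp attributes so a secret that an operator has disabled or rotated out is not silently kept in use.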
Private Link
Private Link is a feature of Azure Key Vault that allows you to create private endpoints for your key vault. This enables secure communication between your key vault and your applications.
The List By MHSM Resource operation gets the private link resources supported for the managed HSM pool. You can also list the private endpoint connections associated with the managed HSM Pool using the List By Resource operation.
You can update a private endpoint connection associated with the managed HSM Pool using the Put operation. This operation updates the specified private endpoint connection.
Here's a summary of the Private Link operations:
Deleting a private endpoint connection associated with the managed HSM Pool is also possible using the Delete operation. This operation deletes the specified private endpoint connection.
Private link resources can also be supported for a key vault using the List By Vault operation. This operation gets the private link resources supported for the key vault.
The Get operation returns the specified private endpoint connection associated with the key vault.
Secret Management
For external clients to authenticate with the Microsoft identity platform and reach the Key Vault, create a client secret for the registered Key Vault app: open the app registration and add a secret under the Certificates & Secrets menu.
You can also load and reference secrets from Azure Key Vault in your application.properties file using a hierarchical approach, similar to Google Cloud Secret Manager. The syntax supports loading secrets from multiple key vaults, with the default key vault configured with quarkus.azure.keyvault.secret.endpoint.
To interact with Azure Key Vault secrets from a Quarkus application, inject a com.azure.security.keyvault.secrets.SecretClient object; through it the application can read the secret you created in the Azure portal.
Here is a list of operations you can perform on keys in Azure Key Vault:
You can also perform secret operations in Azure Key Vault, such as getting a specified secret, listing secrets in a specified key vault, and updating the attributes associated with a specified secret.
Secret
A client secret can be generated for the registered app; note down its value immediately, because it cannot be retrieved later.
To load secrets from Azure Key Vault, use the hierarchical syntax in your application.properties file, similar to Google Cloud Secret Manager; it supports loading secrets from multiple key vaults.
Injecting the Azure Key Vault Secret Client into your application lets it interact with Key Vault secrets and read the key vault and the secret created in the Azure portal.
Here are the Secret operations in Key Vault:
- Get Secret
- Get Secrets
- Get Secret Versions
- Set Secret
- Update Secret
- Delete Secret
- Get Deleted Secret
- Get Deleted Secrets
- Purge Deleted Secret
- Recover Deleted Secret
- Backup Secret
- Restore Secret
Azure Key Vault secrets can also be used in the global properties of a Forecasting Shell Server or the Web Services. For example, a password that is required during an import can be configured as follows.
Certificate
Certificates are the third object type Key Vault manages. A new certificate is created with the Create Certificate operation.
There are various ways to manage certificates, including getting information about a certificate, listing certificates in a key vault, and updating certificate operations. The Get Certificate operation retrieves information about a certificate, while the Get Certificates operation lists certificates in a specified key vault.
Certificate policies can be managed using the Get Certificate Policy and Update Certificate Policy operations. This allows you to list and update the policy for a certificate.
Certificate contacts can be managed using the Get Certificate Contacts, Set Certificate Contacts, and Delete Certificate Contacts operations. This allows you to list, set, and delete the certificate contacts for a specified key vault.
Here is a summary of certificate operations:
Transaction Signing
Transaction signing is where the security of your Ethereum transactions is decided: the signing key stays in a cloud key management system such as Azure Key Vault, and only the signature leaves it.
To initiate signing, use any of the Kaleido CloudHSM service's interfaces (RPC, WSS, or the API Gateway). The URLs for these interfaces are obtained by sending a GET request to the service's /status route, which returns the endpoints needed to send transactions.
The Kaleido CloudHSM service uses the transaction's from address to determine whether the configured backend cloud HSM holds the key for that address, and then asks Key Vault to sign. If the request succeeds, Key Vault returns the signature.
The Ethereum signature parameters R, S, and V are extracted from the returned signature. The S value is also checked against Ethereum's low-S malleability protection rule.
The extracted signature parameters are then included in the transaction before sending it to the Ethereum blockchain node in the Kaleido environment that the service is bound to.
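As an added example (not Kaleido's or Microsoft's code), the following Python shows the post-processing described above: splitting the raw r||s blob that Key Vault returns for a secp256k1 key, determining the recovery id by public-key recovery, normalising S to the low-S form Ethereum requires, and computing V for legacy and EIP-155 transactions. The curve arithmetic is a compact pure-Python implementation so the block runs offline; the private scalar, the nonce, and the message hash are constructed demo values (sha256 stands in for keccak256 of the encoded transaction), and the function names are mine. A real integration never sees the private scalar at all, which is the point of signing inside the HSM; the local ecdsa_sign only plays the HSM's role for the demo.

```python
"""Added example: turn the raw r||s signature Azure Key Vault returns for a
secp256k1 (ES256K) key into Ethereum's (r, s, v) form with the low-S check.
Pure-Python curve arithmetic; demo key, nonce and hash are constructed values."""
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                 # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # doubling (curve a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign(d, e, k):
    """Textbook ECDSA with a caller-supplied nonce; stands in for the HSM's signing."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    return r, s


def recover_pubkey(e, r, s, recid):
    """Recover Q from (r, s) and recovery id 0/1 (SEC 1, 4.1.6); the rare r + N case is ignored."""
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)                      # P % 4 == 3, so this is a square root
    if y * y % P != y_sq:
        return None                                     # r is not an x coordinate on the curve
    if (y & 1) != recid:
        y = P - y
    big_r = (r, y)
    e_g = ec_mul(e, G)
    minus_e_g = (e_g[0], (-e_g[1]) % P)
    # Q = r^-1 * (s*R - e*G)
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, big_r), minus_e_g))


def parse_kv_signature(sig):
    """Key Vault returns r || s as 64 raw bytes (IEEE P1363 form), not DER."""
    if len(sig) != 64:
        raise ValueError("expected 64-byte r||s signature")
    return int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")


def to_low_s(r, s, recid):
    """Ethereum rejects s > N/2 (EIP-2); use N - s instead and flip the recovery id."""
    if s > N // 2:
        return r, N - s, recid ^ 1
    return r, s, recid


def find_recid(e, r, s, pubkey):
    """Pick the recovery id under which (r, s) recovers the signer's public key."""
    for recid in (0, 1):
        if recover_pubkey(e, r, s, recid) == pubkey:
            return recid
    raise ValueError("signature does not verify against the expected key")


def ethereum_v(recid, chain_id=None):
    """Legacy v = 27 + recid; with EIP-155 replay protection v = chain_id*2 + 35 + recid."""
    return 27 + recid if chain_id is None else chain_id * 2 + 35 + recid


def ethereum_signature(sig, e, pubkey, chain_id=None):
    """Full pipeline: parse r||s, fix the recovery id, enforce low-s, compute v."""
    r, s = parse_kv_signature(sig)
    recid = find_recid(e, r, s, pubkey)
    r, s, recid = to_low_s(r, s, recid)
    return r, s, ethereum_v(recid, chain_id)


def demo():
    """Constructed scenario: a demo key signs a stand-in transaction hash on chain id 1."""
    d = int.from_bytes(hashlib.sha256(b"constructed demo private scalar").digest(), "big") % N
    k = int.from_bytes(hashlib.sha256(b"constructed demo nonce").digest(), "big") % N
    e = int.from_bytes(hashlib.sha256(b"constructed demo transaction").digest(), "big")
    pubkey = ec_mul(d, G)
    r, s = ecdsa_sign(d, e, k)
    kv_blob = r.to_bytes(32, "big") + s.to_bytes(32, "big")   # what Key Vault would return
    r, s, v = ethereum_signature(kv_blob, e, pubkey, chain_id=1)
    return {"r": r, "s": s, "v": v, "e": e, "pubkey": pubkey}


if __name__ == "__main__":
    out = demo()
    print(f"r={out['r']:064x}\ns={out['s']:064x}\nv={out['v']}")
```

Two details matter in practice: the HSM is free to return a high-S signature, so the low-S normalisation must flip the recovery id as well as S, otherwise recovery yields the wrong address; and the recovery id is found by recovering against the public key fetched from Key Vault, which also catches a response signed by a different key than the from address expects.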
Frequently Asked Questions
What is the difference between keys and secrets in Azure Key Vault?
In Azure Key Vault, the private material of a key never leaves the vault; callers can only ask the vault to perform cryptographic operations with it. A secret, by contrast, is a value that authorized callers can retrieve. This key/secret distinction is a fundamental aspect of Azure Key Vault's security architecture.
What are the tiers of Azure Key Vault?
Azure Key Vault offers two service tiers, Standard and Premium. The main difference is that Premium adds Hardware Security Module (HSM) protection for keys as an extra layer of security.
Sources
- https://docs.kaleido.io/kaleido-services/cloudhsm/azure-keyvault/
- https://docs.quarkiverse.io/quarkus-azure-services/dev/quarkus-azure-key-vault.html
- https://learn.microsoft.com/en-us/rest/api/keyvault/
- https://publicwiki.deltares.nl/display/FEWSDOC/Azure+Key+Vault+Integration
- https://docs.sekoia.io/integration/categories/iam/azure_key_vault/