Secure and Manage Secret Application Configuration Settings for Azure Applications - Netwoven

Secure and Manage Secret Application Configuration Settings for Azure Applications

By Jubaraj Pandit  •  December 31, 2019  •  2129 Views

Secure and Manage Secret Application Configuration Settings for Azure Applications

Scenario: Need to secure application configuration credentials (like database connection/payment gateway credentials) for different environment like developer & production. Also need to manage database connection string for different type environment from outside the application for multiple application.

So, if we store the connection string in application settings, we need to change the connection string every time at the time of deployment for different environments.
But using Azure Key Vault we can handle the situation easily from a central location without touching the application.

Azure Key Vault is a cloud-hosted HSM (Hardware Security Modules)-backed service for managing cryptographic keys and other secrets.

Both Keys and secret are referred to as object and Key Vault. The object is uniquely identified within Azure Key Vault using a URL such that two objects don’t have the same URL.

Structure/Formatting of Key Vault URL

The URL includes object-type, object-name and version in that format.

https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

Key Vault names are selected by user and are globally unique.

Object type indicates whether it is keys or secrets.

Object name is user-specified and provided at the time of object creation. It must be unique within the Key Vault.

The object version is optional. When it is specified it identifies the specific version of the object. when not specified it will identify the latest version of the object. It is a system generated 32-character string.

Keys

The initial release of Azure Key Vault supports only RSA Keys (asymmetric cryptography)

Secrets

From a developer’s perspective, Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each.

Create Azure Key Vault

Click on Add button to Create New Key Vault
Secure and Manage secret application configuration settings for Azure applications
Secure and Manage secret application configuration settings for Azure applications
Secure and Manage secret application configuration settings for Azure applications

Create Secrets in Azure Key Vault

Click on Secrets link to create secret within your Created Key Vault
Secure and Manage secret application configuration settings for Azure applications
Click on Generate/Import
Secure and Manage secret application configuration settings for Azure applications
After putting the Secret Name & its Value [Example: my azure database connection string], click on Create link.
Secure and Manage secret application configuration settings for Azure applications
After successfully created, click on secret name to get the secret url.
Secure and Manage secret application configuration settings for Azure applications
Now copy the secret Url from the Secret Identifier field.
Secure and Manage secret application configuration settings for Azure applications
For an application like Azure Function to retrieve the secrets from vault it needs to authenticate with the vault using a token from Azure Active Directory Application.
Create an Azure Active Directive Application & get ApplicationID & Application SecretID.

Map Azure Active Directory Application with Azure Key Vault

Now go to Azure Key Vault that we have created before. Then go to Access Policy.
Secure and Manage secret application configuration settings for Azure applications
Secure and Manage secret application configuration settings for Azure applications
Click on Add Access Policy
Secure and Manage secret application configuration settings for Azure applications
Then click on Add Button
Secure and Manage secret application configuration settings for Azure applications
Once the access policy has been created, we can use the key vault from the client application.

Retrieve Secrets from Azure Key Vault to Client Application Like Azure Function

Now we will create a http trigger function from Visual Studio.
Install NuGet Package for Microsoft.Azure.KeyVault from NuGet Package Manager.
Secure and Manage secret application configuration settings for Azure applications
Install NuGet package for Microsoft.IdentityModel.Clients.ActiveDIrectory from NuGet Package Manager
Secure and Manage secret application configuration settings for Azure applications
Now modify the Code as below
Secure and Manage secret application configuration settings for Azure applications
In this application, applicationId & applicationSecret are my Azure Active Directory Application’s ApplicationID & SecretKey values.
SecretIdentifier is my created Key Vault’s SecretIdetifier Url.
{secret.Value} will return my database connection string on output from Azure Function.

Leave a comment

Your email address will not be published. Required fields are marked *

Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Fast Track
Microsoft Partner
MISA
MISA
Unravel The Complex
Stay Connected

Subscribe and receive the latest insights

Netwoven Inc. - Microsoft Solutions Partner

Get involved by tagging Netwoven experiences using our official hashtag #UnravelTheComplex