Creating an Azure Key Vault & Key Vault Secrets

Part 1 of a 3 part series…

Cherie
5 min read · Jan 30, 2023

I need to apologize for being tardy; I promised a follow-up article at the end of last year about programmatically connecting to Azure resources. If you know me, you know I’m definitely a type A person who is very thorough and detail oriented. Although I finished most of the article back in November, it was a 14 minute read and far too long to hold anyone's attention (especially for the developers or executive types) because I went into a nitty-gritty level of detail… mostly because I know the learning curve with this stuff is steep and extra frustrating when you have to piece poor documentation together. Anyways, I digress…

After getting feedback, I took some time to break the behemoth post down into three more consumable parts based on context. The three part series will include:

  1. This one — Creating an Azure Key Vault & Key Vault Secrets
  2. How to create a Service Principal or Managed Identity and Grant Appropriate Access
  3. Using Python to Programmatically Authenticate to Azure and Use Resources

Of course the original article can still be read in its entirety here, because I couldn’t just let it go… Alright, in proper fashion, I will start with what cloud resources are and why we are going to do this.

The what…

In short, cloud resources are tools or technology that are offered by someone other than your organization’s IT team. For example, they provide the means to host infrastructure, build data workflows, fancy dashboards, etc., etc. For the most part Amazon (AWS), Microsoft (Azure), or Google (GCP) dominate the market. I’m going to create an Azure Key Vault and some key vault secrets in this series to showcase how it works.

The why…

I chose to work with the Azure Key Vault because it’s a simple place to store valuable information like passwords, tokens, certificates, keys, connection strings, and configuration files. It’s also a centralized location to access sensitive values, manage access to those values, and audit user activity against them. Ideally, each agile team and environment will have its own vault. If you aren’t in the cloud, you are hopefully sharing passwords through a secret server or encrypted email.

Alrighty, time to get the show on the road.

To create an Azure Key Vault and Key Vault objects you will need:

Step 1: Create an Azure key vault & key vault secrets

On the home page of the portal, select + Create a resource.

Type in Key Vault and hit Enter or choose it from the list of common resources below.

On the Create a key vault blade, choose the appropriate subscription and resource group for your key vault and give it a name. I am going to choose ‘im-eda-dev-platforms-kv’ for mine. Follow a proper naming convention if you are using CICD, that way you can easily reference these objects in your pipelines. After, make sure to choose the region closest to you or your customers, use the rest of the default options (we will make changes later), and hit Review + create.

Once the key vault has been deployed, navigate to the resource. Copy the Vault URI down from the overview page and put it in a notepad. After, under the Objects blade select Secrets. Note: You only need to copy the Vault URI if you plan to access the key vault via code. We will be referencing this value later, as an environment variable, in Part 3 of this series.

On the Secrets blade select + Generate/Import. Your secrets will show up here after they have been created.

Add a secret value by giving it a name to reference, then enter the actual value you want to call, set an expiration date, and hit Create. In real-world scenarios, this is a good place to add configurations or connection parameters. Another tip from experience is not to add environment prefixes or suffixes to secret names (e.g. ‘medium-token-dev’), as this will create extra work for you in the CICD process.

A best practice is adding expiration dates for your key vault objects because you can create workflows that notify you that a password or key vault object is expiring, as they often do.

You can view your secret details by selecting the newly created secret back on the key vault secrets blade. I chose ‘This is a test!’ for the secret value and ‘medium-token’ for the name, which we will be referencing later.
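As an added example (not part of the original post), here is a small Python check that applies the two practices above to a list of secret metadata: it flags secrets with no expiration date or expiring soon, and names that carry an environment prefix or suffix. The SecretMeta class and the sample inventory are constructed stand-ins; with the real SDK you would feed the same function the objects returned by SecretClient.list_properties_of_secrets().

```python
"""Audit Key Vault secret metadata for the practices the post recommends:
every secret carries an expiration date, and names do not embed an
environment marker such as '-dev'. Added example, not the post's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Environment tokens the post advises keeping out of secret names.
ENV_MARKERS = ("dev", "test", "qa", "uat", "prod")


@dataclass
class SecretMeta:
    """Constructed stand-in for the SDK's SecretProperties (.name, .expires_on)."""
    name: str
    expires_on: Optional[datetime]


def has_env_marker(name: str) -> bool:
    """True if the name starts or ends with an environment token, e.g. 'medium-token-dev'."""
    parts = name.lower().split("-")
    return parts[0] in ENV_MARKERS or parts[-1] in ENV_MARKERS


def audit_secrets(secrets, now, warn_within_days=30):
    """Return finding-type -> list of secret names.
    'no_expiry': no expiration set; 'expiring': expires within the warning
    window (or already expired); 'env_in_name': name carries an env marker."""
    findings = {"no_expiry": [], "expiring": [], "env_in_name": []}
    horizon = now + timedelta(days=warn_within_days)
    for s in secrets:
        if s.expires_on is None:
            findings["no_expiry"].append(s.name)
        elif s.expires_on <= horizon:
            findings["expiring"].append(s.name)
        if has_env_marker(s.name):
            findings["env_in_name"].append(s.name)
    return findings


# Constructed sample inventory (not real vault contents); 'medium-token' mirrors the post.
NOW = datetime(2023, 1, 30, tzinfo=timezone.utc)
SAMPLE = [
    SecretMeta("medium-token", NOW + timedelta(days=365)),
    SecretMeta("medium-token-dev", NOW + timedelta(days=10)),
    SecretMeta("sql-connection-string", None),
]

if __name__ == "__main__":
    for kind, names in audit_secrets(SAMPLE, NOW).items():
        print(f"{kind}: {names}")
```

Wire the 'expiring' bucket to a notification (email, Teams, a pipeline warning) and you have the expiry workflow the post describes.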

Salute! After this, you should be able to successfully create and store values in an Azure Key Vault.

Follow me on here if you like what I’m writing or ping me on LinkedIn, feedback is always welcome.

NEXT UP…

If you are using the Interactive Browser Credential (browser pop-up and login) to authenticate programmatically to Azure or want to know what that is, you can skip to Part 3 of this series. Otherwise, buckle up because I will demonstrate how to create and grant permissions to several identities in Part 2.
