Azure Key Vault backend integration for Hashicorp Vault
HashiCorp Vault is a wonderful solution for storing and controlling access to tokens and credentials, RBAC, and all things authentication-, authorization-, and secrets-related in an organization. We, at Anjuna, love Vault for its usability and the wide range of functions it offers.
Vault is flexible in terms of the actual storage of secrets and keys. It offers built-in storage options (in-memory and on-disk) but also integrates with multiple third-party solutions such as cryptographic modules with a PKCS#11 API (such as HSMs), databases such as MySQL and PostgreSQL, ZooKeeper, and cloud storage such as AWS S3 buckets or Azure Storage Containers.
Cloud providers such as Microsoft Azure and Amazon AWS have also been offering secrets management solutions that enable users to store their secrets and keys. In particular, Microsoft developed Azure Key Vault, which is accessible through a REST API and controls access to secrets through Active Directory roles and permissions.
At Anjuna, we have recently been looking into providing the option of storing secrets in Azure Key Vault (AKV) while using HashiCorp Vault as an operational frontend. The advantage is that the user can apply additional policies to secret access using Vault's policy engine and mix and match key storage options. It is also useful for hybrid cloud deployments, where an organization may want to manage everything on-prem using Vault while storing its most precious secrets in Azure Key Vault, taking advantage of the reliability, backup, and disaster recovery that come along with Microsoft's cloud. Unfortunately, the only integration we could find between HashiCorp Vault and Azure Key Vault was for unsealing Vault, not for using Azure Key Vault as a storage backend. Luckily, HashiCorp Vault has a flexible plugin architecture. We developed the vault-akv-plugin and open-sourced it on GitHub.
How to use Anjuna's Vault AKV plugin with HashiCorp Vault
This part assumes you have HashiCorp Vault installed and running, and that the `vault` command is in your `PATH`.
Make sure you have the Azure CLI installed. On Ubuntu Linux, this can be done by installing the `azure-cli` package from Microsoft's repository:
```shell
# apt install azure-cli
```
or directly from Microsoft's website, by running
```shell
$ curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```
On macOS, you can use Homebrew (the formula is `azure-cli`):
```shell
$ brew install azure-cli
```
Once installed, you need to run
```shell
$ az login
```
to log into Azure and enable further access to Azure Key Vault by the plugin.
To start using the AKV storage backend plugin with Vault, first clone the source code from Anjuna's GitHub repository:
```shell
$ git clone https://github.com/anjuna-security/vault-akv-plugin.git
```
Then, go to the source directory and build the plugin:
```shell
$ cd vault-akv-plugin
$ make
```
Next, let's run a Vault server in dev mode to test the plugin:
```shell
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ make enable
```
To write a secret to your Azure Key Vault, execute
```shell
$ vault write azure-key-vault/<keyvault-name> hello="world"
```
where `<keyvault-name>` is the name of the Key Vault you've set up in the Azure account you're logged in to.
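The same write, driven through Vault's HTTP API instead of the CLI, followed by a read-back that confirms the secret landed. This is an added example, not code from the vault-akv-plugin project: it assumes the plugin is mounted at `azure-key-vault/` (as `make enable` does), that `VAULT_TOKEN` holds a valid token for the dev server, and that a read on the same path returns the written pairs under `data` (an assumption to verify against the plugin build you are running).

```python
import json
import os
import urllib.request

# Mount path the plugin is enabled on by `make enable`.
MOUNT = "azure-key-vault"


def vault_call(method, path, payload=None, addr=None, token=None,
               opener=urllib.request.urlopen):
    """One request to Vault's HTTP API.  `vault write <path> k=v` maps to
    POST /v1/<path> with a JSON body; `vault read <path>` maps to GET.
    `opener` is injectable so the round trip can be exercised offline."""
    addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = token or os.environ.get("VAULT_TOKEN")
    if not token:
        raise RuntimeError("VAULT_TOKEN is not set; log in to Vault first")
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}", data=body, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with opener(req) as resp:
        raw = resp.read()          # `vault write` answers 204 with no body
    return json.loads(raw) if raw else {}


def write_secret(keyvault, data, **kw):
    """Equivalent of `vault write azure-key-vault/<keyvault-name> k=v ...`."""
    return vault_call("POST", f"{MOUNT}/{keyvault}", payload=data, **kw)


def read_secret(keyvault, **kw):
    """Equivalent of `vault read azure-key-vault/<keyvault-name>`.  The
    key/value pairs are assumed (not verified here) to come back under
    "data"; an unknown path yields an empty mapping."""
    return vault_call("GET", f"{MOUNT}/{keyvault}", **kw).get("data", {})


def roundtrip_ok(keyvault, data, **kw):
    """Write `data`, read it back, and report whether every pair survived.
    Run this once after `make enable` before trusting the mount with
    anything that matters."""
    write_secret(keyvault, data, **kw)
    stored = read_secret(keyvault, **kw)
    return all(stored.get(k) == v for k, v in data.items())


if __name__ == "__main__":
    # <keyvault-name> is a placeholder for the Key Vault you created in Azure.
    print("round trip ok:", roundtrip_ok("<keyvault-name>", {"hello": "world"}))
```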
Note that under the `terraform` directory you can find a Terraform script to set up a Key Vault for testing purposes. Simply run
```shell
$ terraform init
$ terraform apply
```
in the `terraform` directory (`init` must come before `apply`), and you'll have a Key Vault ready to go in a minute.
For any questions or issues, you're welcome to reach us through our website www.anjuna.io/contact-us or through support@anjuna.io. We'd also love for you to learn more about our solutions for using Secure Enclaves, a new technology that enables protecting the most sensitive data and workloads. Check out www.anjuna.io and reach out to us if you'd like to learn more.