Accessing secrets in Azure Key Vault using Java libraries

Rajeev Kalal, Version 1. Published Dec 30, 2022.

Tools and methods for managing digital authentication credentials are referred to as secrets management. This includes passwords, keys, API keys, and tokens used by applications, services and privileged accounts. The terms “secrets” and “secrets management” are used most commonly in IT with regard to DevOps environments, tools, and processes. Every application, script, automation tool and other non-human identity relies on some form of privileged credential to access other tools, applications and data. Improper management of these secrets exposes your application to vulnerabilities just as bad programming practices or bugs do.

What is a Secret?

A secret is a digital authentication credential. Secrets are individually named sets of sensitive information and cover a broad spectrum of secure data. A secret is basically any piece of data to which you want to restrict and fully control access. The secret is not necessarily the data itself but rather what grants access to the data.

Some of the most common types of secrets include:

  1. Privileged account credentials
  2. Passwords
  3. Certificates
  4. SSH keys
  5. API keys
  6. Encryption keys

It’s easy to lose track of the many types of secrets used in many contexts, or to fail to apply them consistently across the enterprise. That’s where secrets management comes in.

What is Secrets Management?

Secrets management is used to securely store, transmit, and audit secrets. It is a set of tools and techniques that provide confidentiality for your sensitive information and ensure that resources can only be accessed by authenticated and authorized entities. Secrets management must account for and mitigate the risks to these secrets both in transit and at rest, so they must be transmitted and stored securely.

Secret Management using Azure Key Vault

Azure Key Vault is a cloud service that provides secure storage for secrets, such as passwords and database connection strings. The Azure Key Vault Secrets client library allows you to securely store and tightly control access to tokens, passwords, API keys, and other secrets. This library offers operations to create, retrieve, update, delete, purge, backup, restore, and list the secrets and their versions.

Prerequisite

  1. An Azure subscription.
  2. Java Development Kit (JDK) version 8 or above.
  3. Apache Maven.
  4. Azure CLI.

Required Maven dependencies

Add the following dependencies to your pom.xml file under the dependencies section.

  <dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-security-keyvault-secrets</artifactId>
    <version>4.2.3</version>
  </dependency>
  <dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.7.0</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>2.14.0</version>
  </dependency>

Set environment variables

Set the environment variables for the key vault name and the service principal credentials as below. Open the command prompt and execute the following commands:

set KEY_VAULT_NAME=<your-key-vault-name>
set AZURE_CLIENT_ID=<your-azure-client-id>
set AZURE_CLIENT_SECRET=<your-azure-client-secret>
set AZURE_TENANT_ID=<your-azure-tenant-id>

Credentials

A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept credentials when they’re constructed. The service clients use those credentials to authenticate requests to the service.

Authenticate Azure-hosted applications.

  1. DefaultAzureCredential: Provides a simplified authentication experience to quickly start developing applications running in Azure.
  2. ChainedTokenCredential: Allows users to define custom authentication flows composing multiple credentials.
  3. EnvironmentCredential: Authenticates a service principal or user via credential information specified in environment variables.
  4. ManagedIdentityCredential: Authenticates the managed identity of an Azure resource.

The “DefaultAzureCredential” is appropriate for most scenarios where the application is ultimately intended to run in Azure. This is because “DefaultAzureCredential” combines the credentials commonly used to authenticate when deployed (such as a managed identity) with the credentials used to authenticate in a development environment (such as environment variables).

Secrets Management Class.

The secrets management Java class has four different methods to interact with Azure Key Vault.

  1. “secretBuilder”.
  2. “setSecret“.
  3. “getSecret“.
  4. “deleteSecret“.

Secret Builder Method.

The “secretBuilder” method is used to authenticate the connection with the Azure Key Vault. It accepts the Key Vault name as an argument.

  1. The method generates the Key Vault URL from the key vault name.
  2. The “SecretClientBuilder” class is used to build the client that authenticates to the Azure Key Vault.
  3. Three methods of the “SecretClientBuilder” class, “vaultUrl”, “credential” and “buildClient”, are used to configure and build the authenticated client.
  4. The “DefaultAzureCredentialBuilder” class is used to create the credential for the Azure Key Vault.
  5. “DefaultAzureCredentialBuilder” uses the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID of the service principal configured in the Azure portal with access to the Azure Key Vault.
  6. The values of AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID are read from the system environment variables for successful authentication.

Set Secret Method.

The “setSecret” method creates the secret in the Azure Key Vault. It accepts the Key Vault name, secret name and secret value as arguments.

  1. The method creates the secret using the arguments Key Vault name, secret name and secret value.
  2. The “setSecret” method uses an instance of the “KeyVaultSecret” class to create the secret in the Azure Key Vault.

Get Secret Method.

The “getSecret” method is used to fetch a secret present in the Azure Key Vault. It accepts the Key Vault name and secret name as arguments.

  1. The method fetches the secret using the arguments Key Vault name and secret name.
  2. The method fetches the secret as an object of type “KeyVaultSecret”.
  3. The “KeyVaultSecret” object is converted to a string using “retrievedSecret.getValue()”.
  4. The method returns the secret in string format.

Delete Secret Method.

The “deleteSecret” method is used to delete a secret present in the Azure Key Vault. It accepts the Key Vault name and secret name as arguments.

  1. The method deletes the secret using the arguments Key Vault name and secret name.
  2. The method uses “beginDeleteSecret” to start the deletion.
  3. A “SyncPoller” is used to wait for the deletion process to complete.
  4. “deletionPoller.waitForCompletion()” is called to achieve this.
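The four methods described above (secretBuilder, setSecret, getSecret and deleteSecret) put together as one class, written here as an added example rather than the author's own code. It uses only the public SDK types from the azure-security-keyvault-secrets and azure-identity dependencies listed earlier; the class name SecretsManagement, the secret name used in main, and the vault URL pattern https://<name>.vault.azure.net are assumptions of this example.

```java
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.DeletedSecret;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

// Example class (not the article's code): one authenticated SecretClient per call,
// built from the vault name, with the four operations the article describes.
public class SecretsManagement {

    // secretBuilder: derive the vault URL from its name and authenticate with
    // DefaultAzureCredential. Locally that credential reads AZURE_CLIENT_ID,
    // AZURE_CLIENT_SECRET and AZURE_TENANT_ID from the environment; when the
    // application runs in Azure it can use the resource's managed identity instead.
    public SecretClient secretBuilder(String keyVaultName) {
        if (keyVaultName == null || keyVaultName.isEmpty()) {
            throw new IllegalArgumentException("Key Vault name must not be empty (set KEY_VAULT_NAME)");
        }
        String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net"; // assumed URL pattern
        return new SecretClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
    }

    // setSecret: create (or add a new version of) a secret via a KeyVaultSecret instance.
    public void setSecret(String keyVaultName, String secretName, String secretValue) {
        SecretClient client = secretBuilder(keyVaultName);
        KeyVaultSecret created = client.setSecret(new KeyVaultSecret(secretName, secretValue));
        // Log the name and version only; the value must never reach the logs.
        System.out.println("Stored secret '" + created.getName()
                + "' version " + created.getProperties().getVersion());
    }

    // getSecret: fetch the KeyVaultSecret and return its value as a String.
    public String getSecret(String keyVaultName, String secretName) {
        SecretClient client = secretBuilder(keyVaultName);
        KeyVaultSecret retrievedSecret = client.getSecret(secretName);
        return retrievedSecret.getValue();
    }

    // deleteSecret: start the deletion and block until the poller reports completion.
    public void deleteSecret(String keyVaultName, String secretName) {
        SecretClient client = secretBuilder(keyVaultName);
        SyncPoller<DeletedSecret, Void> deletionPoller = client.beginDeleteSecret(secretName);
        deletionPoller.waitForCompletion();
        System.out.println("Deleted secret '" + secretName + "'");
    }

    public static void main(String[] args) {
        String vaultName = System.getenv("KEY_VAULT_NAME");
        SecretsManagement sm = new SecretsManagement();
        String secretName = "example-db-password"; // constructed sample name for this example

        sm.setSecret(vaultName, secretName, "constructed-sample-value");
        String value = sm.getSecret(vaultName, secretName);
        // Report only whether the round trip worked, not the secret itself.
        System.out.println("Round trip succeeded: " + "constructed-sample-value".equals(value));
        sm.deleteSecret(vaultName, secretName);
    }
}
```

Run it with the four environment variables from the earlier section set; the service principal behind AZURE_CLIENT_ID needs the Key Vault secret permissions for set, get and delete, otherwise the corresponding call throws an exception from the SDK. Keeping the secret value out of System.out and any logging framework is the one habit worth carrying from this example into real code.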

Conclusion

That’s it. These are the steps that need to be performed to fetch secrets from Azure Key Vault using the Java libraries.

About the Author:
Rajeev Kalal is a Test Automation Consultant here at Version 1.
