HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

Setup guide - Azure Key Vault

To manage the lifecycle of the Azure Key Vault keys, you need to setup the key management secrets engine using azurekeyvault provider.

Setup

  1. Enable the key management secrets engine.

    $ vault secrets enable keymgmt
Success! Enabled the keymgmt secrets engine at: keymgmt/

  2. Configure a KMS provider resource named, example-kms.

    $ vault write keymgmt/kms/example-kms \
    provider="azurekeyvault" \
    key_collection="keyvault-name" \
    credentials=client_id="a0454cd1-e28e-405e-bc50-7477fa8a00b7" \
    credentials=client_secret="eR%HizuCVEpAKgeaUEx" \
    credentials=tenant_id="cd4bf224-d114-4f96-9bbc-b8f45751c43f"

    The command specified the following:

    • The full path to this KMS provider instance in Vault (keymgmt/kms/example-kms).
    • A key collection, which corresponds to the name of the key vault instance in Azure.
    • The KMS provider is set to azurekeyvault.
    • Azure client ID credential, that can also be specified with AZURE_CLIENT_ID environment variable.
    • Azure client secret credential, that can also be specified with AZURE_CLIENT_SECRET environment variable.
    • Azure tenant ID credential, that can also be specified with AZURE_TENANT_ID environment variable.

API documentation

Refer to the Azure Key Vault API documentation for a detailed description of individual configuration parameters.

Usage

  1. Write a pair of RSA-2048 keys to the secrets engine. The following command will write a new key of type rsa-2048 to the path keymgmt/key/rsa-1. 

    $ vault write keymgmt/key/rsa-1 type="rsa-2048"
Success! Data written to: keymgmt/key/rsa-1

    The key management secrets engine currently supports generation of the key types specified in Key Types.

    Based on the Compatibility section of the documentation, Azure Key Vault currently supports use of RSA-2048, RSA-3072, and RSA-4096 key types.

  2. Read the rsa-1 key you created. Use JSON as the output and pipe that into jq.

    $ vault read -format=json keymgmt/key/rsa-1 | jq

  3. To use the keys you wrote, you must distribute them to the key vault. Distribute the rsa-1 key to the key vault at the path keymgmt/kms/example-kms/key/rsa-1.

    $ vault write keymgmt/kms/example-kms/key/rsa-1 \
    purpose="encrypt,decrypt" \
    protection="hsm"

    Here you are instructing Vault to distribute the key and specify that its purpose is only to encrypt and decrypt. The protection type is dependent on the cloud provider and the value is either hsm or software. In the case of Azure, you specify hsm for the protection type. The key will be securely delivered to the key vault instance according to the Azure Bring Your Own Key (BYOK) specification.

  4. You can list the keys that have been distributed to the Azure Key Vault instance.

    $ vault list keymgmt/kms/keyvault/key/
Keys
----
rsa-1

  5. Rotate the rsa-1 key.

    $ vault write -f keymgmt/key/rsa-1/rotate
Success! Data written to: keymgmt/key/rsa-1/rotate

  6. Confirm successful key rotation by reading the key, and getting the value of .data.latest_version.

    $  vault read -format=json keymgmt/key/rsa-1 | jq '.data.latest_version'
2

Azure private link

The secrets engine can be configured to communicate with Azure Key Vault instances using Azure Private Endpoints. Follow the guide at Integrate Key Vault with Azure Private Link to set up a Private Endpoint for your target Key Vault instance in Azure. The Private Endpoint must be network reachable by Vault. This means Vault needs to be running in the same virtual network or a peered virtual network to properly resolve the Key Vault domain name to the Private Endpoint IP address.

The Private Endpoint configuration relies on a correct Azure Private DNS integration. From the host that Vault is running on, follow the steps in Validate that the private link connection works to ensure that the Key Vault domain name resolves to the Private Endpoint IP address you've configured.

$ nslookup <keyvault-name>.vault.azure.net

Non-authoritative answer:
Name:
Address:  10.0.2.5 (private IP address)
Aliases:  <keyvault-name>.vault.azure.net
          <keyvault-name>.privatelink.vaultcore.azure.net

The secrets engine doesn't require special configuration to communicate with a Key Vault instance over an Azure Private Endpoint. For example, the given KMS configuration will result in the secrets engine resolving a Key Vault domain name of keyvault-name.vault.azure.net to the Private Endpoint IP address. Note that it's possible to change the Key Vault DNS suffix using the environment configuration parameter or AZURE_ENVIRONMENT environment variable.

Terraform example

If you are familiar with Terraform, you can use it to deploy the necessary Azure infrastructure.

provider "azuread" {
  version = "=0.11.0"
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }
}

resource "random_id" "app_rg_name" {
  byte_length = 3
}

resource "random_id" "keyvault_name" {
  byte_length = 3
}

data "azurerm_client_config" "current" {}

resource "azuread_application" "key_vault_app" {
  name                       = "app-${random_id.app_rg_name.hex}"
  homepage                   = "http://homepage${random_id.app_rg_name.b64_url}"
  identifier_uris            = ["http://uri${random_id.app_rg_name.b64_url}"]
  reply_urls                 = ["http://replyur${random_id.app_rg_name.b64_url}"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

resource "azuread_service_principal" "key_vault_sp" {
  application_id               = azuread_application.key_vault_app.application_id
  app_role_assignment_required = false
}

resource "random_password" "password" {
  length           = 24
  special          = true
  override_special = "%@"
}

resource "azuread_service_principal_password" "key_vault_sp_pwd" {
  service_principal_id = azuread_service_principal.key_vault_sp.id
  value                = random_password.password.result
  end_date             = "2099-01-01T01:02:03Z"
}

resource "azurerm_resource_group" "key_vault_rg" {
  name     = "learn-rg-${random_id.app_rg_name.hex}"
  location = "West US"
}

resource "azurerm_key_vault" "key_vault_kv" {
  name                = "learn-keyvault-${random_id.keyvault_name.hex}"
  location            = azurerm_resource_group.key_vault_rg.location
  resource_group_name = azurerm_resource_group.key_vault_rg.name
  sku_name            = "premium"
  soft_delete_enabled = true
  tenant_id           = data.azurerm_client_config.current.tenant_id

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "backup",
      "create",
      "decrypt",
      "delete",
      "encrypt",
      "get",
      "import",
      "list",
      "purge",
      "recover",
      "restore",
      "sign",
      "unwrapKey",
      "update",
      "verify",
      "wrapKey"
    ]
  }

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azuread_service_principal.key_vault_sp.object_id
    key_permissions = [
      "create",
      "delete",
      "get",
      "import",
      "update"
    ]
  }
}

output "key_vault_1_name" {
  value = azurerm_key_vault.key_vault_kv.name
}

output "tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}

output "client_id" {
  value = azuread_application.key_vault_app.application_id
}

output "client_secret" {
  value = azuread_service_principal_password.key_vault_sp_pwd.value
}
Edit this page on GitHub