#Azure #Security #KeyVault #Encryption #Identity

>[!info] Azure Key Vault Overview
>Azure Key Vault is a cloud service for securely storing and accessing secrets, encryption keys, and certificates. It provides centralized secret management with access control and logging capabilities.

>[!related]
>Related Azure services:
>- [[RBAC and ABAC]] - Access control implementation
>- [[App Registration]] - Application identity setup
>- [[Azure RMS]] - Rights Management Services
>- [[Full Encryption implementation]] - Enterprise encryption strategy

## Key Features

### 1. Secret Management
- Store API keys, passwords, connection strings
- Version control for secrets
- Automatic secret rotation
- Secure secret retrieval

### 2. Key Management
- Create and control encryption keys
- Import existing keys
- Store symmetric and asymmetric keys
- Hardware Security Module (HSM) backing

### 3. Certificate Management
- Store SSL/TLS certificates
- Automatic certificate renewal
- Integration with Azure certificate authorities
- Certificate lifecycle management

## Security Features

>[!warning] Access Control
>1. **Azure AD Integration**
>   - Authentication via Azure AD identities
>   - Support for managed identities
>   - Multi-factor authentication
>
>2. **RBAC Policies**
>   - Granular access control
>   - Custom role definitions
>   - Separation of duties

>[!tip] Best Practices
>1. **Network Security**
>   - Use Private Endpoints
>   - Implement network isolation
>   - Enable Firewall rules
>
>2. **Monitoring**
>   - Enable diagnostic logging
>   - Set up alerts
>   - Regular access reviews

## Implementation Guide

### 1. Create Key Vault

```powershell
# Install the Azure PowerShell module if needed
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

# Sign in to Azure
Connect-AzAccount

# Create the resource group (if needed)
$resourceGroup = "YourResourceGroup"
$location = "eastus"
New-AzResourceGroup -Name $resourceGroup -Location $location

# Create the Key Vault.
# -EnableRbacAuthorization: data-plane access is governed by Azure RBAC role
#   assignments, not by vault access policies (the two models are exclusive).
# -EnablePurgeProtection: soft-deleted objects cannot be purged before the
#   retention period ends, so a compromised admin cannot destroy them outright.
$vaultName = "YourKeyVaultName"
New-AzKeyVault -Name $vaultName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -EnableRbacAuthorization `
    -EnablePurgeProtection `
    -SoftDeleteRetentionInDays 90
```

### 2. Configure Access (RBAC Role Assignments)

```powershell
# Assign RBAC roles at vault scope. The vault was created with RBAC authorization,
# so access policies are not used; data-plane roles are assigned like any other role.
$objectId = (Get-AzADUser -UserPrincipalName "user@yourtenant.onmicrosoft.com").Id

# Use the vault's own resource ID as the scope instead of hand-building the path
$vaultScope = (Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup).ResourceId

# Key Vault Administrator: full data-plane access to keys, secrets and certificates
New-AzRoleAssignment -ObjectId $objectId `
    -RoleDefinitionName "Key Vault Administrator" `
    -Scope $vaultScope

# Key Vault Secrets Officer: manage secrets only (no keys/certificates, no permission management)
New-AzRoleAssignment -ObjectId $objectId `
    -RoleDefinitionName "Key Vault Secrets Officer" `
    -Scope $vaultScope
```

### 3. Store and Retrieve Secrets

```powershell
# Store a secret (the value is passed as a SecureString, not a plain string)
$secretvalue = ConvertTo-SecureString "YourSecretValue" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName `
    -Name "SecretName" `
    -SecretValue $secretvalue

# Retrieve a secret and unwrap the SecureString only where the plaintext is actually needed
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name "SecretName"
$secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
)

# Az.KeyVault 2.0 and later offer a shorter form that returns the plaintext directly:
# $secretValueText = Get-AzKeyVaultSecret -VaultName $vaultName -Name "SecretName" -AsPlainText
```

### 4. Manage Certificates

```powershell
# Import a certificate from a PFX file
$certPath = "path/to/your/cert.pfx"
$certPassword = ConvertTo-SecureString -String "YourCertPassword" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName $vaultName `
    -Name "CertName" `
    -FilePath $certPath `
    -Password $certPassword

# Get the certificate (public part and metadata; the private key stays in the vault)
$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name "CertName"
```

## Security Considerations

>[!danger] Critical Security Guidelines
>1. **Access Management**
>   - Use managed identities when possible
>   - Implement least-privilege access
>   - Regular access reviews
>
>2. **Network Security**
>   - Enable Azure Private Link
>   - Restrict network access
>   - Use service endpoints
>
>3. **Monitoring and Auditing**
>   - Enable diagnostic logging
>   - Configure alerts
>   - Regular compliance reviews
>
>4. **Backup and Recovery**
>   - Enable soft-delete
>   - Configure purge protection
>   - Regular backup validation

## Integration Examples

### 1. Azure Functions Integration

```powershell
# Enable a system-assigned managed identity on the Function App
$functionAppName = "YourFunctionApp"
Update-AzFunctionApp -Name $functionAppName `
    -ResourceGroupName $resourceGroup `
    -IdentityType SystemAssigned

# Grant the Function App's identity read access to secrets.
# Az.Functions exposes the identity's object ID as the IdentityPrincipalId property.
$functionAppIdentity = (Get-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroup).IdentityPrincipalId
$vaultScope = (Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup).ResourceId
New-AzRoleAssignment -ObjectId $functionAppIdentity `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $vaultScope

# Add a Key Vault reference as an app setting. The platform resolves it with the
# managed identity at runtime; the function code reads the setting as an ordinary
# environment variable and never handles a vault credential.
$keyVaultUri = (Get-AzKeyVault -VaultName $vaultName).VaultUri   # ends with "/"
Update-AzFunctionAppSetting -Name $functionAppName -ResourceGroupName $resourceGroup `
    -AppSetting @{ "SecretName" = "@Microsoft.KeyVault(SecretUri=${keyVaultUri}secrets/SecretName/)" }
```

### 2. App Service Integration

```powershell
# Enable a system-assigned managed identity for the App Service
$webAppName = "YourWebApp"
Set-AzWebApp -Name $webAppName `
    -ResourceGroupName $resourceGroup `
    -AssignIdentity $true

# Grant the App Service's identity read access to secrets
$webAppIdentity = (Get-AzWebApp -Name $webAppName -ResourceGroupName $resourceGroup).Identity.PrincipalId
$vaultScope = (Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup).ResourceId
New-AzRoleAssignment -ObjectId $webAppIdentity `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $vaultScope
```

>[!tip] Best Practices for Integration
>1. Always use managed identities
>2. Implement proper error handling
>3. Cache secrets when appropriate
>4. Monitor secret access patterns
>5. Implement secret rotation
>6. Use appropriate secret scopes

## Troubleshooting

>[!example] Common Issues and Solutions
>1. **Access Denied**
>   - Verify RBAC assignments
>   - Check network restrictions
>   - Validate managed identity
>
>2. **Certificate Issues**
>   - Verify certificate format
>   - Check expiration dates
>   - Validate private key
>
>3. **Performance Issues**
>   - Implement caching
>   - Use bulk operations
>   - Monitor throttling limits
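## Worked Examples

The "Store and Retrieve Secrets" step and the "Implement secret rotation" best practice leave the rotation itself unshown. The following is an added example, not code from the original note: it writes a new secret version with an explicit validity window, records who rotated it, and optionally disables the previous version once consumers have switched. It assumes `$vaultName` from the guide above exists and that the caller holds "Key Vault Secrets Officer" on it; `Invoke-KeyVaultSecretRotation` and `New-RandomSecretValue` are names chosen for this example.

```powershell
# Added example (not part of the original note). Assumes $vaultName exists and the
# caller holds "Key Vault Secrets Officer". Function names are chosen for this example.

function New-RandomSecretValue {
    param([int]$ByteLength = 32)
    # CSPRNG bytes (works on Windows PowerShell 5.1 and PowerShell 7), base64 for printability
    $buffer = [byte[]]::new($ByteLength)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buffer)
    return [Convert]::ToBase64String($buffer)
}

function Invoke-KeyVaultSecretRotation {
    param(
        [Parameter(Mandatory)] [string]$VaultName,
        [Parameter(Mandatory)] [string]$SecretName,
        [int]$ValidDays = 90,
        [switch]$DisablePreviousVersion
    )

    # Current version (null if the secret does not exist yet)
    $previous = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction SilentlyContinue

    $secure = ConvertTo-SecureString (New-RandomSecretValue) -AsPlainText -Force
    $now    = (Get-Date).ToUniversalTime()

    # New version: bounded lifetime plus tags that make a later audit answerable
    $new = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
        -SecretValue $secure `
        -NotBefore $now `
        -Expires $now.AddDays($ValidDays) `
        -ContentType 'text/plain' `
        -Tag @{ rotatedBy = (Get-AzContext).Account.Id; rotatedOn = $now.ToString('o') }

    # The previous version stays readable until consumers have picked up the new one;
    # once they have, disable it so a pinned or stale reference fails instead of working.
    if ($DisablePreviousVersion -and $previous -and $previous.Version -ne $new.Version) {
        Update-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
            -Version $previous.Version -Enable $false | Out-Null
    }
    return $new
}

# Usage: rotate, then review the version history
$rotated = Invoke-KeyVaultSecretRotation -VaultName $vaultName -SecretName 'SecretName' -ValidDays 60
"New version $($rotated.Version) valid until $($rotated.Expires)"

Get-AzKeyVaultSecret -VaultName $vaultName -Name 'SecretName' -IncludeVersions |
    Select-Object Version, Enabled, Created, Expires |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Rotation is two-phased on purpose: a second run with `-DisablePreviousVersion` after the consuming apps have restarted or refreshed their cache removes the old credential without a window in which nothing works. Consumers that resolve the secret by name (Key Vault references, SDK clients without a pinned version) pick up the new version on their next read.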
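The "Manage Certificates" step imports an existing PFX, while the feature list also promises automatic renewal and lifecycle management. This added example, not from the original note, creates a certificate whose policy makes Key Vault renew it before expiry, and then reports every certificate in the vault that is close to expiring and whether it has a renewal trigger at all (the "Check expiration dates" item under Troubleshooting). It assumes `$vaultName` exists and the caller holds "Key Vault Certificates Officer"; the subject name, certificate name and `Get-ExpiringKeyVaultCertificate` are chosen for this example.

```powershell
# Added example (not part of the original note). Assumes $vaultName exists and the
# caller holds "Key Vault Certificates Officer". Names below are chosen for this example.

# Policy: self-signed for illustration. For a public CA, register the issuer first
# with Set-AzKeyVaultCertificateIssuer and pass its name as -IssuerName.
$policy = New-AzKeyVaultCertificatePolicy `
    -SecretContentType 'application/x-pkcs12' `
    -SubjectName 'CN=app.internal.example' `
    -IssuerName 'Self' `
    -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30 `
    -KeyType 'RSA' -KeySize 2048 `
    -KeyNotExportable    # private key is generated in, and never leaves, the vault

Add-AzKeyVaultCertificate -VaultName $vaultName -Name 'AppTlsCert' -CertificatePolicy $policy | Out-Null

function Get-ExpiringKeyVaultCertificate {
    param(
        [Parameter(Mandatory)] [string]$VaultName,
        [int]$WithinDays = 30
    )
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays($WithinDays)

    # Listing returns lightweight items (Name, Enabled, Expires ...); the policy is a separate read
    Get-AzKeyVaultCertificate -VaultName $VaultName |
        Where-Object { $_.Enabled -and $_.Expires -and $_.Expires -le $cutoff } |
        ForEach-Object {
            $p = Get-AzKeyVaultCertificatePolicy -VaultName $VaultName -Name $_.Name
            [pscustomobject]@{
                Name           = $_.Name
                Expires        = $_.Expires
                DaysLeft       = [math]::Floor(($_.Expires - $now).TotalDays)
                Issuer         = $p.IssuerName
                # Without a renewal trigger the certificate will simply lapse
                AutoRenew      = ($p.RenewAtNumberOfDaysBeforeExpiry -gt 0) -or ($p.RenewAtPercentageLifetime -gt 0)
                AlreadyExpired = $_.Expires -lt $now
            }
        }
}

# Usage: anything listed without AutoRenew needs a manual renewal before DaysLeft reaches 0
Get-ExpiringKeyVaultCertificate -VaultName $vaultName -WithinDays 45 |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

A renewal action only fires for certificates the vault issued itself or obtained through a configured issuer; imported certificates (as in step 4 above) carry no renewal trigger, which is exactly what the `AutoRenew` column surfaces.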
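The Best Practices callouts ask for firewall rules and diagnostic logging but the guide never configures either. This added example, not code from the original note, sets the vault's network rules to default-deny with one allowed range, sends the vault's `AuditEvent` log to a Log Analytics workspace, and keeps a KQL query for the failed-request signal that an alert rule would use. It assumes `$vaultName` and `$resourceGroup` from the guide, an existing workspace (`YourWorkspace` is a placeholder), and a documentation-range CIDR as a constructed sample.

```powershell
# Added example (not part of the original note). Assumes $vaultName/$resourceGroup from
# the guide and an existing Log Analytics workspace; "YourWorkspace" is a placeholder
# and the CIDR is a constructed sample from the documentation range.

# 1. Network rules: deny by default, let trusted Azure services through (needed for
#    ARM-driven operations), and allow one known egress range.
$allowedCidr = '203.0.113.0/24'
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -DefaultAction Deny `
    -Bypass AzureServices `
    -IpAddressRange $allowedCidr

# Read back what is now in effect
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
$vault.NetworkAcls | Format-List DefaultAction, Bypass, IpAddressRanges, VirtualNetworkResourceIds

# 2. Diagnostic logging: every data-plane call (who, which object, success/denied)
#    lands in the AuditEvent category; metrics cover throttling and latency.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name 'YourWorkspace'

$auditLog = New-AzDiagnosticSettingLogSettingsObject -Category 'AuditEvent' -Enabled $true
$metrics  = New-AzDiagnosticSettingMetricSettingsObject -Category 'AllMetrics' -Enabled $true

New-AzDiagnosticSetting -Name 'kv-audit-to-law' `
    -ResourceId $vault.ResourceId `
    -WorkspaceId $workspace.ResourceId `
    -Log $auditLog `
    -Metric $metrics

# 3. Signal worth alerting on: data-plane calls that did not succeed. A burst of
#    these from one address usually means a misconfigured client or a probe.
$deniedCallsKql = @'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where ResultType != "Success"
| summarize Attempts = count(), Operations = make_set(OperationName) by CallerIPAddress, ResultSignature, bin(TimeGenerated, 15m)
| order by Attempts desc
'@
$deniedCallsKql
```

Attach the query to a scheduled-query alert rule in the workspace (threshold on `Attempts`) so the "Set up alerts" item is covered by the same data the diagnostic setting produces. With `DefaultAction` set to `Deny`, the Azure portal and your own workstation also need to be in an allowed range or come through a Private Endpoint, which is the usual cause of a sudden "Access Denied" after hardening.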
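The Troubleshooting callout lists what to verify for an "Access Denied" (RBAC assignments, network restrictions, the managed identity) without showing how. This added example, not part of the original note, walks that checklist for one principal: which authorization model the vault uses and what the principal actually holds at vault scope, whether any of it is a data-plane role at all, and whether the vault's IPv4 rules would block the caller's address; it also reports the soft-delete and purge-protection posture from the Backup and Recovery list. `Test-KeyVaultAccess`, `Test-IPv4InCidr` and `ConvertTo-IPv4Long` are names chosen here, and the caller address is a constructed sample; it assumes the person running it can read the vault and its role assignments.

```powershell
# Added example (not part of the original note). Function names are chosen for this
# example; the caller IP in the usage line is a constructed sample.

function ConvertTo-IPv4Long([string]$Address) {
    $b = ([ipaddress]$Address).GetAddressBytes()
    [array]::Reverse($b)                       # network order -> little-endian for BitConverter
    return [long][BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    # Key Vault IP rules are IPv4 addresses or CIDR blocks; a bare address means /32
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $mask = [long](4294967296 - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-IPv4Long $Ip) -band $mask) -eq ((ConvertTo-IPv4Long $net) -band $mask)
}

# Built-in roles that grant data-plane access; Contributor/Owner/Key Vault Reader do not
$dataPlaneRoles = @(
    'Key Vault Administrator', 'Key Vault Secrets Officer', 'Key Vault Secrets User',
    'Key Vault Certificates Officer', 'Key Vault Crypto Officer', 'Key Vault Crypto User',
    'Key Vault Crypto Service Encryption User'
)

function Test-KeyVaultAccess {
    param(
        [Parameter(Mandatory)] [string]$VaultName,
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$PrincipalObjectId,   # user, group, SP or managed identity
        [string]$CallerIp
    )
    $vault    = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Authorization model. With RBAC enabled, access policies are ignored, and vice versa.
    if ($vault.EnableRbacAuthorization) {
        # Assignments effective at vault scope, i.e. direct and inherited from RG/subscription
        $roles = Get-AzRoleAssignment -ObjectId $PrincipalObjectId -Scope $vault.ResourceId |
                 Select-Object -ExpandProperty RoleDefinitionName -Unique
        if (-not $roles) {
            $findings.Add("RBAC: no role assignment effective at vault scope for $PrincipalObjectId")
        } else {
            $findings.Add("RBAC: roles = $($roles -join ', ')")
            if (-not ($roles | Where-Object { $dataPlaneRoles -contains $_ })) {
                $findings.Add("RBAC: none of these is a built-in data-plane role; secrets/keys/certs reads will be denied (custom roles are not checked here)")
            }
        }
    } else {
        $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $PrincipalObjectId }
        if (-not $policy) { $findings.Add("Access policies: no entry for $PrincipalObjectId") }
        else { $findings.Add("Access policies: secrets = $($policy.PermissionsToSecrets -join ', ')") }
    }

    # 2. Network restrictions
    $acl = $vault.NetworkAcls
    if ($acl -and "$($acl.DefaultAction)" -eq 'Deny') {
        $findings.Add("Network: default Deny; bypass = $($acl.Bypass); IP rules = $($acl.IpAddressRanges -join ', ')")
        if ($CallerIp) {
            $allowed = @($acl.IpAddressRanges | Where-Object { Test-IPv4InCidr -Ip $CallerIp -Cidr $_ }).Count -gt 0
            if (-not $allowed) { $findings.Add("Network: $CallerIp matches no IP rule; it must use a Private Endpoint or an allowed VNet") }
        }
    } else {
        $findings.Add("Network: public access allowed from any address")
    }

    # 3. Recovery posture (Backup and Recovery guideline)
    $findings.Add("Soft delete = $($vault.EnableSoftDelete), purge protection = $($vault.EnablePurgeProtection), retention = $($vault.SoftDeleteRetentionInDays) days")
    return $findings
}

# Usage: the App Service identity from the integration section, plus a sample caller address
Test-KeyVaultAccess -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -PrincipalObjectId $webAppIdentity -CallerIp '198.51.100.7'
```

The most common false lead this catches is a principal that holds Contributor on the resource group and therefore "has access" in the portal, yet gets denied on the data plane because the vault is in RBAC mode and no `Key Vault *` role was assigned. For group-based assignments to a user, add `-ExpandPrincipalGroups` to the `Get-AzRoleAssignment` call.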