Introduction: All my articles are broken down into simple steps with detailed screenshots and thorough descriptions. By following these steps, even a novice programmer should be able to replicate the scenario. Please go through the steps and share your feedback so that I can make my next articles clearer and more focused.
Note: I took help from various internet sources while researching this topic. Credit goes to the internet and Microsoft communities.
This is my 7th article on Azure.
Follow the 24 steps below to understand Azure Key Vault creation and access.
After completing this blog, you will be able to:
- Set up Azure Key Vault and secrets
- Read a value from Key Vault using a Logic App
- Understand Microsoft Identity and its services
Sample Description: We are going to create a secret in Azure Key Vault and read its value by using a Logic App.
Step 1: Open Azure portal (https://portal.azure.com)
Step 2: Create a new Azure Key Vault. Click on Create Resource > search for Key Vault and click on Create.
What is Key Vault: Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys (From Microsoft).
Instead of storing keys in config files, we can use Azure Key Vault, which is dynamic, secure and much easier to control.
Step 3: Key Vault can store values in 3 ways: (a) keys, (b) secrets, (c) certificates.
In this article we are going to see how to create and share information by using secrets. We will also go through Access Policies.
Access Policies: these let Key Vault grant and control access for other applications such as Logic Apps, Data Factory, etc.
Step 4: Go to the Key Vault we created and click on Secrets > Generate/Import to create a new secret.
Step 5: In this step we will create a new logic app. This logic app will read the secret key from key vault in next step.
Click on Create Resource, search for Logic app to create a new logic app.
Step 6: Go to the logic app we created earlier and select a new Blank app; the app designer will be launched.
Select Request and select the “When a HTTP request is received” trigger.
Step 7: After adding the 1st step as mentioned above, click on Next step > search with the keyword “key vault” > select Azure Key Vault.
Step 8: Select the Get Secret action from the list.
Step 9: Give the name of the key vault we created earlier and click on Sign in. It will ask you to authenticate.
Step 10: Once the authentication is completed, it will give access to the keys, secrets and certificates we created within the key vault. Select the name of the secret we created to read its value.
Step 11: Save your Logic App and run it. This logic app will access the secret we created and fetch its value.
You can see the value “srinivasmateti” has been pulled from the secret. But displaying secrets on screen is not secure. We need to perform the steps below to make it more secure.
Step 12: Click on the three dots next to the 2nd step of the logic app and click on Settings.
Step 13: Enable Secure Outputs from the list and save.
Step 14: Now save your logic app and run it. You will receive the error below. To fix this issue, we need to perform the steps below from the key vault side.
Step 15: Now we need to create an access policy in the key vault to provide access to this logic app.
Before creating an access policy, we need to enable a managed identity for the Logic App. This gives the Logic App an identity that Key Vault can recognise and grant access to.
Step 16: Go to Key Vault > click on Access Policies > Add Access Policy.
Step 17: Expand the key permissions drop-down and select the required options. Here I am selecting Get & List because I only need to perform read operations.
Step 18: Click on Select Principal > search for the logic app and select it.
Step 19: Click on Add. It will create a new access policy to provide access to the Logic App. Do not forget to click on the final Save.
Step 20: Go to the Logic App designer and delete the 2nd step. Now we are going to access the secret in a more secure way. By using Managed Identity, the Logic App will make an API call and get the secret value.
Add a new step > select the HTTP action from the list.
Step 21: Go to the secret we created and grab the secret identifier from the text box.
Step 22: Below is the secret identifier we copied from the text box:
“https://mnewkeyvault.vault.azure.net/secrets/msecretkey/940b5fdb90e845618a67920c554a39ad”
Modify the above URL: remove the content after msecretkey (that trailing segment points to the specific version of the secret we created). This is a URL, and our logic app is going to call it as a web API. To retrieve the latest active version, change the URL as below:
“https://mnewkeyvault.vault.azure.net/secrets/msecretkey?api-version=7.0”
Step 23: We need to authenticate. Add a new parameter, select Authentication and select Managed Identity as the value. Also set the audience value to “https://vault.azure.net”.
We are going to authenticate this call by using Managed Identity.
Step 24: Save Logic App and Run
In the above step, the logic app made an API call for the secret value using Managed Identity and got the value in the response body. In normal development, Managed Identity is the way we will retrieve values from Key Vault.
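The check below is an added example, not part of the original article: a small Python audit over a Logic App code-view definition that verifies the HTTP action built in steps 20 to 23 (versionless URL, api-version, Managed Identity, audience) and also whether Secure Outputs is switched on for that new action, since the setting from steps 12 and 13 belonged to the deleted Get Secret step. The action names, finding labels and function names are made up for illustration, and the sample definition is constructed.

```python
import json
from urllib.parse import urlparse, parse_qs

VAULT_AUDIENCE = "https://vault.azure.net"

# Constructed code-view fragment (action names are made up): the first action is
# what steps 20-23 produce, the second shows the mistakes the audit looks for.
WORKFLOW = json.loads("""
{"actions": {
  "Read_secret": {
    "type": "Http",
    "inputs": {"method": "GET",
      "uri": "https://mnewkeyvault.vault.azure.net/secrets/msecretkey?api-version=7.0",
      "authentication": {"type": "ManagedServiceIdentity", "audience": "https://vault.azure.net"}},
    "runtimeConfiguration": {"secureData": {"properties": ["outputs"]}}},
  "Read_secret_unchecked": {
    "type": "Http",
    "inputs": {"method": "GET",
      "uri": "https://mnewkeyvault.vault.azure.net/secrets/msecretkey/940b5fdb90e845618a67920c554a39ad",
      "authentication": {"type": "ManagedServiceIdentity", "audience": "https://management.azure.com/"}}}
}}
""")

def audit_action(action):
    """Return findings for one Http action; empty list if clean or not a Key Vault call."""
    inputs = action.get("inputs", {})
    url = urlparse(inputs.get("uri", ""))
    if url.scheme != "https" or not (url.hostname or "").endswith(".vault.azure.net"):
        return []
    findings = []
    if len([p for p in url.path.split("/") if p]) > 2:   # /secrets/<name>/<version>
        findings.append("version-pinned")
    if "api-version" not in parse_qs(url.query):
        findings.append("missing-api-version")
    auth = inputs.get("authentication", {})
    if auth.get("type") != "ManagedServiceIdentity":
        findings.append("not-managed-identity")
    if auth.get("audience") != VAULT_AUDIENCE:
        findings.append("wrong-audience")
    secure = action.get("runtimeConfiguration", {}).get("secureData", {})
    if "outputs" not in secure.get("properties", []):     # the Secure Outputs switch
        findings.append("outputs-not-secured")
    return findings

def audit_workflow(definition):
    """Map each Http action name to its list of findings."""
    return {name: audit_action(a) for name, a in definition["actions"].items()
            if a.get("type") == "Http"}
```

Calling `audit_workflow(WORKFLOW)` returns an empty list for the first action and four findings for the second; the same function can be pointed at the `definition` object exported from a real Logic App's code view.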
In the next articles we will see more .NET samples that deal with key vaults.
Happy Coding!!