Store key and secret in Azure key-vault - azure-keyvault

We want to store our AWS key and secret on azure key vault because our VM's are on the Azure cloud.
All we want is to keep the AWS secret and key in the Azure key-vault instead of setting them in the environment variable.
Then, we want to access them through the APIs in our code.
I am very new to the azure key vault and wanted to know if it's possible or not? A simple example/reference would help a lot.

It is possible, just store them in the azure keyvault and access them via the VM MSI(VM system-assigned managed identity).
Reference - Use a Windows VM system-assigned managed identity to access Azure Key Vault
Done the Prerequisites and grant the access for the MSI, in the VM, you can get the token and use the token to get the secret.
See the powershell sample below, you can also use other languages, the logic is the same, it depends on your requirement.
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers #{Metadata="true"}
$content = $response.Content | ConvertFrom-Json
$KeyVaultToken = $content.access_token
(Invoke-WebRequest -Uri https://<your-key-vault-URL>/secrets/<secret-name>?api-version=2016-10-01 -Method GET -Headers #{Authorization="Bearer $KeyVaultToken"}).content
Response:
{"value":"p#ssw0rd!","id":"https://mytestkeyvault.vault.azure.net/secrets/MyTestSecret/7c2204c6093c4d859bc5b9eff8f29050","attributes":{"enabled":true,"created":1505088747,"updated":1505088747,"recoveryLevel":"Purgeable"}}
Update:
You need to add your VM MSI to the Access Policies of the keyvault.

Azure KeyVault has client libraries you can use to interact with KeyVault from your application.
For instance, these are the client libraries to interact with KeyVault Secrets in .NET, Java, Python and TypeScript
Here is how you can retrieve a secret from KeyVault using .NET:
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");
// create the client to interact with the service
var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
KeyVaultSecret secretWithValue = await client.GetSecretAsync("mySecret");
Console.WriteLine(secretWithValut.Value);
For more details, check out the samples page on the .NET repo.

Related

ClientID and ClientCredential management for a multi instance deployment

How do you manage clientId and clientCredentials of an OIDC(or OAuth2) application's deployment consisting of multiple instances fronted by let's say an L7 load balancer ?
Do you maintain separate clientId/clientCredential for each application instance ?
If yes, how do you manage clientId/clientCredentials for dynamically provisioned instance (E.g. Kubernetes/AWS adding a new application instance in response to a health check failure or a scale-out event)
If you share clientId/clientCredentials across multiple application instances,Isn't that violating the basic rule (i.e. 'secret' is no longer a secret anymore) ?
Also, Compromise of any individual instance by potential attackers, kind of impacts the entire deployment.
If you share clientId/clientCredentials across multiple application
instances,Isn't that violating the basic rule (i.e. 'secret' is no
longer a secret anymore)
Instead of using the secret, you can leverage the Hashicorp Vault which will store and inject the environment variable to the deployment. You can implement encryption at rest and other security options like RBAC on vault UI access.
Yes, secret is base64 encoded not encrypted if you have a large team managing a cluster and RBAC is not set everyone having access to the cluster will be able to decode the secret.
Read more about the has corp vault : https://www.vaultproject.io/
With Kubernetes : https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide?in=vault%2Fkubernetes
Once the vault is set and you have created the secret into it with values you can refer my answer for more details injecting the secret to deployment : https://stackoverflow.com/a/73046067/5525824

How can I use Azure Relay and MVC with auth and still view the Swagger documentation URL?

For context, I'm very new to writing services, using Azure Relay, and Swagger, but I'm on the right track.
I have legacy WCF services that I'm writing a proxy wrapper for with ASP MVC Core, then I'm using Azure Relay hybrid connection to expose them for use to avoid firewall things.
When I run my application, Swagger shows my API's and the relevant documentation:
I have created 2 hybrid relays in Azure. One that "Requires Client Authorization" and one that does not.
The code I'm using is pictured below to switch between (1) no AZ relay, (2) AZ relay with no auth, and (3) AZ relay with auth.
When I run using the Azure relay with no auth (2), I can see the API documentation:
When I run using the Azure relay with auth (3), I just get a token required.
I know how to call the API's w/a SAS token, but is it possible to somehow view/interact with the Swagger documentation??
How do I interact with the web-front of an API when the API (not documentation) itself needs to be secure?

disadvantages of storing secrets in Blob Storage

My current customer has secrets stored in Blob Storage and we want to propose them to migrate to KeyVault. May I know what are the benefits or storing secrets into KeyVault as compared to Blob?
When I read the documentation, KeyVault uses the HSM to protect the keys and secrets but Blob also uses the encryption which is also secure. so what are the other advantages?
I'd say that in general they look very similar, however I'd say the most important difference between the two would be the authorization model.
Access to a storage account is done by one of the two available connectionstrings/keys. Access to a KeyVault can be assigned directly to users or groups (from AAD) and the access to resources within the Key vault can be configured with more granularity. Next to that it is very easy to limit the type of resources from within azure that may or may not retrieve data from a KeyVault, reducing the attack service.
Storage accounts do have AAD integration currently in preview, but what i gather is that that is mostly focusing on the Azure file share functionality (https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview).
Another nice differentiation is definitely the integrations that are already available when using KeyVault (i.e. Retrieving Azure DevOps secrets directly from a KeyVault or automatically retrieving Certificates for VMs)
FYI, i'm by no means a KeyVault expert but that's just my 2 cents :)

Oauth authentication for Terraform user instead of specifiying secret / access keys

Is there a way I can specificy a OAUTH authentication for terraform to redirect for authenticating before creating resources on a particular cloud .
For eg : Instead of specifying Secret/Access keys in variables for TF_VAR value . I want terraform to redirect to a OAUTH client for authentication after and refer those credentials to carry out a API call to the AWS to create the resources mentioned in the TF file

sharing keys across owin self hosted processes

I'm trying to create a token server for a few selfhosted owin services (console applications)
However, this seems like its only possible if I host in IIS:
The data format used to protect the information contained in the access token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server. - MSDN
Is there any way to share keys across servers if I'm self hosting by sharing some kind of key in the app.config like how I can share a machine key via web.config? If not, that would mean the only option left is to implement my own AccessTokenProvider (assuming I still use the built in OAuth server and self host)?
I've found this answer, which gives an idea on how you can use machine key in self-hosted OWIN app. Please note that a reference to System.Web is required.
After adding MachineKeyProtectionProvider and MachineKeyDataProtector, I just add the protection provider as below.
//...
app.SetDataProtectionProvider(new MachineKeyProtectionProvider());
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active
});
app.UseWebApi(config);
The difficult moment for me here was that the order of initialization matters: UseWebApi should come after SetDataProtectionProvider
I've tried MachineKey protection to no avail under Self-Hosted Web API. What finally worked for me is to specify a DPAPI Protection Provider in both projects:
app.SetDataProtectionProvider(new DpapiDataProtectionProvider("myApp"));
HTH

Resources