Azure Key Vault Secrets
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is a string that can be anything you need to manage securely, such as API keys, passwords, certificates, or connection strings.
What are Secrets in Azure Key Vault?
Secrets in Azure Key Vault are essentially key-value pairs where the value is the secret data. Key Vault provides a centralized and secure location to manage these secrets, reducing the risk of them being exposed in code or configuration files.
Key Features of Key Vault Secrets:
- Secure Storage: Secrets are encrypted at rest and in transit.
- Access Control: Granular permissions can be defined using access policies or Azure RBAC.
- Auditing: All operations on secrets are logged for security and compliance.
- Rotation: Support for setting expiration dates and rolling over secrets.
- Managed Identity Integration: Applications can access secrets using their managed identity without needing explicit credentials.
Managing Secrets
You can manage secrets in Azure Key Vault through the Azure portal, Azure CLI, PowerShell, or the Key Vault REST API.
Creating a Secret
To create a secret, you typically provide a name and the secret value.
Example using Azure CLI:
```bash
az keyvault secret set --vault-name MyKeyVault --name MySecretName --value "MySuperSecretValue"
```
Note that a value passed with --value can end up in shell history; `az keyvault secret set` also accepts --file to read the value from a file instead.
Retrieving a Secret
Retrieving a secret requires appropriate permissions and the name of the secret.
```bash
az keyvault secret show --vault-name MyKeyVault --name MySecretName --query value -o tsv
```
Deleting a Secret
Secrets can be deleted, and for enhanced security, Key Vault offers a soft-delete feature that allows recovery within a retention period.
```bash
az keyvault secret delete --vault-name MyKeyVault --name MySecretName
```
Accessing Secrets from Applications
Applications can securely access secrets stored in Key Vault. The recommended approach is to use Azure Managed Identities.
Using Managed Identities
When an Azure resource (like an App Service or Azure Function) is configured with a Managed Identity, it can be granted permissions to access Key Vault without managing credentials directly.
- Enable Managed Identity for your Azure resource.
- Grant the Managed Identity only the permissions it needs (e.g., the "Get" permission on secrets) through the Key Vault's access policies or Azure RBAC.
- In your application code, use the Azure SDKs to authenticate using the Managed Identity and retrieve secrets.
Example using .NET SDK:
```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// DefaultAzureCredential resolves to the resource's managed identity when running in Azure; printing the value is for demonstration only.
static async Task ReadSecretAsync()
{
    string vaultUri = "https://MyKeyVault.vault.azure.net/";
    SecretClient client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
    Response<KeyVaultSecret> secret = await client.GetSecretAsync("MySecretName");
    Console.WriteLine($"Secret Value: {secret.Value.Value}");
}
```
Best Practices
- Do not hardcode secrets in your application code or configuration files.
- Use Key Vault to store all sensitive information.
- Implement the principle of least privilege for access policies.
- Regularly rotate secrets and set expiration dates.
- Enable soft-delete and purge protection for your Key Vault.
- Monitor Key Vault logs for suspicious activity.
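One way to act on the last practice, monitoring Key Vault logs, as an added example that is not part of the original page: a small Python detector run over constructed AuditEvent-style log lines. The field names used (operationName, resultSignature, callerIpAddress, identity.claim.oid, properties.id) follow the Key Vault diagnostic log schema, but the records, identities, IP addresses and the denied-access threshold are constructed assumptions.

```python
import json
from collections import Counter

# Constructed Key Vault AuditEvent records, one JSON object per line as in a log export.
# Assumption: field names mirror the diagnostic log schema; all values are invented.
SAMPLE_LOG_LINES = [
    '{"operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.0.4","identity":{"claim":{"oid":"mi-app-0001"}},"properties":{"id":"https://MyKeyVault.vault.azure.net/secrets/MySecretName"}}',
    '{"operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"oid":"user-unknown-7"}},"properties":{"id":"https://MyKeyVault.vault.azure.net/secrets/MySecretName"}}',
    '{"operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"oid":"user-unknown-7"}},"properties":{"id":"https://MyKeyVault.vault.azure.net/secrets/DbConnString"}}',
    '{"operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"oid":"user-unknown-7"}},"properties":{"id":"https://MyKeyVault.vault.azure.net/secrets/OldApiKey"}}',
    '{"operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"198.51.100.23","identity":{"claim":{"oid":"user-unknown-7"}},"properties":{"id":"https://MyKeyVault.vault.azure.net/secrets/DbConnString"}}',
    '{"operationName":"SecretPurge","resultSignature":"OK","callerIpAddress":"10.0.0.9","identity":{"claim":{"oid":"admin-0002"}},"properties":{"id":"https://MyKeyVault.vault.azure.net/secrets/OldApiKey"}}',
]

# Operations that remove a secret (purge is irreversible once soft-delete retention is bypassed).
DESTRUCTIVE_OPS = {"SecretDelete", "SecretPurge"}


def parse_records(lines):
    """Parse JSON-per-line audit records, skipping lines that are not valid JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_suspicious(records, expected_oids, denied_threshold=3):
    """Return findings: denied-access bursts, reads by unexpected identities, destructive operations."""
    findings = []
    denied = Counter()  # (object id, caller IP) -> number of Forbidden/Unauthorized responses
    for r in records:
        op = r.get("operationName", "")
        oid = r.get("identity", {}).get("claim", {}).get("oid", "unknown")
        ip = r.get("callerIpAddress", "?")
        secret = r.get("properties", {}).get("id", "?").rsplit("/", 1)[-1]
        if r.get("resultSignature", "") in ("Forbidden", "Unauthorized"):
            denied[(oid, ip)] += 1
        elif op in DESTRUCTIVE_OPS:
            findings.append(f"{op} on {secret} by {oid} from {ip}")
        elif op == "SecretGet" and oid not in expected_oids:
            findings.append(f"SecretGet on {secret} by unexpected identity {oid} from {ip}")
    for (oid, ip), n in denied.items():
        if n >= denied_threshold:
            findings.append(f"{n} access-denied responses for {oid} from {ip}")
    return findings


if __name__ == "__main__":
    # mi-app-0001 is the only identity expected to read secrets from this vault (assumption).
    for finding in find_suspicious(parse_records(SAMPLE_LOG_LINES), {"mi-app-0001"}):
        print("ALERT:", finding)
```

In practice the records would come from the vault's diagnostic setting streamed to a Log Analytics workspace or storage account, and the expected identity set from the vault's access policies or role assignments.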