Azure Key Vault with Managed Identity

Introduction:

Azure Key Vault

Azure Key Vault is a cloud service provided by Microsoft Azure that allows you to securely manage and store sensitive information such as secrets, keys, and certificates. It offers the following features for data security:

Secrets Management – Key Vault lets you store and retrieve secrets (such as connection strings, API keys, or passwords) securely. Secrets are encrypted at rest and in transit, providing an additional layer of protection.

Key Management – You can create and manage cryptographic keys within Key Vault; these keys can be used for encryption, decryption, and signing operations.

Certificate Management – Key Vault supports the storage and management of X.509 certificates; you can import, create, and renew certificates directly from the service.

Access Control or RBAC – Key Vault allows fine-grained access control through access policies or RBAC (role-based access control); you can grant permissions to specific users and applications.

Integration with Azure Services – Key Vault integrates with other Azure services, such as Azure Functions, Azure App Service, and Azure Logic Apps, so applications can securely retrieve secrets and keys from Key Vault at runtime.

Managed Identity

Azure Managed Identity is a service offered by Microsoft Azure that simplifies managing the credentials and secrets that cloud applications need. It takes care of the complexity of cloud environments and the need to protect sensitive information, providing a streamlined and secure way to manage identity.

Features & Benefits

Simplified Credential Management & Enhanced Security – Azure Managed Identity eliminates the need for developers to manage credentials through their source code. It provides a system-assigned or user-assigned identity to applications, which can be used to authenticate to any service that supports Microsoft Entra ID authentication.

Seamless Integration: Managed identities integrate seamlessly with a wide range of Azure services, such as Azure Key Vault, Azure App Services, Azure Storage, and more. This integration ensures that applications can easily authenticate and access these services using their managed identities.

Cost Efficiency: Azure Managed Identity is provided at no additional cost.

Improved Compliance: Using managed identities helps organizations comply with security best practices and regulatory requirements. By avoiding hardcoded credentials and relying on automatic rotation of the secret keys, organizations can achieve higher levels of compliance with industry standards and regulations.

Configure Managed Identity with Azure Web App and Key Vault  

For the demo, I deployed the ASP.NET Core application in Azure Web App. Now, let’s configure the Identity.

Log in to the Azure Portal as an admin.

Navigate to your web app, select Identity from the Settings section, and enable the system-assigned identity as shown in the figure below.

Next, click Azure role assignments, add a role assignment, and select the key vault as the scope and the role to grant, as shown in the figure below.

I selected the role “Key Vault Secrets User”, which allows the Azure web app to read secrets from the Azure Key Vault in a secure way.

Managed Identity Integration

You can use managed identities (system-assigned or user-assigned) to authenticate your applications with Key Vault, which eliminates the need to manage Entra ID application client credentials within your code.

I have written a detailed explanation of Azure Key Vault integration with an ASP.NET Core application, implementing an RBAC approach to access and retrieve a secret from Azure Key Vault with the help of a service principal from an on-premises hosted ASP.NET Core web application.

In this article, I’m going to discuss the Managed Identity feature and its benefits for cloud-based applications. Instead of on-premises, I have now hosted my ASP.NET Core application as a Web App service in Azure. With a fully cloud-based application we can leverage the Managed Identity feature of Azure App Service and Key Vault to establish the service connection seamlessly, without a service principal and without sharing a client secret across the application code.

Configure Managed Identity in ASP.NET Core Web Application

With the Azure Key Vault .NET SDK, two lines of code integrate it with the application using Managed Identity.

Program.cs

using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;

if (builder.Environment.IsProduction())
{
    // Add Key Vault as a configuration source; each secret becomes a configuration key
    Uri keyVaultUri = new Uri("[Your key vault end point]");
    builder.Configuration.AddAzureKeyVault(keyVaultUri, new ManagedIdentityCredential());
}

Either DefaultAzureCredential or ManagedIdentityCredential can be used to configure Managed Identity authentication in the code.

Token caching is enabled by default.
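Putting the portal steps above and the Program.cs snippet together, here is a fuller Program.cs as an added example (not code from the original post). It assumes an ASP.NET Core project with implicit usings and the Azure.Identity, Azure.Security.KeyVault.Secrets and Azure.Extensions.AspNetCore.Configuration.Secrets packages; the KeyVault:Uri and KeyVault:ManagedIdentityClientId settings and the /secret-check route are hypothetical names.

```csharp
// Added example (not the post's own code): Program.cs that loads Key Vault
// secrets through a managed identity and exposes a check that turns a missing
// "Key Vault Secrets User" role assignment into a clear 403 instead of a crash.
using Azure;
using Azure.Core;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);
// Assumed app settings (hypothetical keys): vault URI and, only for a
// user-assigned identity, its client id; neither is hardcoded in source.
var keyVaultUri = new Uri(builder.Configuration["KeyVault:Uri"]
    ?? throw new InvalidOperationException("KeyVault:Uri is not configured"));
string? userAssignedClientId = builder.Configuration["KeyVault:ManagedIdentityClientId"];
// null client id => system-assigned identity. ManagedIdentityCredential talks only
// to the platform identity endpoint, so it cannot fall back to developer credentials.
TokenCredential credential = new ManagedIdentityCredential(userAssignedClientId);

if (builder.Environment.IsProduction())
{
    builder.Configuration.AddAzureKeyVault(keyVaultUri, credential,
        new AzureKeyVaultConfigurationOptions
        {
            // Re-read secrets periodically so a rotated value is picked up
            // without a redeploy (tokens are cached by the credential).
            ReloadInterval = TimeSpan.FromMinutes(30)
        });
}

var app = builder.Build();

// Diagnostic endpoint: does this identity actually have data-plane read access?
app.MapGet("/secret-check", async (ILogger<Program> log) =>
{
    var client = new SecretClient(keyVaultUri, credential);
    try
    {
        KeyVaultSecret secret = await client.GetSecretAsync("Secret");
        return Results.Ok(new { name = secret.Name, length = secret.Value.Length });
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // Authentication worked but RBAC denied the read: role missing or not yet propagated.
        log.LogError(ex, "Managed identity lacks Key Vault Secrets User on {Vault}", keyVaultUri);
        return Results.Problem("Identity is not authorized to read secrets", statusCode: 403);
    }
});
app.Run();
```

The check endpoint never returns the secret value itself, only its name and length, so it can stay enabled while you confirm the role assignment has propagated.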

To read a Key Vault secret in “HomeController.cs”:

using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

public class HomeController : Controller
{
    private readonly ILogger<HomeController> _logger;
    private readonly IConfiguration _configuration;

    // IConfiguration is injected; the Key Vault provider registered in Program.cs
    // exposes each secret as a configuration key named after the secret.
    public HomeController(ILogger<HomeController> logger, IConfiguration configuration)
    {
        _logger = logger;
        _configuration = configuration;
    }

    public IActionResult Index()
    {
        // Falls back to a default message when the "Secret" key is not present.
        ViewData["keyVaultTest"] = _configuration["Secret"] ?? "Hello from Actions";
        return View();
    }
}

Inject IConfiguration to read the secret by its key.

Home/Index.cshtml

<h3>@ViewData["keyVaultTest"] </h3>

Deploy your app using an Azure web app service.

“Iam Secret” is an Azure Key Vault secret

Summary

We have seen the integration of Azure Key Vault with Managed Identity in an Azure web app service. We began with an introduction to Azure Key Vault, a cloud service for securely storing and accessing secrets, keys, and certificates. Finally, we looked at Managed Identity, which provides an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra ID authentication.

gowthamk91
