Azure Key Vault Overview
Azure Key Vault is a cloud service for securely storing and accessing secrets, encryption keys, and certificates. It provides centralized secret management with access control and logging capabilities.
Key Features
1. Secret Management
- Store API keys, passwords, connection strings
- Version control for secrets
- Automatic secret rotation
- Secure secret retrieval
2. Key Management
- Create and control encryption keys
- Import existing keys
- Store symmetric and asymmetric keys
- Hardware Security Module (HSM) backing
3. Certificate Management
- Store SSL/TLS certificates
- Automatic certificate renewal
- Integration with Azure certificate authorities
- Certificate lifecycle management
Security Features
Access Control
1. Azure AD Integration
- Authentication via Azure AD identities
- Support for managed identities
- Multi-factor authentication
2. RBAC Policies
- Granular access control
- Custom role definitions
- Separation of duties
Best Practices
1. Network Security
- Use Private Endpoints
- Implement network isolation
- Enable Firewall rules
2. Monitoring
- Enable diagnostic logging
- Set up alerts
- Regular access reviews
Implementation Guide
1. Create Key Vault
```powershell
# Install Azure PowerShell module if needed
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
# Login to Azure
Connect-AzAccount
# Create Resource Group (if needed)
$resourceGroup = "YourResourceGroup"
$location = "eastus"
New-AzResourceGroup -Name $resourceGroup -Location $location
# Create Key Vault (RBAC authorization, purge protection and 90-day soft-delete retention)
$vaultName = "YourKeyVaultName"
New-AzKeyVault -Name $vaultName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -EnableRbacAuthorization `
    -EnablePurgeProtection `
    -SoftDeleteRetentionInDays 90
```
2. Configure Access Policies
```powershell
# Assign RBAC roles
$objectId = (Get-AzADUser -UserPrincipalName "user@domain.com").Id
# Replace {SubID} with your subscription ID; (Get-AzKeyVault -VaultName $vaultName).ResourceId gives the same scope string
# Key Vault Administrator
New-AzRoleAssignment -ObjectId $objectId `
    -RoleDefinitionName "Key Vault Administrator" `
    -Scope "/subscriptions/{SubID}/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$vaultName"
# Key Vault Secrets Officer
New-AzRoleAssignment -ObjectId $objectId `
    -RoleDefinitionName "Key Vault Secrets Officer" `
    -Scope "/subscriptions/{SubID}/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$vaultName"
```
3. Store and Retrieve Secrets
```powershell
# Store a secret
$secretvalue = ConvertTo-SecureString "YourSecretValue" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName `
    -Name "SecretName" `
    -SecretValue $secretvalue
# Retrieve a secret (SecretValue is a SecureString; convert it only where plain text is unavoidable)
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name "SecretName"
$secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
)
# Az.KeyVault 2.0 and later also accept: Get-AzKeyVaultSecret -VaultName $vaultName -Name "SecretName" -AsPlainText
```
4. Manage Certificates
```powershell
# Import a certificate
$certPath = "path/to/your/cert.pfx"
$certPassword = ConvertTo-SecureString -String "YourCertPassword" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName $vaultName `
    -Name "CertName" `
    -FilePath $certPath `
    -Password $certPassword
# Get certificate
$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name "CertName"
```
Security Considerations
Critical Security Guidelines
1. Access Management
- Use managed identities when possible
- Implement least-privilege access
- Regular access reviews
2. Network Security
- Enable Azure Private Link
- Restrict network access
- Use service endpoints
3. Monitoring and Auditing
- Enable diagnostic logging
- Configure alerts
- Regular compliance reviews
4. Backup and Recovery
- Enable soft-delete
- Configure purge protection
- Regular backup validation
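The network, auditing and recovery guidelines above, applied to an existing vault as an added PowerShell example (not code from the original page). It assumes $vaultName and $resourceGroup from the implementation guide; the Log Analytics workspace ID and the allowed IP range are placeholders.

```powershell
# Added example: harden and audit an existing vault. $vaultName/$resourceGroup come from
# the implementation guide; $workspaceId and $allowedIpRange are placeholders to replace.
$workspaceId    = "/subscriptions/{SubID}/resourceGroups/{LogRG}/providers/Microsoft.OperationalInsights/workspaces/{WorkspaceName}"
$allowedIpRange = "203.0.113.0/24"   # placeholder (documentation range); use your egress CIDR

$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup

# 1. Network: deny by default, allow trusted Azure services plus one CIDR range
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -DefaultAction Deny -Bypass AzureServices -IpAddressRange $allowedIpRange

# 2. Auditing: ship AuditEvent logs (every data-plane call, including denied ones) to Log Analytics
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Category AuditEvent -Enabled $true
New-AzDiagnosticSetting -Name "kv-audit" -ResourceId $vault.ResourceId `
    -WorkspaceId $workspaceId -Log $auditLog

# 3. Recovery: purge protection cannot be switched off again, so enable it deliberately
if (-not $vault.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -EnablePurgeProtection
}

# 4. Backup validation: export the backup blob of one secret and confirm the file exists
$backupFile = Join-Path $env:TEMP "SecretName.blob"
Backup-AzKeyVaultSecret -VaultName $vaultName -Name "SecretName" -OutputFile $backupFile -Force
if (-not (Test-Path $backupFile)) { throw "Backup of SecretName was not written" }

# 5. Re-read the vault and report its posture in one place
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
[pscustomobject]@{
    Vault             = $vault.VaultName
    RbacAuthorization = $vault.EnableRbacAuthorization
    SoftDelete        = $vault.EnableSoftDelete
    PurgeProtection   = $vault.EnablePurgeProtection
    NetworkDefault    = $vault.NetworkAcls.DefaultAction
    Bypass            = $vault.NetworkAcls.Bypass
} | Format-List
```

Run this from a client inside $allowedIpRange: once step 1 is applied, the backup call in step 4 (and any other data-plane call) from elsewhere is refused.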
Integration Examples
1. Azure Functions Integration
```powershell
# Add Key Vault reference to Function App
$functionAppName = "YourFunctionApp"
$keyVaultUri = (Get-AzKeyVault -Name $vaultName).VaultUri
Update-AzFunctionApp -Name $functionAppName `
    -ResourceGroupName $resourceGroup `
    -IdentityType SystemAssigned
# Grant Function App access to Key Vault (replace {SubID} with your subscription ID)
$functionAppIdentity = (Get-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroup).Identity.PrincipalId
New-AzRoleAssignment -ObjectId $functionAppIdentity `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope "/subscriptions/{SubID}/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$vaultName"
```
2. App Service Integration
```powershell
# Enable managed identity for App Service
$webAppName = "YourWebApp"
Set-AzWebApp -Name $webAppName `
    -ResourceGroupName $resourceGroup `
    -AssignIdentity $true
# Grant App Service access to Key Vault (replace {SubID} with your subscription ID)
$webAppIdentity = (Get-AzWebApp -Name $webAppName -ResourceGroupName $resourceGroup).Identity.PrincipalId
New-AzRoleAssignment -ObjectId $webAppIdentity `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope "/subscriptions/{SubID}/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$vaultName"
```
Best Practices for Integration
- Always use managed identities
- Implement proper error handling
- Cache secrets when appropriate
- Monitor secret access patterns
- Implement secret rotation
- Use appropriate secret scopes
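Secret rotation and versioning from the list above, as an added PowerShell example (not from the original page). It assumes $vaultName from the implementation guide, and it only rotates the value stored in the vault; updating the credential at the system that consumes it is a separate step.

```powershell
# Added example: publish a new secret version with an expiry, then disable (not delete)
# the previous version so consumers move over and a rollback stays possible.
# Assumes $vaultName from the steps above; the new value is random material generated here.
function Invoke-SecretRotation {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [int] $LifetimeDays = 90
    )
    # 32 random bytes, base64-encoded, as the new secret material (works on PowerShell 5.1 and 7)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newValue = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $previous = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    try {
        $current = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $newValue `
            -Expires (Get-Date).ToUniversalTime().AddDays($LifetimeDays) `
            -Tag @{ rotatedBy = $env:USERNAME; rotatedAt = (Get-Date -Format o) }
    } catch {
        throw "Rotation of $SecretName failed before a new version was written: $($_.Exception.Message)"
    }

    # Old version stays readable by version ID only while enabled; disabling it stops "latest" fallbacks
    if ($previous -and $previous.Version -ne $current.Version) {
        Update-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
            -Version $previous.Version -Enable $false | Out-Null
    }
    # Version history is the audit trail: one enabled version, older ones disabled with their dates
    Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -IncludeVersions |
        Select-Object Version, Enabled, Created, Expires
}
Invoke-SecretRotation -VaultName $vaultName -SecretName "SecretName"
```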
Troubleshooting
Common issues and their solutions when working with Azure Key Vault.
Access Denied
- Verify RBAC assignments
- Check network restrictions
- Validate managed identity
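The three "Access Denied" checks above, worked through for one principal as an added PowerShell example (not from the original page). It assumes $vaultName from the implementation guide and a principal object ID, for example the managed identity PrincipalId from the integration examples.

```powershell
# Added example: explain an Access Denied for one principal against one vault.
# Assumes $vaultName from the steps above and a principal object ID (user or managed identity).
function Test-KeyVaultAccess {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $PrincipalId
    )
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { return "Vault '$VaultName' not found in the current subscription" }
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Managed identity: the principal must exist (a freshly enabled identity can take a moment to propagate)
    $sp = Get-AzADServicePrincipal -ObjectId $PrincipalId -ErrorAction SilentlyContinue
    if (-not $sp) {
        $findings.Add("No service principal with object ID $PrincipalId (identity not enabled, wrong ID, or not yet propagated)")
    }

    # 2. Authorization: RBAC vaults need a 'Key Vault *' data-plane role; Owner/Contributor alone do not grant secret access.
    #    Get-AzRoleAssignment at vault scope also returns assignments inherited from the resource group and subscription.
    if ($vault.EnableRbacAuthorization) {
        $roles = Get-AzRoleAssignment -ObjectId $PrincipalId -Scope $vault.ResourceId
        $dataPlane = $roles | Where-Object { $_.RoleDefinitionName -like "Key Vault*" }
        if (-not $dataPlane) {
            $findings.Add("No 'Key Vault *' role at or above $($vault.ResourceId); roles present: $(($roles.RoleDefinitionName | Sort-Object -Unique) -join ', ')")
        }
    } else {
        $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $PrincipalId }
        if (-not $policy) { $findings.Add("Vault uses access policies and none is defined for $PrincipalId") }
    }

    # 3. Network: with a Deny default, a correct role still fails unless the caller arrives via an allowed path
    $acl = $vault.NetworkAcls
    if ($acl.DefaultAction -eq "Deny") {
        $findings.Add("Network default is Deny; caller must come from IP ranges [$($acl.IpAddressRanges -join ', ')], an allowed VNet, a private endpoint, or a trusted service (Bypass=$($acl.Bypass))")
    }

    if ($findings.Count -eq 0) { return "No obvious cause; check AuditEvent logs for the exact error code of the failed call" }
    return $findings
}
Test-KeyVaultAccess -VaultName $vaultName -PrincipalId $functionAppIdentity
```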
Certificate Issues
- Verify certificate format
- Check expiration dates
- Validate private key
Performance Issues
- Implement caching
- Use bulk operations
- Monitor throttling limits