Sunday, January 12, 2020

How awesome is Azure Key Vault

Earlier I wrote an article on having Azure Key Vault and App Configuration together. I have been using it for a while. But in this article I will write specifics on the Azure Key Vault. Azure Key Vault is the central hub for storing secrets, keys and certificates. 

Imagine a scenario where you have a bunch of configuration keys need to go with your application. You do not need the developers to know about these key values that runs on production. Well you can simply have a Key Vault setup to do that. 

The beauty is that developers will be using appsettings.json file for using the keys specific to development machines and you can setup the production server and the UAT server to pick from the key vault. 

Azure administrator will be setting the values as in your code, you will only set the key vault url. That can be setup as a configuration. 

A big question that may come to you is what is the purpose if the url is stored in app configuration file. Though that url is set in the app config, the developers cannot access that. The authentication to the production App Service or the Kubernetes Cluster happen via an Azure Managed Identity. That way, the production servers can access production Key Vault and UAT servers can access UAT Key vault. 

Now what does Key Vault support? 

1. Keys - You can store or import RSA or EC type keys.
2. Certificates - Imagine you need a certificate to access an endpoint on a specific service. You can store that here. 
3. Secrets - The application secrets as key and value pairs.

There are some cool features above what is just there. 

1. You can set activation and expiration. Key vault items can be set to last a specific period with this. 
2. You can restore a previous version. Imagine if you mistakenly changed a specific version, the previous ones are available right there. 
3. Download backups. You can download a backup, and it is encrypted and can ONLY be restored to a key vault within that specific subscription. 

I am planning to do a video on the setup. Stay tuned.

No comments:

Post a Comment