Azure Key Vault
Azure Key Vault configuration reference for Veza Secrets Vaults
This reference guide provides detailed steps for configuring Azure Key Vault to support Veza's Secrets Vaults feature. For the complete setup process, see the main Secrets Vaults guide.
Overview
Azure Key Vault is Microsoft's cloud service for securely storing and accessing secrets. This guide covers the Azure-specific configuration requirements for integrating with Veza's Secrets Vaults feature.
Prerequisites
An Azure account with permission to create and manage Key Vaults
A Microsoft Azure subscription with Key Vault service enabled
Access to create and manage application credentials in Azure Active Directory
An external Insight Point deployed in your environment
Azure Key Vault setup
Create or configure Key Vault
Navigate to the Azure portal and search for "Key vaults".
Create a new Key Vault or select an existing one.
Ensure the Key Vault is accessible from your network where the Insight Point is deployed.
Note the Vault URI for your configuration.
This will be in the format:
https://your-vault-name.vault.azure.net/
Configure access control
Azure Key Vault supports two authorization models: Azure RBAC (recommended) and Access Policies (legacy). Microsoft recommends using Azure RBAC for new deployments.
Option 1: Azure RBAC (Recommended)
For new Key Vaults or those migrated to RBAC:
Ensure your Key Vault uses the RBAC permission model:
az keyvault update --name <vault-name> --resource-group <resource-group-name> --enable-rbac-authorization trueNavigate to your Key Vault resource.
Select Access control (IAM) from the left navigation.
Click + Add > Add role assignment.
Configure the role assignment:
Role: "Key Vault Secrets User" (for read access to secrets)
Assign access to: "User, group, or service principal"
Select: Choose the Azure AD application you created for Veza
Click Save to apply the role assignment.
Option 2: Access Policies (Legacy)
For existing Key Vaults using access policies:
Navigate to your Key Vault resource.
Select Access policies from the left navigation.
Click + Add Access Policy.
Configure the following permissions:
Secret permissions: Get, List
Select principal: Choose the Azure AD application you created for Veza
Authorized application: Leave blank unless using specific application restrictions
Click Add and then Save to apply the policy.
Note: Microsoft recommends migrating to Azure RBAC for improved security and management. See Microsoft's migration guide for details.
Azure Active Directory application setup
Set up Azure AD application
If you already have an Azure integration configured with Veza, you can use the existing app registration. Otherwise, follow the steps in the Azure integration guide to create an app registration.
For secrets vault access, your app registration needs Key Vault permissions. If you need to create a new app registration specifically for secrets vault access:
Navigate to Azure Active Directory > App registrations.
Click New registration.
Configure the application:
Name: "Veza Secrets Vault Access" (or your preferred name)
Supported account types: Single tenant (recommended)
Redirect URI: Leave blank for this use case
Click Register.
Record the following values from the Overview page:
Application (client) ID
Directory (tenant) ID
Generate client secret
From your application registration, navigate to Certificates & secrets.
Click New client secret.
Configure the secret:
Description: "Veza Insight Point Access"
Expires: Choose an appropriate expiration based on your security policies
Click Add.
Important: Copy the secret Value immediately.
This value will only be displayed once and cannot be retrieved later.
Verify permissions
Ensure your application has the necessary permissions:
Navigate to API permissions in your application registration.
Verify the application has appropriate Microsoft Graph permissions if needed for your environment.
If using managed identities, ensure the identity has the required Key Vault access policies configured.
Secret format specifications
Active Directory secrets
For Active Directory integrations, store credentials in this JSON format:
{
"username": "DOMAIN\\serviceaccount",
"password": "your_secure_password",
"ldaps_certificate": "-----BEGIN CERTIFICATE-----\nMIIEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----"
}Field requirements:
username: Domain-qualified service account with appropriate AD permissionspassword: Secure password for the service accountldaps_certificate: Base64-encoded LDAPS certificate (optional, for secure LDAP connections)
Okta OAuth secrets
For Okta integrations using OAuth authentication:
{
"client_id": "0oa1a2b3c4d5e6f7g8h9",
"private_key_id": "your_key_id",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END PRIVATE KEY-----"
}Field requirements:
client_id: OAuth client ID from Okta application configurationprivate_key_id: Key ID associated with the private keyprivate_key: RSA private key in PEM format
Okta API Token secrets
For Okta integrations using API token authentication:
{
"token": "00A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9"
}Field requirements:
token: Valid Okta API token with appropriate permissions
LDAP secrets
For LDAP integrations:
{
"bind_dn_or_user": "cn=serviceaccount,ou=service,dc=example,dc=com",
"bind_password": "your_secure_password",
"ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----"
}Field requirements:
bind_dn_or_user: Distinguished name or username for LDAP bindingbind_password: Password for the bind accountca_certificate: CA certificate for secure LDAP connections (optional)
Security considerations
Network isolation
Ensure your Key Vault is accessible from the Insight Point's network
Consider using Azure Private Link for additional network isolation
Implement network security groups (NSGs) to restrict Key Vault access
Access control
Follow the principle of least privilege when configuring access policies
Regularly rotate client secrets and API tokens
Monitor Key Vault access logs for unusual activity
Consider using Azure managed identities where possible
Certificate management
Store certificates in PEM format within the JSON secret values
Ensure certificates are properly escaped for JSON formatting
Monitor certificate expiration dates and plan for rotation
Troubleshooting
Authentication issues
Problem: "Access denied" errors when Insight Point attempts to retrieve secrets
Solutions:
Verify the client ID and secret are correct in the vault configuration
Check that access policies include both "Get" and "List" permissions for secrets
Ensure the tenant ID matches your Azure AD tenant
Verify the application registration is in the correct tenant
Network connectivity issues
Problem: Connection timeouts when accessing Key Vault
Solutions:
Verify network connectivity from the Insight Point to Azure Key Vault endpoints
Check firewall rules and network security groups
Confirm the Key Vault URI is correct and accessible
Test connectivity using tools like
curlorwgetfrom the Insight Point
Secret format issues
Problem: Integration fails to authenticate with target systems
Solutions:
Verify JSON formatting is correct (no extra spaces, proper escaping)
Ensure field names match the expected format for your integration type
Validate that certificates are in proper PEM format
Check that credentials are valid for the target system
Configuration file issues
Problem: Vault configuration not loaded by Insight Point
Solutions:
Verify the
SECRETS_VAULTS_CONFIG_PATHenvironment variable is set correctlyCheck that the YAML file is properly formatted
Ensure the Insight Point process has read permissions for the configuration file
Review Insight Point logs for configuration parsing errors
See also
Last updated
Was this helpful?