Azure Key Vault

Overview

Azure Key Vault is Microsoft's cloud service for securely storing and accessing secrets. This guide covers the Azure-specific configuration requirements for integrating with Veza's Secrets Vaults feature.

Prerequisites

• An Azure account with permission to create and manage Key Vaults

• A Microsoft Azure subscription with Key Vault service enabled

• Access to create and manage application credentials in Azure Active Directory

Azure Key Vault setup

Create or configure Key Vault

1. Navigate to the Azure portal and search for "Key vaults".

2. Create a new Key Vault or select an existing one.

   Ensure the Key Vault is accessible from your network where the Insight Point is deployed.

3. Note the Vault URI for your configuration.

   This will be in the format: https://your-vault-name.vault.azure.net/

Configure access control

Azure Key Vault supports two authorization models: Azure RBAC (recommended) and Access Policies (legacy). Microsoft recommends using Azure RBAC for new deployments.

Option 1: Azure RBAC (Recommended)

For new Key Vaults or those migrated to RBAC:

1. Ensure your Key Vault uses the RBAC permission model:

   Copy

   az keyvault update --name <vault-name> --resource-group <resource-group-name> --enable-rbac-authorization true

2. Navigate to your Key Vault resource.

3. Select Access control (IAM) from the left navigation.

4. Click + Add > Add role assignment.

5. Configure the role assignment:

   • Role: "Key Vault Secrets User" (for read access to secrets)

   • Assign access to: "User, group, or service principal"

   • Select: Choose the Azure AD application you created for Veza

6. Click Save to apply the role assignment.

Option 2: Access Policies (Legacy)

For existing Key Vaults using access policies:

1. Navigate to your Key Vault resource.

2. Select Access policies from the left navigation.

3. Click + Add Access Policy.

4. Configure the following permissions:

   • Secret permissions: Get, List

   • Select principal: Choose the Azure AD application you created for Veza

   • Authorized application: Leave blank unless using specific application restrictions

5. Click Add and then Save to apply the policy.

Azure Active Directory application setup

Set up Azure AD application

For secrets vault access, your app registration needs Key Vault permissions. If you need to create a new app registration specifically for secrets vault access:

1. Navigate to Azure Active Directory > App registrations.

2. Click New registration.

3. Configure the application:

   • Name: "Veza Secrets Vault Access" (or your preferred name)

   • Supported account types: Single tenant (recommended)

   • Redirect URI: Leave blank for this use case

4. Click Register.

5. Record the following values from the Overview page:

   • Application (client) ID

   • Directory (tenant) ID

Generate client secret

1. From your application registration, navigate to Certificates & secrets.

2. Click New client secret.

3. Configure the secret:

   • Description: "Veza Insight Point Access"

   • Expires: Choose an appropriate expiration based on your security policies

4. Click Add.

5. Important: Copy the secret Value immediately.

   This value will only be displayed once and cannot be retrieved later.

Verify permissions

Ensure your application has the necessary permissions:

1. Navigate to API permissions in your application registration.

2. Verify the application has appropriate Microsoft Graph permissions if needed for your environment.

3. If using managed identities, ensure the identity has the required Key Vault access policies configured.

Secret format specifications

Active Directory secrets

For Active Directory integrations, store credentials in this JSON format:

{
  "username": "DOMAIN\\serviceaccount",
  "password": "your_secure_password",
  "ldaps_certificate": "-----BEGIN CERTIFICATE-----\nMIIEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----"
}

Field requirements:

• username: Domain-qualified service account with appropriate AD permissions

• password: Secure password for the service account

• ldaps_certificate: Base64-encoded LDAPS certificate (optional, for secure LDAP connections)

Okta OAuth secrets

For Okta integrations using OAuth authentication:

{
  "client_id": "0oa1a2b3c4d5e6f7g8h9",
  "private_key_id": "your_key_id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END PRIVATE KEY-----"
}

Field requirements:

• client_id: OAuth client ID from Okta application configuration

• private_key_id: Key ID associated with the private key

• private_key: RSA private key in PEM format

Okta API Token secrets

For Okta integrations using API token authentication:

{
  "token": "00A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9"
}

Field requirements:

• token: Valid Okta API token with appropriate permissions

LDAP secrets

For LDAP integrations:

{
  "bind_dn_or_user": "cn=serviceaccount,ou=service,dc=example,dc=com",
  "bind_password": "your_secure_password",
  "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----"
}

Field requirements:

• bind_dn_or_user: Distinguished name or username for LDAP binding

• bind_password: Password for the bind account

• ca_certificate: CA certificate for secure LDAP connections (optional)

Security considerations

Network isolation

• Ensure your Key Vault is accessible from the Insight Point's network

• Consider using Azure Private Link for additional network isolation

• Implement network security groups (NSGs) to restrict Key Vault access

Access control

• Follow the principle of least privilege when configuring access policies

• Regularly rotate client secrets and API tokens

• Monitor Key Vault access logs for unusual activity

• Consider using Azure managed identities where possible

Certificate management

• Store certificates in PEM format within the JSON secret values

• Ensure certificates are properly escaped for JSON formatting

• Monitor certificate expiration dates and plan for rotation

Troubleshooting

Authentication issues

Problem: "Access denied" errors when Insight Point attempts to retrieve secrets

Solutions:

1. Verify the client ID and secret are correct in the vault configuration

2. Check that access policies include both "Get" and "List" permissions for secrets

3. Ensure the tenant ID matches your Azure AD tenant

4. Verify the application registration is in the correct tenant

Network connectivity issues

Problem: Connection timeouts when accessing Key Vault

Solutions:

1. Verify network connectivity from the Insight Point to Azure Key Vault endpoints

2. Check firewall rules and network security groups

3. Confirm the Key Vault URI is correct and accessible

4. Test connectivity using tools like curl or wget from the Insight Point

Secret format issues

Problem: Integration fails to authenticate with target systems

Solutions:

1. Verify JSON formatting is correct (no extra spaces, proper escaping)

2. Ensure field names match the expected format for your integration type

3. Validate that certificates are in proper PEM format

4. Check that credentials are valid for the target system

Configuration file issues

Problem: Vault configuration not loaded by Insight Point

Solutions:

1. Verify the SECRETS_VAULTS_CONFIG_PATH environment variable is set correctly

2. Check that the YAML file is properly formatted

3. Ensure the Insight Point process has read permissions for the configuration file

4. Review Insight Point logs for configuration parsing errors

See also