Setup Azure Key Vault as a secret store
Table of contents
This bonus assignment is about using Azure Key Vault as a secret store. You will create the Azure Key Vault secret store component provided by Dapr.
Step 1: Create an Azure AD application
-
Open a terminal window.
-
Create an Azure AD application:
az ad app create --display-name dapr-java-workshop-fine-collection-service -
Set the application ID in
APP_ID:-
Linux/Unix shell:
APP_ID=$(az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv) -
Powershell:
$APP_ID = az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv
-
-
Create the client secret using the following command:
az ad app credential reset --id $APP_ID --years 2Take note of the values above, which will be used in the Dapr component’s metadta to allow Dapr to authenticate with Azure:
appIdis the value forazureClientIdpasswordis the value forazureClientSecrettenantis the value forazureTenantId
Step 2: Create a Service Principal
-
Create a Service Principal using the following command and replace
<appId>with the application ID you noted down in the previous step:az ad sp create --id $APP_ID -
Set the Service Principal ID in
SERVICE_PRINCIPAL_ID. You will need it to assign the role to access the Key Vault.-
Linux/Unix shell:
SERVICE_PRINCIPAL_ID=$(az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv) -
Powershell:
$SERVICE_PRINCIPAL_ID = az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv
-
Step 3: Create an Azure Key Vault
-
Open a terminal window.
-
Azure Key Vault is a manage service to securely store and access secrets. This key vault needs to be globally unique. Use the following command to generate a unique name:
-
Linux/Unix shell:
UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5) KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER" echo $KEY_VAULT -
PowerShell:
$ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789' $UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join '' $KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER" $KEY_VAULT
Note the name of the Key Vault. You will need it when creating the Dapr component.
-
-
Create an Azure Key Vault:
az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true -
Set the id of the subscription in
SUBSCRIPTION. You will need it in the next step.-
Linux/Unix shell:
SUBSCRIPTION=$(az account show --query id -o tsv) -
Powershell:
$SUBSCRIPTION = az account show --query id -o tsv
-
-
Assign a role using RBAC to the Azure AD application to access the Key Vault. The role “Key Vault Secrets User” is sufficient for this workshop.
az role assignment create --role "Key Vault Secrets User" --assignee $SERVICE_PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
Step 4: Create a secret in the Azure Key Vault
The service principal created in the previous steps has the role Key Vault Secrets User assigned. It means this service principal can only read secrets. When assignining a role, it is recommended to use the principle of least privilege during all stages of development and deployment. This means that in this workshop, you could have assigned the Key Vault Secret User to a specific role instead to the key vault itself. However, for simplicity, you assigned the role to the key vault.
To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. First you need to assign you the role of Key Vault Secrets Officer to be able to create secrets in the Key Vault. To know more about the different roles, see Azure built-in roles for Key Vault data plane operations.
To assign to you the role of Key Vault Secrets Officer, follow these steps:
-
Open a terminal window.
-
Set your user id in
USER_ID. You will need it in the next step.-
Linux/Unix shell:
USER_ID=$(az ad user show --id <your-email-address> --query id -o tsv) -
Powershell:
$USER_ID = az ad user show --id <your-email-address> --query id -o tsv
Replace
<your-email-address>with your email address. -
-
Assign you
Key Vault Secrets Officerrole:az role assignment create --role "Key Vault Secrets Officer" --assignee $USER_ID --scope "/subscriptions/$SUBSCRIPTION_ID/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT" -
To create a secret in the Azure Key Vault, use the following command and replace
<secret-name>and<secret-value>with the name and value of the secret you want to create:az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
Step 5: Set the Azure Key Vault secret store component
-
Copy or Move this file
dapr/azure-keyvault-secretstore.yamtodapr/components/folder. -
Open the copied file
dapr/components/azure-keyvault-secretstore.yamlin your code editor. -
Set the following values in the metadata section of the component:
vaultName: The name of the Azure Key Vault you created in step 3.azureTenantId: The value fortenantyou noted down in step 1.azureClientId: The value forappIdyou noted down in step 1.azureClientSecret: The value forpasswordyou noted down in step 1.
Certificate can be used instead of client secret, see Azure Key Vault secret store.
When deployed to Azure Kubernetes Service, the client secret is a kubernetes secret and not set in the component’s YAML file. See the Kubernetes tab in Configure the component of Azure Key Vault secret store.
When deployed to Azure Kubernetes Service and Azure Container Apps, managed identity can should used instead of client secret for production workloads. See Using Managed Service Identities.
Retreive a secret in the application Reference a secret in a component