
Setup Azure Key Vault as a secret store


This bonus assignment is about using Azure Key Vault as a secret store. You will create the Azure Key Vault secret store component provided by Dapr.

Step 1: Create an Azure AD application

  1. Open a terminal window.

  2. Create an Azure AD application:

     az ad app create --display-name dapr-java-workshop-fine-collection-service
    
  3. Set the application ID in APP_ID:

    • Linux/Unix shell:

        APP_ID=$(az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv)
      
    • Powershell:

        $APP_ID = az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv
      
  4. Create the client secret using the following command:

     az ad app credential reset --id $APP_ID --years 2
    

    Take note of the values in the command's output, which will be used in the Dapr component's metadata to allow Dapr to authenticate with Azure. The password is shown only this once and cannot be retrieved later; treat it as a credential (do not paste it into chats, tickets or source control) and run the same command again to rotate it if it leaks:

    • appId is the value for azureClientId
    • password is the value for azureClientSecret
    • tenant is the value for azureTenantId

Step 2: Create a Service Principal

  1. Create a Service Principal for the application, using the application ID stored in APP_ID in the previous step:

     az ad sp create --id $APP_ID
    
  2. Set the Service Principal ID in SERVICE_PRINCIPAL_ID. You will need it to assign the role to access the Key Vault.

    • Linux/Unix shell:

        SERVICE_PRINCIPAL_ID=$(az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv)
      
    • Powershell:

        $SERVICE_PRINCIPAL_ID = az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv
      

Step 3: Create an Azure Key Vault

  1. Open a terminal window.

  2. Azure Key Vault is a managed service to securely store and access secrets. The name of the key vault must be globally unique across Azure (it becomes the host name of the vault's endpoint) and is limited to 24 characters; the prefix below is 19 characters, so the 5-character suffix fills the limit exactly. Use the following command to generate a unique name:

    • Linux/Unix shell:

        UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5)
        KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER"
        echo $KEY_VAULT
      
    • PowerShell:

        $ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
        $UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join ''
        $KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER"
        $KEY_VAULT
      

    Note the name of the Key Vault. You will need it when creating the Dapr component.

  3. Create an Azure Key Vault. With --enable-rbac-authorization true, Azure RBAC role assignments (not vault access policies) govern who can read and write secrets, which is why the role assignments below are needed:

     az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true
    
  4. Set the id of the subscription in SUBSCRIPTION. You will need it in the next step.

    • Linux/Unix shell:

        SUBSCRIPTION=$(az account show --query id -o tsv)
      
    • Powershell:

        $SUBSCRIPTION = az account show --query id -o tsv
      
  5. Assign a role using RBAC to the service principal so the application can access the Key Vault. The role “Key Vault Secrets User” (read secret contents only) is sufficient for this workshop:

     az role assignment create --role "Key Vault Secrets User" --assignee $SERVICE_PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
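
The following script is an added example and not part of the workshop. It generates the vault name the way Step 3 does, checks it against the Key Vault naming rules before you spend a round trip on az keyvault create, and builds the --scope string used by the role assignment above together with its least-privilege alternative (a single secret inside the vault). Nothing in it talks to Azure; the subscription ID, resource group and secret name at the bottom are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the workshop: name generation, name validation and
# --scope construction for the Key Vault role assignment. Offline only; the ids
# used in the demonstration are constructed placeholders.
set -eu

# Five random lowercase alphanumerics, same approach as the workshop's one-liner.
kv_suffix() {
  LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 5
}

# Key Vault naming rules: 3-24 characters, letters, digits and hyphens only,
# must start with a letter, must not end with a hyphen, no consecutive hyphens.
# Returns 0 when the name is acceptable, 1 otherwise.
kv_name_valid() {
  name="$1"
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
  case "$name" in
    *[!a-zA-Z0-9-]*) return 1 ;;   # character outside [a-zA-Z0-9-]
    [!a-zA-Z]*)      return 1 ;;   # must begin with a letter
    *-)              return 1 ;;   # must not end with a hyphen
    *--*)            return 1 ;;   # no consecutive hyphens
  esac
  return 0
}

# Resource id of the vault: the --scope used by the workshop's role assignment.
# Arguments: subscription id, resource group, vault name.
kv_scope() {
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$1" "$2" "$3"
}

# Resource id of one secret inside the vault: a narrower --scope that lets the
# service principal read that secret only (least privilege).
# Arguments: subscription id, resource group, vault name, secret name.
kv_secret_scope() {
  printf '%s/secrets/%s' "$(kv_scope "$1" "$2" "$3")" "$4"
}

# Demonstration with constructed values.
vault="kv-daprworkshopjava$(kv_suffix)"
if kv_name_valid "$vault"; then
  echo "vault name ok (${#vault} chars): $vault"
  echo "vault scope:  $(kv_scope 00000000-0000-0000-0000-000000000000 rg-dapr-workshop-java "$vault")"
  echo "secret scope: $(kv_secret_scope 00000000-0000-0000-0000-000000000000 rg-dapr-workshop-java "$vault" my-secret)"
else
  echo "vault name rejected: $vault" >&2
fi
```

Pass the output of kv_scope (or kv_secret_scope) as the --scope argument of az role assignment create; a name rejected by kv_name_valid would also be rejected by az keyvault create, so a longer prefix than the workshop's needs a shorter suffix.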
    

Step 4: Create a secret in the Azure Key Vault

The service principal created in the previous steps has the role Key Vault Secrets User assigned, which means it can only read secrets; it cannot create, change or delete them. When assigning a role, it is recommended to apply the principle of least privilege during all stages of development and deployment. In this workshop that would mean assigning Key Vault Secrets User with an individual secret as the scope (the vault's resource ID followed by /secrets/<secret-name>) instead of the whole key vault. For simplicity, you assigned the role at the key vault scope.

To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. Because the vault uses RBAC, your own account has no data-plane access yet, even though it created the vault: first you need to assign yourself the role of Key Vault Secrets Officer to be able to create secrets in the Key Vault. This role is separate from the Key Vault Secrets User role given to the service principal. To know more about the different roles, see Azure built-in roles for Key Vault data plane operations.

To assign yourself the role of Key Vault Secrets Officer, follow these steps:

  1. Open a terminal window.

  2. Set your user id in USER_ID. You will need it in the next step.

    • Linux/Unix shell:

        USER_ID=$(az ad user show --id <your-email-address> --query id -o tsv)
      
    • Powershell:

        $USER_ID = az ad user show --id <your-email-address> --query id -o tsv
      

    Replace <your-email-address> with the user principal name (sign-in address) of your account. Alternatively, az ad signed-in-user show --query id -o tsv returns the object ID of the signed-in user without needing the address.

  3. Assign yourself the Key Vault Secrets Officer role (the scope uses the SUBSCRIPTION and KEY_VAULT variables set in step 3):

     az role assignment create --role "Key Vault Secrets Officer" --assignee $USER_ID --scope "/subscriptions/$SUBSCRIPTION/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
    
  4. To create a secret in the Azure Key Vault, use the following command and replace <secret-name> and <secret-value> with the name and value of the secret you want to create. A value passed with --value is recorded in your shell history; for a real secret, prefer --file <path> to read the value from a file instead:

     az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
    

Step 5: Set the Azure Key Vault secret store component

  1. Copy or move the file dapr/azure-keyvault-secretstore.yaml to the dapr/components/ folder.

  2. Open the copied file dapr/components/azure-keyvault-secretstore.yaml in your code editor.

  3. Set the following values in the metadata section of the component:

    • vaultName: The name of the Azure Key Vault you created in step 3.
    • azureTenantId: The value for tenant you noted down in step 1.
    • azureClientId: The value for appId you noted down in step 1.
    • azureClientSecret: The value for password you noted down in step 1.

A certificate can be used instead of a client secret; see Azure Key Vault secret store.

When deployed to Azure Kubernetes Service, the client secret is stored in a Kubernetes secret and referenced from the component rather than written into the component's YAML file. See the Kubernetes tab in Configure the component of Azure Key Vault secret store.

When deployed to Azure Kubernetes Service or Azure Container Apps, a managed identity should be used instead of a client secret for production workloads: there is then no secret to distribute, rotate or leak. See Using Managed Service Identities.
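The script below is an added example, not code from the workshop or from the Dapr project. It writes the Step 5 component file from shell variables instead of pasting the client secret into an editor, creates the file owner-readable only (it holds a credential), and also renders the Kubernetes variant described above, where azureClientSecret is taken from a Kubernetes secret through secretKeyRef so the YAML itself can be committed. It assumes the component is named azurekeyvault (the name inside the workshop's file is not shown on this page); the vault name, tenant ID, client ID and secret in the demonstration are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the workshop or of Dapr: render the Azure Key Vault
# secret store component from variables and write it with mode 0600.
# Assumptions: component name "azurekeyvault"; all ids below are placeholders.
set -eu

# Self-hosted form: the client secret is written inline, as the workshop does.
# Arguments: vault name, tenant id, client id, client secret.
# Refuses empty values and secrets that would need escaping inside YAML quotes.
render_kv_component() {
  vault="$1" tenant="$2" client="$3" secret="$4"
  for v in "$vault" "$tenant" "$client" "$secret"; do
    [ -n "$v" ] || { echo "render_kv_component: empty value" >&2; return 1; }
  done
  case "$secret" in
    *[\"\\]*) echo "render_kv_component: secret contains a quote or backslash" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "$vault"
  - name: azureTenantId
    value: "$tenant"
  - name: azureClientId
    value: "$client"
  - name: azureClientSecret
    value: "$secret"
EOF
}

# Kubernetes form: azureClientSecret comes from a Kubernetes Secret via
# secretKeyRef, so no credential is written into the component.
# Arguments: vault name, tenant id, client id, k8s secret name, key in that secret.
render_kv_component_k8s() {
  vault="$1" tenant="$2" client="$3" ksecret="$4" kkey="$5"
  cat <<EOF
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "$vault"
  - name: azureTenantId
    value: "$tenant"
  - name: azureClientId
    value: "$client"
  - name: azureClientSecret
    secretKeyRef:
      name: $ksecret
      key: $kkey
EOF
}

# Write the self-hosted component to a path with mode 0600. The file is removed
# first so an existing world-readable copy does not keep its old permissions.
# Arguments: output path, then the four render_kv_component arguments.
write_kv_component() {
  out="$1"; shift
  rm -f "$out"
  ( umask 077; render_kv_component "$@" > "$out" ) || { rm -f "$out"; return 1; }
}

# Demonstration with constructed values. In the workshop the path would be
# dapr/components/azure-keyvault-secretstore.yaml; a temporary directory is used here.
dir=$(mktemp -d)
write_kv_component "$dir/azure-keyvault-secretstore.yaml" \
  kv-daprworkshopjavaabc12 11111111-1111-1111-1111-111111111111 \
  22222222-2222-2222-2222-222222222222 'constructed-client-secret'
ls -l "$dir/azure-keyvault-secretstore.yaml"
render_kv_component_k8s kv-daprworkshopjavaabc12 11111111-1111-1111-1111-111111111111 \
  22222222-2222-2222-2222-222222222222 kv-client-secret client-secret
```

With the real values, call write_kv_component with the output of az ad app credential reset captured into variables (for example --query password -o tsv) so the secret never appears on screen, and add the generated file to .gitignore; the Kubernetes rendering is what to commit when the secret lives in the cluster.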
