
Setup Azure Key Vault as a secret store

The first part of this assignment is about using Azure Key Vault as a secret store. It consists of creating the Azure Key Vault resource and deploying the Azure Key Vault secret store component to the Azure Container Apps environment.

Step 1: Create an Azure AD application

  1. Open a terminal window.

  2. Create an Azure AD application:

     az ad app create --display-name dapr-java-workshop-fine-collection-service
    
  3. Set the application ID in APP_ID:

    • Linux/Unix shell:

        APP_ID=$(az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv)
      
    • PowerShell:

        $APP_ID = az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv
      
  4. Create the client secret using the following command:

     az ad app credential reset --id $APP_ID --years 2
    

    Take note of the values in the command output; they will be used in the Dapr component’s metadata to allow Dapr to authenticate with Azure:

    • appId is the value for azureClientId
    • password is the value for azureClientSecret
    • tenant is the value for azureTenantId

Step 2: Create a Service Principal

  1. Create a Service Principal for the application using the following command (APP_ID was set in the previous step):

     az ad sp create --id $APP_ID
    
  2. Set the Service Principal ID in SERVICE_PRINCIPAL_ID. You will need it to assign the role to access the Key Vault.

    • Linux/Unix shell:

        SERVICE_PRINCIPAL_ID=$(az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv)
      
    • PowerShell:

        $SERVICE_PRINCIPAL_ID = az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv
      

Step 3: Create an Azure Key Vault

  1. Open a terminal window.

  2. Azure Key Vault is a managed service to securely store and access secrets. The Key Vault name needs to be globally unique. Use the following command to generate a unique name:

    • Linux/Unix shell:

        UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5)
        KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER"
        echo $KEY_VAULT
      
    • PowerShell:

        $ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
        $UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join ''
        $KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER"
        $KEY_VAULT
      

    Note the name of the Key Vault. You will need it when creating the Dapr component.

  3. Create an Azure Key Vault:

     az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true
    
  4. Set the subscription ID in SUBSCRIPTION. You will need it in the next step.

    • Linux/Unix shell:

        SUBSCRIPTION=$(az account show --query id -o tsv)
      
    • PowerShell:

        $SUBSCRIPTION = az account show --query id -o tsv
      
  5. Assign a role using RBAC to the Azure AD application to access the Key Vault. The role “Key Vault Secrets User” is sufficient for this workshop.

     az role assignment create --role "Key Vault Secrets User" --assignee $SERVICE_PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
    

Step 4: Create a secret in the Azure Key Vault

The service principal created in the previous steps has the role Key Vault Secrets User assigned. This means the service principal can only read secrets. When assigning a role, it is recommended to follow the principle of least privilege during all stages of development and deployment. In this workshop, that would mean assigning the Key Vault Secrets User role at the scope of a specific secret instead of the key vault itself. However, for simplicity, you assigned the role on the key vault.

To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. First you need to assign yourself the Key Vault Secrets Officer role to be able to create secrets in the Key Vault. To learn more about the different roles, see Azure built-in roles for Key Vault data plane operations.

To assign yourself the Key Vault Secrets Officer role, follow these steps:

  1. Open a terminal window.

  2. Set your user id in USER_ID. You will need it in the next step.

    • Linux/Unix shell:

        USER_ID=$(az ad user show --id <your-email-address> --query id -o tsv)
      
    • PowerShell:

        $USER_ID = az ad user show --id <your-email-address> --query id -o tsv
      

    Replace <your-email-address> with your email address.

  3. Assign yourself the Key Vault Secrets Officer role (the scope uses the SUBSCRIPTION variable set in Step 3):

     az role assignment create --role "Key Vault Secrets Officer" --assignee $USER_ID --scope "/subscriptions/$SUBSCRIPTION/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
    
  4. To create a secret in the Azure Key Vault, use the following command and replace <secret-name> and <secret-value> with the name and value of the secret you want to create:

     az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
    

Step 5: Deploy Azure Key Vault secret store component

  1. Copy or move the file dapr/aca-azure-keyvault-secretstore.yaml to the dapr/components/ folder.

  2. Open the copied file dapr/components/aca-azure-keyvault-secretstore.yaml in your code editor.

  3. Set the following values in the metadata section of the component:

    • vaultName: The name of the Azure Key Vault you created in step 3.
    • azureTenantId: The value for tenant you noted down in step 1.
    • azureClientId: The value for appId you noted down in step 1.
  4. Set the following values in the secrets section of the component:

    • azure-client-secret: The value for password you noted down in step 1.
  5. Go to the root folder of the repository.

  6. Enter the following command to deploy the secretstore Dapr component:

     az containerapp env dapr-component set \
       --name cae-dapr-workshop-java \
       --resource-group rg-dapr-workshop-java \
       --dapr-component-name secretstore \
       --yaml ./dapr/components/aca-azure-keyvault-secretstore.yaml
    
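The complete component file as it looks after steps 3 and 4 above, shown here as an added example and not the workshop's own dapr/components/aca-azure-keyvault-secretstore.yaml; the placeholder values and the scopes entry (limiting the component to the fine-collection-service app) are assumptions:

```yaml
# Dapr secret store component in the Azure Container Apps format
# (the file passed with --yaml to `az containerapp env dapr-component set`).
componentType: secretstores.azure.keyvault
version: v1
metadata:
  # Values from Step 3 (vault name) and Step 1 (tenant, appId).
  - name: vaultName
    value: "<key-vault-name>"   # placeholder: the value printed by echo $KEY_VAULT
  - name: azureTenantId
    value: "<tenant>"           # placeholder: tenant from `az ad app credential reset`
  - name: azureClientId
    value: "<appId>"            # placeholder: appId from `az ad app credential reset`
  # The client secret is not written into metadata; it is referenced from the
  # secrets section so the platform stores it as a managed secret instead.
  - name: azureClientSecret
    secretRef: azure-client-secret
secrets:
  - name: azure-client-secret
    value: "<password>"         # placeholder: password from `az ad app credential reset`
# Assumption: scope the component to the one app that needs it (least privilege).
scopes:
  - fine-collection-service
```

With the managed identity setup recommended below for production, the secrets section and the azureClientSecret entry are dropped, so no client secret is stored in the environment at all.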

Managed Identity

By setting a secret in a Dapr component for an Azure Container Apps environment, the secret is stored using platform-managed Kubernetes secrets. This is useful when connecting non-Azure services or in DEV/TEST scenarios for quickly deploying Dapr components.

In production scenarios, it is recommended to use Azure Key Vault secret store with a managed identity instead and to not store secrets as Kubernetes secrets.
