Setup Azure Key Vault as a secret store
The first part of this assignment is about using Azure Key Vault as a secret store. It consists of creating the Azure Key Vault resource and deploying the Azure Key Vault secret store component to the Azure Container Apps environment.
Step 1: Create an Azure AD application
- Open a terminal window.
- Create an Azure AD application:

  ```bash
  az ad app create --display-name dapr-java-workshop-fine-collection-service
  ```

- Set the application ID in `APP_ID`:
  - Linux/Unix shell:

    ```bash
    APP_ID=$(az ad app list --display-name dapr-java-workshop-fine-collection-service --query "[].appId" -o tsv)
    ```

  - PowerShell:

    ```powershell
    $APP_ID = az ad app list --display-name dapr-java-workshop-fine-collection-service --query "[].appId" -o tsv
    ```

- Create the client secret using the following command:

  ```bash
  az ad app credential reset --id $APP_ID --years 2
  ```

  Take note of the values in the output; they are used in the Dapr component's metadata to allow Dapr to authenticate with Azure:
  - `appId` is the value for `azureClientId`
  - `password` is the value for `azureClientSecret`
  - `tenant` is the value for `azureTenantId`

  The `password` is shown only in this output and cannot be retrieved later; running `credential reset` again replaces it with a new one. It is valid for the two years requested with `--years 2`, so plan to rotate it before then.
Step 2: Create a Service Principal
- Create a Service Principal for the application, using the application ID stored in `APP_ID` in the previous step:

  ```bash
  az ad sp create --id $APP_ID
  ```

- Set the Service Principal's object ID in `SERVICE_PRINCIPAL_ID` (this is the `id` of the service principal, which is different from the `appId`). You will need it to assign the role that grants access to the Key Vault:
  - Linux/Unix shell:

    ```bash
    SERVICE_PRINCIPAL_ID=$(az ad sp list --display-name dapr-java-workshop-fine-collection-service --query "[].id" -o tsv)
    ```

  - PowerShell:

    ```powershell
    $SERVICE_PRINCIPAL_ID = az ad sp list --display-name dapr-java-workshop-fine-collection-service --query "[].id" -o tsv
    ```
Step 3: Create an Azure Key Vault
- Open a terminal window.
- Azure Key Vault is a managed service to securely store and access secrets. Key Vault names must be globally unique, so generate one by appending a random suffix to the workshop prefix (the prefix plus five characters is 24 characters, the maximum length of a Key Vault name, so do not lengthen it):
  - Linux/Unix shell:

    ```bash
    UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5)
    KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER"
    echo $KEY_VAULT
    ```

  - PowerShell:

    ```powershell
    $ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
    $UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join ''
    $KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER"
    $KEY_VAULT
    ```

  Note the name of the Key Vault. You will need it when creating the Dapr component.
- Create the Azure Key Vault. `--enable-rbac-authorization true` selects Azure RBAC, rather than vault access policies, as the data-plane permission model, so access to secrets is granted through role assignments in the next steps:

  ```bash
  az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true
  ```

- Set the ID of the subscription in `SUBSCRIPTION`. You will need it in the next step:
  - Linux/Unix shell:

    ```bash
    SUBSCRIPTION=$(az account show --query id -o tsv)
    ```

  - PowerShell:

    ```powershell
    $SUBSCRIPTION = az account show --query id -o tsv
    ```

- Assign a role using RBAC to the service principal so that it can access the Key Vault. The role "Key Vault Secrets User" (read secret contents only) is sufficient for this workshop:

  ```bash
  az role assignment create --role "Key Vault Secrets User" --assignee $SERVICE_PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
  ```
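As an added example (not part of the workshop's own code), the name generation from step 3 wrapped in a POSIX shell function, together with a validator for Azure Key Vault's naming rules: 3 to 24 characters, letters, digits and hyphens only, starting with a letter, ending with a letter or digit, and no consecutive hyphens. The function names and the `KV_PREFIX` variable are this example's own; the rules come from the Key Vault documentation. The check is worth having because the workshop prefix plus a five-character suffix is exactly 24 characters, the maximum, so any change to the prefix would make `az keyvault create` reject the name.

```shell
#!/bin/sh
# Added example, not the workshop's own code: generate a Key Vault name the way
# step 3 does, then check it against Azure Key Vault naming rules before it is
# handed to `az keyvault create`. Rules: 3 to 24 characters, letters, digits and
# hyphens only, starts with a letter, ends with a letter or digit, no
# consecutive hyphens. Function names and KV_PREFIX are assumptions made for
# this example.

KV_PREFIX="kv-daprworkshopjava"   # the workshop prefix: 19 characters

# random_suffix N: N random characters from [a-z0-9] (default 5), as in step 3.
# Reading a fixed 512 bytes avoids a SIGPIPE on tr under `set -o pipefail`.
random_suffix() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c "${1:-5}"
}

# validate_kv_name NAME: prints "ok" and returns 0 if NAME is a legal Key Vault
# name, otherwise prints the first rule violated and returns 1.
validate_kv_name() {
    name=$1
    len=${#name}
    if [ "$len" -lt 3 ] || [ "$len" -gt 24 ]; then
        echo "length $len is outside 3-24"
        return 1
    fi
    case $name in
        *[!A-Za-z0-9-]*) echo "contains a character other than a letter, digit or hyphen"; return 1 ;;
    esac
    case $name in
        [A-Za-z]*) ;;
        *) echo "must start with a letter"; return 1 ;;
    esac
    case $name in
        *[A-Za-z0-9]) ;;
        *) echo "must end with a letter or digit"; return 1 ;;
    esac
    case $name in
        *--*) echo "contains consecutive hyphens"; return 1 ;;
    esac
    echo "ok"
}

# make_kv_name: prefix plus random suffix, printed only if it validates.
make_kv_name() {
    candidate="${KV_PREFIX}$(random_suffix 5)"
    validate_kv_name "$candidate" >/dev/null || return 1
    echo "$candidate"
}

# Stand-alone use: KEY_VAULT=$(sh kvname.sh --demo)
if [ "${1:-}" = "--demo" ]; then
    make_kv_name
fi
```

`validate_kv_name` reports only the first rule violated, which is enough to decide whether to proceed; `az keyvault create` performs the same checks server-side, but failing locally is faster and keeps a half-finished resource group out of the picture.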
Step 4: Create a secret in the Azure Key Vault
The service principal created in the previous steps has the Key Vault Secrets User role assigned, which means it can only read secret contents. When assigning a role, apply the principle of least privilege during all stages of development and deployment. In this workshop that would mean scoping the Key Vault Secrets User role to the specific secret the service needs (Key Vault RBAC supports assignments at the scope of an individual secret, `.../vaults/<vault-name>/secrets/<secret-name>`) instead of to the whole Key Vault. For simplicity, you assigned the role at the Key Vault scope.

To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. First you need to assign yourself the Key Vault Secrets Officer role to be able to create secrets in the Key Vault: with RBAC authorization enabled, even the owner of the vault cannot read or write secrets without a data-plane role. To know more about the different roles, see Azure built-in roles for Key Vault data plane operations.

To assign yourself the Key Vault Secrets Officer role, follow these steps:

- Open a terminal window.
- Set your user ID in `USER_ID`, replacing `<your-email-address>` with your email address. You will need it in the next step:
  - Linux/Unix shell:

    ```bash
    USER_ID=$(az ad user show --id <your-email-address> --query id -o tsv)
    ```

  - PowerShell:

    ```powershell
    $USER_ID = az ad user show --id <your-email-address> --query id -o tsv
    ```

- Assign yourself the Key Vault Secrets Officer role (the scope uses the `SUBSCRIPTION` variable set in step 3):

  ```bash
  az role assignment create --role "Key Vault Secrets Officer" --assignee $USER_ID --scope "/subscriptions/$SUBSCRIPTION/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
  ```

- To create a secret in the Azure Key Vault, use the following command and replace `<secret-name>` and `<secret-value>` with the name and value of the secret you want to create:

  ```bash
  az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
  ```

  Role assignments can take a few minutes to propagate, so retry this command if it is refused with a Forbidden error. Note that a value passed with `--value` ends up in your shell history; `az keyvault secret set` also accepts `--file` to read the value from a file instead.
Step 5: Deploy Azure Key Vault secret store component
- Copy or move the file `dapr/aca-azure-keyvault-secretstore.yaml` to the `dapr/components/` folder.
- Open the copied file `dapr/components/aca-azure-keyvault-secretstore.yaml` in your code editor.
- Set the following values in the metadata section of the component:
  - `vaultName`: the name of the Azure Key Vault you created in step 3.
  - `azureTenantId`: the value for `tenant` you noted down in step 1.
  - `azureClientId`: the value for `appId` you noted down in step 1.
- Set the following values in the secrets section of the component:
  - `azure-client-secret`: the value for `password` you noted down in step 1.
- Go to the root folder of the repository.
- Enter the following command to deploy the `secretstore` Dapr component:

  ```bash
  az containerapp env dapr-component set \
    --name cae-dapr-workshop-java \
    --resource-group rg-dapr-workshop-java \
    --dapr-component-name secretstore \
    --yaml ./dapr/components/aca-azure-keyvault-secretstore.yaml
  ```

  Do not commit the edited file: it now contains the client secret in clear text.
Managed Identity
By setting a secret in a Dapr component for an Azure Container Apps environment, the secret is stored using platform-managed Kubernetes secrets. This is useful when connecting to non-Azure services or in DEV/TEST scenarios for quickly deploying Dapr components.
In production scenarios, it is recommended to use the Azure Key Vault secret store with a managed identity instead, and not to store secrets as Kubernetes secrets. With a managed identity, the component carries no `azureClientSecret` and no secrets section at all: `azureClientId` identifies the managed identity, and the platform obtains tokens for it without any stored credential, so there is nothing to rotate or leak.
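As an added example covering both step 5 and the managed identity note above (it is not the workshop's file or tooling), the shell script below writes constructed component definitions in the Azure Container Apps Dapr component schema (`componentType`, `version`, a `metadata` list whose entries carry a `value` or a `secretRef`, and a `secrets` list): one in the client-secret form of step 5, one in the managed-identity form, and one deliberately wrong. It then lints them the way a reviewer would before `az containerapp env dapr-component set`: the client secret must be wired through `secretRef` rather than an inline `value`, every `secretRef` must resolve to an entry under `secrets`, no template placeholders may remain, and a managed-identity component must carry no secret at all. All values are placeholders and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the workshop's own file or tooling. Function names and the
# sample values are assumptions made for this example; the YAML layout follows
# the Azure Container Apps Dapr component schema.

# write_component FILE VAULT CLIENT_ID [TENANT SECRET]
# With TENANT and SECRET: the client-secret form of step 5, secret wired through
# secretRef. Without them: the managed-identity form, with no secrets section.
write_component() {
    file=$1 vault=$2 client=$3 tenant=${4:-} secret=${5:-}
    {
        printf 'componentType: secretstores.azure.keyvault\nversion: v1\nmetadata:\n'
        printf '  - name: vaultName\n    value: "%s"\n' "$vault"
        printf '  - name: azureClientId\n    value: "%s"\n' "$client"
        if [ -n "$secret" ]; then
            printf '  - name: azureTenantId\n    value: "%s"\n' "$tenant"
            printf '  - name: azureClientSecret\n    secretRef: azure-client-secret\n'
            printf 'secrets:\n  - name: azure-client-secret\n    value: "%s"\n' "$secret"
        fi
    } >"$file"
}

# write_bad_component FILE: the mistake the lint is meant to catch, the client
# secret pasted inline into metadata, with the template placeholders untouched.
write_bad_component() {
    cat >"$1" <<'EOF'
componentType: secretstores.azure.keyvault
version: v1
metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureClientSecret
    value: "[your_client_secret]"
EOF
}

# lint_component FILE [client-secret|managed-identity]: prints one line per
# finding and returns 1 if there is any, 0 if the file is clean.
lint_component() {
    file=$1 mode=${2:-client-secret} rc=0
    # 1. azureClientSecret must not be followed by an inline value:
    if awk '/name: *azureClientSecret/ {flag=1; next}
            flag && /^ *value:/ {found=1} {flag=0}
            END {exit !found}' "$file"; then
        echo "$file: azureClientSecret has an inline value, use secretRef"
        rc=1
    fi
    # 2. every secretRef must be declared under secrets:
    for ref in $(sed -n 's/^ *secretRef: *//p' "$file"); do
        if ! grep -Eq "^ *- name: *$ref *\$" "$file"; then
            echo "$file: secretRef $ref has no matching secrets entry"
            rc=1
        fi
    done
    # 3. template placeholders such as [your_keyvault_name] must be replaced
    if grep -Eq '\[your_[a-z_]+\]' "$file"; then
        echo "$file: template placeholders still present"
        rc=1
    fi
    # 4. a managed-identity component carries no client secret at all
    if [ "$mode" = managed-identity ] && grep -Eq '^secrets:|azureClientSecret' "$file"; then
        echo "$file: managed-identity component must not contain secrets"
        rc=1
    fi
    return $rc
}

# Stand-alone use: writes the three samples to a temp dir and lints them.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_component "$d/dev.yaml" kv-daprworkshopjavaab1c2 11111111-1111-1111-1111-111111111111 \
        22222222-2222-2222-2222-222222222222 not-a-real-secret
    write_component "$d/mi.yaml" kv-daprworkshopjavaab1c2 11111111-1111-1111-1111-111111111111
    write_bad_component "$d/bad.yaml"
    for f in dev mi bad; do lint_component "$d/$f.yaml" && echo "$d/$f.yaml: clean"; done
    lint_component "$d/mi.yaml" managed-identity && echo "$d/mi.yaml: clean as managed identity"
fi
```

Running the lint on the client-secret file in `managed-identity` mode fails on purpose: the same vault and client ID are reused, but the presence of a secrets section is exactly what the production variant must not have.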