When you are building out Logic Apps (or Microsoft Sentinel Playbooks), it's a best practice to never expose passwords or API keys in plain text within the Logic App. If you do, every user or administrator with read access to the Logic App will be able to read your keys. To better protect your environment, you should use Azure Key Vault. In this blog post I'll give an introduction to Azure Key Vault, how to set it up securely and how to interact with it from within a Logic App.

Introduction into Azure Key Vault

Azure Key Vault is an Azure resource in which you can securely store secrets, keys and certificates. It provides granular access control and extensive logging, which makes it well suited for securing API keys. While Azure Key Vault is hosted on the Azure platform, it can also be used by scripts or services running on-premises (or in another cloud).

Setting up an Azure Key Vault is straightforward, as it requires little configuration initially. During setup you'll be asked to enable or disable purge protection. Deleted vaults and secrets are kept recoverable by soft delete for a retention period; purge protection additionally prevents anyone, including an administrator, from permanently purging them before that period expires. I recommend enabling it, as it protects you against a malicious actor or disgruntled employee destroying your secrets (note that once enabled, purge protection cannot be turned off again).

After the vault is created, it's time to create your first secret. Select Secrets in the blade on the left-hand side and click Generate/Import to create a new secret. After you click Create, the secret is saved to the vault.

Authentication Methods

After you have saved your secrets in the Key Vault, you are ready to retrieve them from your Logic App. Before it can retrieve secrets, the Logic App needs to authenticate to the Key Vault. This can be done in three different ways: with a user account, with a service principal, or with a Managed Identity.

The first method, authenticating through a user account, is something I do not recommend, as it binds the Logic App to your account: if your account gets removed or you update your credentials, the Logic App stops working.

The second and third options are similar in that both authenticate with an app registration (service principal) in Azure Active Directory. If you use service principal authentication, you have to manually create an app registration, create a client secret for it and store that secret somewhere the Logic App can log in with it. With a Managed Identity, Azure creates the enterprise application for the Logic App and manages its credential itself. This means you don't have to create, store or rotate a secret at all. Because a Managed Identity means one less app registration and one less credential to worry about, I recommend using a Managed Identity wherever possible.

To create a Managed Identity, you need to enable it on the Logic App. Navigate to Identity, change the Status to On and confirm the creation of the managed identity.

Access Policies

After you have enabled the Managed Identity on the Logic App, you need to configure the Key Vault to allow the Logic App to retrieve secrets. Who has access to the Key Vault is configured through access policies (this applies to vaults that use the vault access policy permission model; with the newer Azure RBAC permission model you assign roles instead). Within an access policy you configure which principal receives which permissions. They allow for very granular configuration: you can specify that the Logic App can retrieve secrets, but can't list, edit or delete them.

To configure access policies, navigate to the Key Vault and select Access policies in the left-hand menu. Select Add Access Policy to grant access to a new principal. Our Logic App only needs to retrieve a secret, so under Secret permissions select only Get. To select the correct principal, search for the Managed Identity of the Logic App (the name of a system-assigned Managed Identity is the same as the name of the Logic App). After selecting the principal, click Add.

While you might think the configuration is done now, it's important to commit your changes by clicking Save at the top of the screen. If you don't save your changes, the access policy will not be updated.

After you have provided the Logic App with least-privileged access, it's best practice to review the other access policies and check whether they are still required. The creator of a Key Vault automatically receives full permissions on it. I prefer to remove my own permissions on the Key Vault entirely, as I don't need access to the secrets themselves; you can delete your user from the access policies altogether.
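The same procedure carried out with the Az PowerShell module instead of the portal, as an added example that is not part of the original post: it creates the vault with purge protection, stores a secret, grants the Logic App's managed identity Get on secrets only, lists the remaining access policies and removes the creator's own. The resource group, location, vault name, Logic App name and secret name are assumptions; the managed identity must already be enabled on the Logic App, and you must be signed in with Connect-AzAccount.

```powershell
# Added example (not from the original post): Azure Key Vault setup for a Logic App with Az PowerShell.
# Requires the Az.KeyVault and Az.Resources modules and an existing Connect-AzAccount session.
# All names below are assumed placeholders; replace them with your own.
$ResourceGroup = 'rg-sentinel'
$Location      = 'westeurope'
$VaultName     = 'kv-playbooks-demo'     # vault names must be globally unique
$LogicAppName  = 'la-enrich-ip'          # Logic App with its system-assigned identity already enabled
$SecretName    = 'threat-intel-api-key'

# 1. Create the vault with soft delete and purge protection.
#    Purge protection cannot be disabled once it has been turned on.
New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
    -EnablePurgeProtection -SoftDeleteRetentionInDays 90 | Out-Null

# 2. Store the API key. It is read as a SecureString so the value never ends up
#    in the script file or in the shell history.
$ApiKey = Read-Host -Prompt "Enter the value for $SecretName" -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $ApiKey | Out-Null

# 3. Find the service principal Azure created for the Logic App's system-assigned identity.
#    Its display name equals the Logic App name.
$Identity = Get-AzADServicePrincipal -DisplayName $LogicAppName
if (-not $Identity) {
    throw "No managed identity found for Logic App '$LogicAppName'. Enable it on the Identity blade first."
}

# 4. Least privilege: only Get on secrets. The playbook can read the key
#    but cannot list, set or delete secrets, and gets nothing on keys or certificates.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $Identity.Id -PermissionsToSecrets get

# 5. Review every access policy on the vault. The creator receives full permissions by default,
#    so anything broader than the Logic App's Get should be questioned.
$Vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
$Vault.AccessPolicies | ForEach-Object {
    [pscustomobject]@{
        DisplayName  = $_.DisplayName
        ObjectId     = $_.ObjectId
        Keys         = ($_.PermissionsToKeys         -join ',')
        Secrets      = ($_.PermissionsToSecrets      -join ',')
        Certificates = ($_.PermissionsToCertificates -join ',')
    }
} | Format-Table -AutoSize

# 6. Remove the signed-in user's (the creator's) own policy: a human does not need to read the key.
#    Requires Az.Resources 5.x or newer for Get-AzADUser -SignedIn.
$Me = Get-AzADUser -SignedIn
Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $Me.Id
```

After step 6 the only remaining policy should be the Logic App's identity with Get on secrets; if step 5 shows other principals with broad permissions, remove them the same way with Remove-AzKeyVaultAccessPolicy. If you later need to update the secret yourself, grant your account Set on secrets temporarily rather than re-adding full permissions.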