Azure Secret Manager: A Comprehensive Guide to Secure Secrets Management

Azure Secret Manager is a game-changer for secure secrets management in Azure. It's a cloud-based service that securely stores and manages sensitive data, such as API keys, database credentials, and certificates.

Azure Secret Manager provides a centralized repository for storing and retrieving secrets, making it easy to manage and rotate sensitive data. This eliminates the need for hardcoding or storing secrets in plain text, which is a huge security risk.

With Azure Secret Manager, you can easily integrate secrets into your Azure applications, services, and infrastructure. This includes Azure Kubernetes Service (AKS), Azure Functions, and Azure App Service, among others.

Azure Key Vault is a centralized secrets management system that simplifies the process of securely storing and retrieving sensitive information.

It's more than just a secrets manager; it does secrets management, key management, and certificate management, making it a key management solution in Azure.

Azure Key Vault offers proper authentication and authorization through Azure Active Directory and Azure RBAC, ensuring that only authorized users can access the secrets.

It also provides keys and secrets can be software-protected or hardware-protected using HSMs for added assurance.

Azure Key Vault stores all secrets encrypted, with a hierarchy of encryption keys that are protected by modules that are FIPS 140-2 compliant.

The encryption is transparent and requires no action from the user, automatically encrypting secrets when you add them and decrypting them when you read them.

Here are some key features of Azure Key Vault:

Authentication and Authorization is a crucial aspect of Azure Secret Manager. There are two main methods to authenticate: Service Principal key authentication and Managed Identity authentication.

To use Service Principal key authentication, a Service Principal client and Secret is created and stored in a Kind=Secret. The ClientID and ClientSecret should be configured for the secret.

For Managed Identity authentication, a Managed Identity should be created in Azure, and that Identity should have proper rights to the keyvault to be managed by the operator.

Here are the steps to create an Azure Key Vault and authorize a Service Principal:

1. Set a variable with the Service Principal that you created.

2. Set a variable with the location in which to create all resources.

3. Create an Azure Key Vault that uses Azure RBAC for authorization.

4. Using RBAC, assign a role to the Microsoft Entra ID application so it can access the Key Vault, such as the “Key Vault Secrets User” role.

To authorize a Service Principal, you need to create an Azure Key Vault and assign the proper access rights. This involves setting a variable with the Service Principal and the location where you want to create the resources.

You can use the Azure CLI command `az account list-locations --output tsv` to get a list of available locations. Once you have the Service Principal and location set, you can create an Azure Key Vault that uses Azure RBAC for authorization.

Using RBAC, you can assign a role to the Microsoft Entra ID application so it can access the Key Vault. In this case, you can assign the “Key Vault Secrets User” role, which has the “Get secrets” permission over Azure Key Vault.

Here are some possible roles you can assign:

Note that you can choose a role that fits your application's needs, depending on the level of access required.

Accessing AKS requires a different approach than accessing secrets from a VM. In the cloud-native era, we're likely running our workload in containerized applications, in Azure AKS clusters.

To access a secret from an AKS cluster, you can follow the same steps as accessing it from a VM, as demonstrated in the previous section. However, this time, you'll be working within the cluster environment.

In AKS, secrets can be accessed using the same methods, such as using the Azure CLI or the Azure portal. You can also use the Azure Kubernetes Service (AKS) API to retrieve secrets from the cluster.

To use the AKS API, you'll need to authenticate and authorize your request, which is covered in the previous sections. By doing so, you'll be able to access the secret from within the AKS cluster.

Creating a Universal Secrets Connector (USC) is a straightforward process that can be done using the Akeyless Console or through the command line. To create a USC, you'll need to specify the name, target-to-associate, and Azure key vault name.

The location of the USC can be specified by adding a path to the virtual folder where you want to create the new USC. If the folder doesn't exist, it will be created along with the USC. You can select an existing Azure Target and Azure key vault to associate with the USC.

To update an existing secret in your USC, you can use the following command: Updated 5 months ago. This command allows you to modify the existing secret without having to recreate the entire USC.

Here are the key settings to consider when creating a USC:

Creating a USC is a straightforward process that involves specifying a few key parameters. You can create a USC from the Akeyless Console or using a command.

To create a USC from the console, log in to the Akeyless Console and go to Items > New > Universal Secrets Connector. You will then select the Azure secret type and click Next.

The next step is to define a name for the USC and specify the location as a path to the virtual folder where you want to create the new USC. If the folder does not exist, it will be created along with the USC.

You can also define additional settings such as a description, tags, delete protection, and target and gateway selection. The name of the Azure key vault you want to connect with is also required.

Here are the main parameters to create a USC:

These settings will allow you to create a USC that meets your needs and securely connects to your Azure key vault.

Updating your USC is a straightforward process. To update an existing secret in your USC, use the following command: Updated5 months ago.

You can update your USC at any time, and it's a good idea to do so regularly to ensure your secrets are up to date.

If you're using Azure Universal Secrets, you'll want to take a closer look at the details of each secret.

The name of each secret is easily accessible, and it's a great starting point for understanding what information is being stored.

A secret's type is also displayed, giving you insight into what kind of data it contains.

The status of each secret is either enabled or disabled, and you can view this information at a glance.

The expiration date of each secret is also available, so you can plan accordingly.

You can view more information and the secret value itself by selecting a specific secret.

Additionally, you'll have the option to perform actions on the secret.

Rotation and Versioning is a crucial aspect of managing USC (Unified Service Catalog) effectively. Azure Key Vault's support for secrets rotation and versioning ensures that secrets can be regularly updated without disrupting automated processes.

By regularly updating secrets, you remove the need to manually retrieve, enter, and update passwords on Workato. This saves time and reduces the risk of human error.

To automate the rotation of your secrets, you can configure Event Grid to trigger a Function App. This Function App generates a random password whenever any secret is about to expire in your key vault.

Alternatively, you can configure the Function App to send you a reminder email when a secret is about to expire. This helps you stay on top of secret rotations and avoid any disruptions to your automated processes.

Here are two methods to automate secret rotation: