Azure key Vault

The Key Management secrets engine supports lifecycle management of keys in named Azure Key Vault instances. This is accomplished by configuring a KMS provider resource with the azurekeyvault provider and other provider-specific parameter values.

The following sections describe how to properly configure the secrets engine to enable the functionality.

Authentication

You need to configure the Key Management secrets engine with credentials that have sufficient permissions to manage keys in an Azure Key Vault instance. The credentials section of the API documentation describes the authentication parameters. The authentication parameters will be set with the following order of precedence:

If the client ID or secret are not provided and Vault is running on an Azure VM, Vault will attempt to use MSI to access Azure. Note that when MSI is used, the tenant ID must still be explicitly provided by the configuration or environment variable.

An Azure Key Vault access policy determines whether a given service principal, namely an application or user group, can perform certain operations on a Key Vault instance. The service principal associated with the provided credentials must have an access policy on the Key Vault instance with the following minimum key permissions:

Use Terraform

If you are familiar with Terraform, you can use it to deploy the necessary Azure infrastructure. Refer to the Terraform example section.

Setup

Enable the secrets engine.

$ vault secrets enable keymgmt
Success! Enabled the keymgmt secrets engine at: keymgmt/

Configure a KMS provider resource named, example-kms.
```
$ vault write keymgmt/kms/example-kms \
    provider="azurekeyvault" \
    key_collection="keyvault-name" \
    credentials=client_id="a0454cd1-e28e-405e-bc50-7477fa8a00b7" \
    credentials=client_secret="eR%HizuCVEpAKgeaUEx" \
    credentials=tenant_id="cd4bf224-d114-4f96-9bbc-b8f45751c43f"
```
The command specified the following:
- The full path to this KMS provider instance in Vault (keymgmt/kms/example-kms).
- A key collection, which corresponds to the name of the key vault instance in Azure.
- The KMS provider is set to azurekeyvault.
- Azure client ID credential, that can also be specified with AZURE_CLIENT_ID environment variable.
- Azure client secret credential, that can also be specified with AZURE_CLIENT_SECRET environment variable.
- Azure tenant ID credential, that can also be specified with AZURE_TENANT_ID environment variable.

API documentation

Refer to the Azure Key Vault API documentation for a detailed description of individual configuration parameters.

Usage

Write a pair of RSA-2048 keys to the secrets engine. The following command will write a new key of type rsa-2048 to the path keymgmt/key/rsa-1.
```
$ vault write keymgmt/key/rsa-1 type="rsa-2048"
Success! Data written to: keymgmt/key/rsa-1
```
The Key Management secrets engine currently supports generation of the key types specified in Key Types.
Based on the Compatibility section of the documentation, Azure Key Vault currently supports use of RSA-2048, RSA-3072, and RSA-4096 key types.
Read the rsa-1 key you created. Use JSON as the output and pipe that into jq.
```
$ vault read -format=json keymgmt/key/rsa-1 | jq
```
To use the keys you wrote, you must distribute them to the key vault. Distribute the rsa-1 key to the key vault at the path keymgmt/kms/example-kms/key/rsa-1.
```
$ vault write keymgmt/kms/example-kms/key/rsa-1 \
    purpose="encrypt,decrypt" \
    protection="hsm"
```
Here you are instructing Vault to distribute the key and specify that its purpose is only to encrypt and decrypt. The protection type is dependent on the cloud provider and the value is either hsm or software. In the case of Azure, you specify hsm for the protection type. The key will be securely delivered to the key vault instance according to the Azure Bring Your Own Key (BYOK) specification.
You can list the keys that have been distributed to the Azure Key Vault instance.
```
$ vault list keymgmt/kms/keyvault/key/
Keys
----
rsa-1
```

Rotate the rsa-1 key.

$ vault write -f keymgmt/key/rsa-1/rotate
Success! Data written to: keymgmt/key/rsa-1/rotate

Confirm successful key rotation by reading the key, and getting the value of .data.latest_version.
```
$  vault read -format=json keymgmt/key/rsa-1 | jq '.data.latest_version'
2
```

Key transfer specification

Keys are securely transferred from the secrets engine to Azure key vault instances in accordance with the Azure Bring Your Own Key specification.

Key purpose compatibility

The following table defines which key purposes can be used for each key type supported by Azure Key Vault KMS.

Key Type	Purpose
`rsa-2048`	All purposes
`rsa-3072`	All purposes
`rsa-4096`	All purposes

Azure private link

The secrets engine can be configured to communicate with Azure Key Vault instances using Azure Private Endpoints. Follow the guide at Integrate Key Vault with Azure Private Link to set up a Private Endpoint for your target Key Vault instance in Azure. The Private Endpoint must be network reachable by Vault. This means Vault needs to be running in the same virtual network or a peered virtual network to properly resolve the Key Vault domain name to the Private Endpoint IP address.

The Private Endpoint configuration relies on a correct Azure Private DNS integration. From the host that Vault is running on, follow the steps in Validate that the private link connection works to ensure that the Key Vault domain name resolves to the Private Endpoint IP address you've configured.

$ nslookup <keyvault-name>.vault.azure.net

Non-authoritative answer:
Name:
Address:  10.0.2.5 (private IP address)
Aliases:  <keyvault-name>.vault.azure.net
          <keyvault-name>.privatelink.vaultcore.azure.net

The secrets engine doesn't require special configuration to communicate with a Key Vault instance over an Azure Private Endpoint. For example, the given KMS configuration will result in the secrets engine resolving a Key Vault domain name of keyvault-name.vault.azure.net to the Private Endpoint IP address. Note that it's possible to change the Key Vault DNS suffix using the environment configuration parameter or AZURE_ENVIRONMENT environment variable.

Terraform example

If you are familiar with Terraform, you can use it to deploy the necessary Azure infrastructure.

Example:

provider "azuread" {
  version = "=0.11.0"
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }
}

resource "random_id" "app_rg_name" {
  byte_length = 3
}

resource "random_id" "keyvault_name" {
  byte_length = 3
}

data "azurerm_client_config" "current" {}

resource "azuread_application" "key_vault_app" {
  name                       = "app-${random_id.app_rg_name.hex}"
  homepage                   = "http://homepage${random_id.app_rg_name.b64_url}"
  identifier_uris            = ["http://uri${random_id.app_rg_name.b64_url}"]
  reply_urls                 = ["http://replyur${random_id.app_rg_name.b64_url}"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

resource "azuread_service_principal" "key_vault_sp" {
  application_id               = azuread_application.key_vault_app.application_id
  app_role_assignment_required = false
}

resource "random_password" "password" {
  length           = 24
  special          = true
  override_special = "%@"
}

resource "azuread_service_principal_password" "key_vault_sp_pwd" {
  service_principal_id = azuread_service_principal.key_vault_sp.id
  value                = random_password.password.result
  end_date             = "2099-01-01T01:02:03Z"
}

resource "azurerm_resource_group" "key_vault_rg" {
  name     = "learn-rg-${random_id.app_rg_name.hex}"
  location = "West US"
}

resource "azurerm_key_vault" "key_vault_kv" {
  name                = "learn-keyvault-${random_id.keyvault_name.hex}"
  location            = azurerm_resource_group.key_vault_rg.location
  resource_group_name = azurerm_resource_group.key_vault_rg.name
  sku_name            = "premium"
  soft_delete_enabled = true
  tenant_id           = data.azurerm_client_config.current.tenant_id

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "backup",
      "create",
      "decrypt",
      "delete",
      "encrypt",
      "get",
      "import",
      "list",
      "purge",
      "recover",
      "restore",
      "sign",
      "unwrapKey",
      "update",
      "verify",
      "wrapKey"
    ]
  }

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azuread_service_principal.key_vault_sp.object_id
    key_permissions = [
      "create",
      "delete",
      "get",
      "import",
      "update"
    ]
  }
}

output "key_vault_1_name" {
  value = azurerm_key_vault.key_vault_kv.name
}

output "tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}

output "client_id" {
  value = azuread_application.key_vault_app.application_id
}

output "client_secret" {
  value = azuread_service_principal_password.key_vault_sp_pwd.value
}