Azure Service Principal - How to secure the keys


For an Azure Service Principal, we have the below keys in the config file:

<add key="SubscriptionId" value="" />
<add key="ClientId" value="" />
<add key="ClientSecret" value="" />
<add key="TenantId" value="" />
Is there any Azure Key Vault-like service available, where we can securely keep these keys and use them on demand?

2 Replies
You could store the values in a key vault and retrieve them when needed through the UI. Is this what you had in mind?

The Key Vault service I didn't use, but what I understood is that key-vault keys can belong to a specific PaaS service like a Storage Account or any similar kind. Once you access such PaaS services using a URL, you add this additional key-vault value to it. Also, to access Key Vault, you may need to keep another key for it locally and need to think about how to secure that.

But my scenario is that I am developing an automation tool which will create different PaaS services in Azure using ARM templates. So any such management activity needs a single master login mechanism, e.g. a Service Principal, which includes multiple keys. I need to keep these keys securely, without being bound to any specific PaaS service, and use them whenever I want to log in to Azure. Currently I keep these keys inside my application config file, and the tool internally reads these config values during login.
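The pattern both the original question and this follow-up are asking about, as an added example that is not code from the thread: the non-secret identifiers stay in the `<appSettings>` file, the `ClientSecret` entry holds only a reference to a Key Vault secret, and the tool resolves that reference at run time. The `@KeyVault(...)` reference syntax, the sample config and the GUIDs are constructed for this example; the fetcher uses the Azure SDK's `DefaultAzureCredential`, which picks up a managed identity or an `az login` session, so no second key for reaching the vault has to be stored locally.

```python
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample appSettings; the GUIDs are placeholders. Only ClientSecret is
# sensitive, so its value is a reference to a Key Vault secret, not the secret itself.
SAMPLE_APPSETTINGS = """<appSettings>
  <add key="SubscriptionId" value="00000000-0000-0000-0000-000000000000" />
  <add key="ClientId" value="11111111-1111-1111-1111-111111111111" />
  <add key="ClientSecret" value="@KeyVault(VaultName=my-vault;SecretName=sp-client-secret)" />
  <add key="TenantId" value="22222222-2222-2222-2222-222222222222" />
</appSettings>"""

SECRET_KEYS = {"ClientSecret"}  # keys that must never hold a literal value in the file
# Reference syntax assumed for this example (not an Azure-defined format).
REF_RE = re.compile(r"^@KeyVault\(VaultName=(?P<vault>[^;]+);SecretName=(?P<name>[^)]+)\)$")

def load_appsettings(xml_text: str) -> Dict[str, str]:
    """Parse <add key=... value=... /> entries into a dict."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value", "") for e in root.iter("add")}

def parse_reference(value: str) -> Optional[Tuple[str, str]]:
    """Return (vault name, secret name) if value is a vault reference, else None."""
    m = REF_RE.match(value.strip())
    return (m.group("vault"), m.group("name")) if m else None

def find_plaintext_secrets(settings: Dict[str, str]) -> List[str]:
    """Sensitive keys whose value is a literal instead of a vault reference."""
    return [k for k in sorted(SECRET_KEYS) if k in settings and parse_reference(settings[k]) is None]

def keyvault_fetcher(vault: str, name: str) -> str:
    """Fetch one secret with the Azure SDK (azure-identity, azure-keyvault-secrets).
    DefaultAzureCredential uses the host's managed identity or an az CLI login."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=f"https://{vault}.vault.azure.net",
                          credential=DefaultAzureCredential())
    return client.get_secret(name).value

def resolve_settings(settings: Dict[str, str],
                     fetcher: Callable[[str, str], str] = keyvault_fetcher) -> Dict[str, str]:
    """Replace every vault reference with its secret; refuse configs that carry a literal secret."""
    bad = find_plaintext_secrets(settings)
    if bad:
        raise ValueError(f"plaintext secret in config for: {bad}")
    out = {}
    for key, value in settings.items():
        ref = parse_reference(value)
        out[key] = fetcher(*ref) if ref else value
    return out
```

Pass a different `fetcher` (as the test does) to exercise the parsing and the plaintext check without network access; the resolved dict is what the login code consumes, so the secret only ever lives in process memory.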