Many of Microsoft Sentinel's REST API-based data connectors use secrets and keys that customers would prefer to keep in a vault, where they can be managed effectively (retrieved, updated, deleted, access-controlled, and so on). In this article, we'll talk about securing API secrets and keys using an Azure Key Vault.
A Content Hub solution, when deployed, does not necessarily deploy Azure Key Vault resources as part of the solution deployment, to account for the varied ways customers use Azure Key Vaults. However, Azure Function Apps can use keys stored in AKV through AKV references, without any change to the Function App code.
Integrating with AKV is a three-step process:
Let’s talk about each of these in more detail.
You could choose to create a new Key Vault or use an existing one to store and manage your API keys and/or secrets. To create a new Azure Key Vault, follow the steps in the official documentation.
Once created, you need to ensure that sufficient permissions have been assigned for the Function App to read secrets from the Key Vault. Your Function App must have a managed identity enabled; this can be either system-assigned or user-assigned. For the purposes of this article, we'll use a system-assigned managed identity.
To enable a system-assigned managed identity on the Function App,
3. On saving, an identity object with an Object ID is generated automatically. Copy the Object ID and keep it handy; you'll need it shortly.
To give the Function App's managed identity access to read secrets from the Azure Key Vault,
4. Select the Key Vault Secrets User role from the list of roles and then click Next.
5. On the Members tab, for Assign access to, select Managed identity and then click on ‘+ Select members’.
On the configuration pane that opens on the right, make the following selections:
When the selections are complete, click on Select.
6. The Members list should now show the name of the Azure Function App along with the Object ID of the managed identity.
7. Optionally, add a Description.
8. Click on Review + assign.
You can manually create secrets in the Key Vault.
The other values can be left at their defaults.
5. Click Create.
6. Now, to extract the SecretUri,
a. Select the Secret that was created in the previous step
b. Click on the Current Version
c. Copy the Secret Identifier.
Azure Function Apps now need to be re-configured to read the secrets from the Key Vault instead of using plain-text strings. To do that,
@Microsoft.KeyVault(SecretUri=https://<key-vault-name>.vault.azure.net/secrets/<secret-name>)
Note: The value of SecretUri is the Secret Identifier copied from the secret created in the previous section.
5. Click Ok.
6. Back on the Function App settings, click Save and then Continue. This will apply the changes to the Function App.
7. Now, back on the Function App settings, click on Refresh and click Continue.
You will also notice that the Source of the configuration setting that was just modified changes from App Service to Key vault Reference.
The Function App is now configured to read secret values from the Key Vault instead of reading plain-text values from the Configuration Settings.
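The whole procedure above ends with one app setting whose value is a Key Vault reference built from the Secret Identifier copied in step 6c. As an added example (not code from the original article, and not Microsoft's own tooling), the following Python helper does two things a practitioner usually wants after this change: it converts a copied Secret Identifier into a validated reference string, and it audits a set of Function App settings to report which ones are Key Vault references, which still hold plain-text secrets, and which carry a malformed reference. The vault name contoso-kv, the secret names and the SAMPLE_SETTINGS dictionary are constructed for illustration; the reference syntaxes @Microsoft.KeyVault(SecretUri=...) and @Microsoft.KeyVault(VaultName=...;SecretName=...;SecretVersion=...) are the documented App Service forms.

```python
"""Build, parse and audit Azure Key Vault references in Function App settings."""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Documented reference syntax: @Microsoft.KeyVault(SecretUri=...) or
# @Microsoft.KeyVault(VaultName=...;SecretName=...;SecretVersion=...)
_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$", re.IGNORECASE)
# Public-cloud vault host; vault names are 3-24 chars of letters, digits, hyphens.
_VAULT_HOST_RE = re.compile(r"^[a-z0-9-]{3,24}\.vault\.azure\.net$", re.IGNORECASE)
_SECRET_NAME_RE = re.compile(r"^[a-zA-Z0-9-]{1,127}$")
# Setting names that usually hold credentials (heuristic used by the audit).
_SENSITIVE_NAME = re.compile(r"(key|secret|token|password|pwd|connectionstring)", re.IGNORECASE)


@dataclass(frozen=True)
class KeyVaultReference:
    vault_name: str
    secret_name: str
    secret_version: Optional[str]  # None means "resolve the latest version"

    @property
    def secret_uri(self) -> str:
        uri = f"https://{self.vault_name}.vault.azure.net/secrets/{self.secret_name}"
        return f"{uri}/{self.secret_version}" if self.secret_version else uri

    def to_app_setting(self) -> str:
        """The value to paste into the Function App configuration setting."""
        return f"@Microsoft.KeyVault(SecretUri={self.secret_uri})"


def reference_from_secret_identifier(secret_id: str, pin_version: bool = False) -> KeyVaultReference:
    """Turn a copied Secret Identifier into a validated reference.

    With pin_version=False the version segment is dropped, so a rotated secret is
    picked up without editing the app setting again."""
    u = urlparse(secret_id)
    if u.scheme != "https" or not _VAULT_HOST_RE.match(u.hostname or ""):
        raise ValueError(f"not a Key Vault secret identifier: {secret_id}")
    parts = u.path.strip("/").split("/")
    if len(parts) not in (2, 3) or parts[0] != "secrets" or not _SECRET_NAME_RE.match(parts[1]):
        raise ValueError(f"unexpected secret path: {u.path}")
    vault_name = u.hostname.split(".")[0]
    version = parts[2] if (len(parts) == 3 and pin_version) else None
    return KeyVaultReference(vault_name, parts[1], version)


def parse_reference(setting_value: str) -> Optional[KeyVaultReference]:
    """Parse an app setting value; None if it is not a Key Vault reference at all."""
    m = _REF_RE.match(setting_value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        return reference_from_secret_identifier(body[len("SecretUri="):], pin_version=True)
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    if "VaultName" not in fields or "SecretName" not in fields:
        raise ValueError(f"malformed Key Vault reference: {setting_value}")
    return KeyVaultReference(fields["VaultName"], fields["SecretName"], fields.get("SecretVersion") or None)


def audit_app_settings(settings: Dict[str, str]) -> Dict[str, str]:
    """Classify each setting as keyvault, plaintext-secret, invalid-reference or other."""
    result = {}
    for name, value in settings.items():
        try:
            ref = parse_reference(value)
        except ValueError:
            result[name] = "invalid-reference"
            continue
        if ref is not None:
            result[name] = "keyvault"
        elif _SENSITIVE_NAME.search(name):
            result[name] = "plaintext-secret"
        else:
            result[name] = "other"
    return result


# Constructed sample settings (not exported from a real Function App).
SAMPLE_SETTINGS = {
    "WorkspaceID": "00000000-0000-0000-0000-000000000000",
    "WorkspaceKey": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/WorkspaceKey/1a2b3c)",
    "ApiToken": "plain-text-token-still-in-app-settings",
    "ClientSecret": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=ClientSecret)",
    "BadRef": "@Microsoft.KeyVault(SecretUri=https://notavault.example.com/secrets/x)",
}

if __name__ == "__main__":
    copied = "https://contoso-kv.vault.azure.net/secrets/ApiKey/1a2b3c"
    print(reference_from_secret_identifier(copied).to_app_setting())
    for name, verdict in audit_app_settings(SAMPLE_SETTINGS).items():
        print(f"{name:14s} {verdict}")
```

Leaving the version out of the reference (the default in reference_from_secret_identifier) is what you want once secret rotation is in place; pinning the version is the safer choice when a downstream system cannot tolerate a value changing underneath it. Any setting the audit reports as plaintext-secret is a candidate for the same treatment the article applies to the API key.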