Setting up a Key Vault in Azure

Setting up a Key Vault

Here is how to set up a key vault using the Azure CLI

Select subscription

az login
az account set -s "$subscriptionName"

Create a Service Principal

To authenticate your application with key vault it needs a Service principal, which is an identity in Active Directory. Here is how you can create one from the CLI:

az ad sp create-for-rbac --name key-vault-poc-sp-1

You can query the settings and ids for this spn with the following command:

az ad sp list --display-name "${service_principal_display_name}"

This will return a JSON representation of the service principal. Look for the propery servicePrincipalNames which contains a UUID. You will need this spn later.

"servicePrincipalNames": [ "aaaaaaaa-bbbb-cccc-dddd-012345678901" ],

Create a key vault instance

az keyvault create \
  --resource-group "$resourceGroup" \ 
  --name "$keyVaultName" \ 
  --enabled-for-deployment true \ 
  --enabled-for-disk-encryption true \ 
  --enabled-for-template-deployment true \ 
  --location "$location" \
  --query properties.vaultUri \
  --sku standard

This should return the vault’s Uri. For example: https://key-vault-spring-poc-1.vault.azure.net/ When you create the key vault from the CLI, Azure will add access policies for your personal azure identity.

To add an access policy for the service principal made for us by cloud services:

az keyvault set-policy --name "$keyVaultName" --spn "${service_principal_names_uuid}" --secret-permissions get list

This will allow our application to list and read keys, nothing more.

Set a value

az keyvault secret set --name "greeting" --vault-name "$keyVaultName" --value "Hello World"

Load application properties from Key Vault

For a spring application use the app_id from the service principal for client-id and the clientSecret for the client-key. The tenant-id can be found in the json properties of your application.

azure.keyvault.client-id=[client id] 
azure.keyvault.client-key=[client secret]
azure.keyvault.enabled=true
azure.keyvault.tenant-id=[tenant id] 
azure.keyvault.uri=https://key-vault-spring-poc-2.vault.azure.net/

Any additional properties stored in this key vault will be loaded as application properties. Keep in mind that Azure Key Vault does not support dots in key names. Spring will allow you to substitute those for dashes. This does mean that application properties with both dots and dashes in the name are not supported. You can substitute a dash by capitalizing the next character, for example azure.keyvault.client-key -> azure-keyvault-clientKey. There is no realistic scenario where you would store this particular key in Key Vault, I just couldn’t think of another example with both dots and dashes off the top of my head.

For example:

az keyvault secret set --name "spring-datasource-username" --vault-name "$keyVaultName" --value "username"
az keyvault secret set --name "spring-datasource-password" --vault-name "$keyVaultName" --value "password"
az keyvault secret set --name "spring-datasource-url" --vault-name "$keyVaultName" --value "jdbc:sqlserver://databaseserver.database.windows.net:1433;database=db_name;etc..."