Azure Key Vault – How to access keys or secrets using user identity

Azure Key Vault can be accessed using managed identities. This post gives an overview of managed identities and then creates a user-assigned managed identity to access Azure Key Vault from an MVC web application.

Managed Identities Overview

A managed identity gives an Azure service an automatically managed identity in AAD (Azure Active Directory, now called Microsoft Entra ID). The service can use it to authenticate to any resource that supports AAD authentication without keeping credentials in code or configuration. This is a real gain from a security perspective: the credential behind the identity is created, rotated and stored by the platform and is never exposed to you or to the application, so there is nothing to leak from source control, app settings or a compromised developer machine. Managed identities can be used at no additional cost.

There are two types of managed identities —

System-assigned: Some services let you create a system-assigned identity directly on the service instance. It is turned on or off from the Identity blade of the Azure resource. Once the identity is enabled, the resource can request tokens from Azure AD. This identity cannot be shared: it is tied to exactly one Azure resource, and it is deleted automatically when that resource is deleted.

User-assigned: This identity is created as a standalone Azure resource with its own lifecycle. Once created, it exists until you explicitly delete it, even if every resource that used it is gone. It can be shared, which means it can be assigned to multiple Azure resources at the same time, and a single resource can have several user-assigned identities attached.

Azure Key Vault can be accessed with either a system-assigned or a user-assigned identity; here we use a user-assigned managed identity to access an Azure Key Vault.
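Before going through the portal steps, it helps to see what "the platform manages the credential" actually means at runtime. The following is an added example, not code from the original post: it talks directly to the managed identity endpoint that App Service injects into the application's environment (the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` variables), asks for a token for Key Vault, and then calls the Key Vault REST API with it. This is what the SDK does on the app's behalf. The vault URL and the client ID passed in are assumptions for illustration; no password, certificate or connection string appears anywhere.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: raw token acquisition from the App Service managed identity endpoint.
// Assumes the code runs inside an App Service that has a user-assigned identity attached.
public static class ManagedIdentityToken
{
    // Token audience ("resource") for Key Vault. Note: no trailing slash.
    public const string KeyVaultResource = "https://vault.azure.net";

    public static async Task<string> GetAccessTokenAsync(HttpClient http, string userAssignedClientId)
    {
        // App Service injects these two variables; they are not present when running locally.
        string endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
        string header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
        if (string.IsNullOrEmpty(endpoint) || string.IsNullOrEmpty(header))
            throw new InvalidOperationException(
                "Managed identity endpoint not available. Is Identity enabled on the App Service?");

        // client_id selects the user-assigned identity. Without it the platform uses the
        // system-assigned identity, a different principal that the Key Vault policy
        // from the permission step does not cover, so Key Vault would answer 403.
        string url = $"{endpoint}?api-version=2019-08-01" +
                     $"&resource={Uri.EscapeDataString(KeyVaultResource)}" +
                     $"&client_id={Uri.EscapeDataString(userAssignedClientId)}";

        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        // The header value is a per-instance secret known only to the app process;
        // it proves to the local endpoint that the caller is this app and not another tenant.
        request.Headers.Add("X-IDENTITY-HEADER", header);

        using HttpResponseMessage response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();

        // Response shape: { "access_token": "...", "expires_on": "...", "resource": "...", "token_type": "Bearer", "client_id": "..." }
        using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    // Lists secret metadata (ids and attributes, never values) via the REST API,
    // which is exactly what the "List" permission on secrets allows.
    // vaultUrl is assumed, e.g. "https://kvusridentity.vault.azure.net/".
    public static async Task<string> ListSecretsJsonAsync(HttpClient http, string vaultUrl, string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, $"{vaultUrl.TrimEnd('/')}/secrets?api-version=7.1");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using HttpResponseMessage response = await http.SendAsync(request);
        if (response.StatusCode == System.Net.HttpStatusCode.Forbidden)
            throw new UnauthorizedAccessException(
                "Token was issued, but this identity has no List permission on secrets in this vault.");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

The split between the two failure modes is worth keeping in mind when troubleshooting: an error from the identity endpoint means the identity is not attached to the App Service (or the wrong client ID was passed), while a 403 from Key Vault means the token is fine but the vault's permissions do not cover the operation.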

Implementation

Let's start the implementation with the following steps:

  1. Create Azure Resources: We need an App Service, an Azure Key Vault and a user-assigned managed identity. The steps to create these resources are straightforward and are not covered here, to keep things simple.
Figure 1: Resources

2. Permission Setup: The user-assigned managed identity (named kvusr) needs permissions on the Key Vault (named kvusridentity) to perform operations (for example Get, List, Create, Update). Grant only the operations the application actually performs: this app only reads secret metadata and values, so Get and List on secrets are enough, and Create or Update should not be granted to a reader. Keep in mind that List reveals the names of every secret in the vault and Get reads their values, so a vault that this identity can read should contain only what this application needs. The steps to apply the permission are:

  • Navigate to Resource Group > User Identity (kvusr) and copy the Client ID.
Figure 2: Copy Client ID
  • Navigate to Resource Group > Key Vault (kvusridentity) > Access policies > Add Access Policy > Select principal > search for kvusr > select it > Add, and then Save. (Azure RBAC is the alternative permission model for Key Vault and is what Microsoft now recommends; with RBAC you would assign a role such as Key Vault Secrets User to the identity instead of an access policy.)
Figure 3: Add Access Policies
  • Give the identity the Get and List permissions on secrets (and on keys, if the app will read keys) in the key vault. These permissions can be changed later as needed.
Figure 4: Key Vault Permission
  • Next, navigate to App Service (kvuseridentity) > Identity > User assigned > Add > search for the user-assigned managed identity > select it > Add. Until the identity is attached here, the app cannot request tokens for it, regardless of what the vault allows.
Figure 5: App Permissions

3. Create Web App: Create a .NET Core 3.1 MVC web application and add the NuGet packages listed below.

  • Microsoft.Azure.KeyVault (3.0.5)
  • Microsoft.Azure.Services.AppAuthentication (1.6.1)

Both packages are deprecated by Microsoft; their successors are Azure.Security.KeyVault.Secrets and Azure.Identity (ManagedIdentityCredential). The post uses the older packages, and the same permission setup applies to either.

4. Code Setup: With the permissions and the project in place, we can add the code and see things in action.

  • Add the C# code shown below to the Index action of HomeController; the action must be async because the Key Vault calls are awaited. Resolve any compile-time errors before continuing.
  using System.Linq;
  using System.Threading.Tasks;
  using Microsoft.AspNetCore.Mvc;
  using Microsoft.Azure.KeyVault;
  using Microsoft.Azure.Services.AppAuthentication;

  public async Task<IActionResult> Index()
  {
      // Client ID of the user-assigned identity. It is not a secret, but it belongs in configuration rather than in code.
      var clientId = "<ClientID>";

      // "RunAs=App;AppId=..." makes AppAuthentication request tokens for this user-assigned identity;
      // a plain "RunAs=App" would use the system-assigned identity instead, and Key Vault would answer 403.
      var useridentity = $"RunAs=App;AppId={clientId}";

      var azureServiceTokenProvider = new AzureServiceTokenProvider(useridentity);
      var keyVaultClient = new KeyVaultClient(
          new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

      string kvUrl = "https://<KeyVault>.vault.azure.net/";

      // Lists secret metadata only (no values). Only the first page is returned;
      // follow secretItems.NextPageLink with GetSecretsNextAsync for vaults with more secrets.
      var secretItems = await keyVaultClient.GetSecretsAsync(kvUrl);
      return View(secretItems.ToList());
  }
  • Replace the contents of Index.cshtml with the following. The @model directive matches the list of SecretItem objects passed from the action.
@model IEnumerable<Microsoft.Azure.KeyVault.Models.SecretItem>
@{
    ViewData["Title"] = "Home Page";
}
@foreach (var item in Model)
{
    <div>
        @($"ID : {item.Id}, Name : {item.Identifier.Name}")
    </div>
}
  • Build the project and publish it to the Azure App Service (kvuseridentity). The managed identity endpoint only exists inside App Service, so the code will not obtain a token when run locally.
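The same controller written against the current SDK packages, Azure.Identity and Azure.Security.KeyVault.Secrets, follows as an added example (not code from the original post). It assumes the user-assigned identity's client ID is stored in configuration under "KeyVault:UserAssignedClientId" and the vault URL under "KeyVault:Url", and that the identity has only the Get and List permissions on secrets as set up above. It also adds the one thing the listing page does not exercise: reading a single secret, which is where the Get permission is actually checked.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Added example: user-assigned managed identity with the current Azure SDK.
// Configuration keys "KeyVault:UserAssignedClientId" and "KeyVault:Url" are assumed.
public class HomeController : Controller
{
    private readonly SecretClient _secrets;

    public HomeController(IConfiguration config)
    {
        // Passing the client ID pins token requests to the user-assigned identity.
        // new ManagedIdentityCredential() with no argument would use the system-assigned one.
        var credential = new ManagedIdentityCredential(config["KeyVault:UserAssignedClientId"]);
        _secrets = new SecretClient(new Uri(config["KeyVault:Url"]), credential);
    }

    // Needs the "List" permission. Returns metadata only; values are never part of a listing,
    // and the SDK walks the paging links for us.
    public async Task<IActionResult> Index()
    {
        var names = new List<string>();
        await foreach (SecretProperties p in _secrets.GetPropertiesOfSecretsAsync())
        {
            if (p.Enabled == true)      // reading a disabled secret fails, so leave it out
                names.Add(p.Name);
        }
        return View(names);
    }

    // Needs the "Get" permission. A 403 here with a working listing means the identity
    // was granted List but not Get; a 404 means the name is wrong or the secret is disabled.
    public async Task<IActionResult> Show(string name)
    {
        try
        {
            KeyVaultSecret secret = await _secrets.GetSecretAsync(name);
            // Deliberately does not render the value: proving the read worked is enough.
            return Content($"{secret.Name} (version {secret.Properties.Version}) read successfully");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            return StatusCode(403, "This identity lacks the Get permission on secrets in this vault.");
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return NotFound();
        }
    }
}
```

Creating the SecretClient in the controller keeps the example short; in a real application register it once in Startup as a singleton so that the credential's token cache is shared across requests instead of hitting the identity endpoint on every page load.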

Output

The code reads the list of secrets from the key vault, so let's create a few secrets in the vault first.

Figure 6: Add Secrets
  • Browse to the Azure App Service (kvuseridentity) to verify the output. The page lists the secret IDs and names; if it returns an error instead, check that the identity is attached to the App Service and that its access policy includes List on secrets.
Figure 7: App Output

So we have seen how to use a user-assigned managed identity to access Key Vault. Other Azure services can be accessed with a user-assigned identity in the same way. The code differs from service to service, but the core steps, creating the identity, granting it permissions on the target resource and attaching it to the calling resource, are the same.

If you have any suggestions/feedback, please put them in the comment box.

Happy Learning 🙂
