Azure Key Vault Integration

In this topic:

See External Secrets for more on the general topic of Secret Server and external vaults.

Introduction

Azure Key Vault (AKV) Integration simplifies management and governance of NHI's and secrets from the CSP's native vaults. With AKV integration you can centrally manage and update secrets to one or more Azure Key Vaults and rotate passwords or values more frequently. With fine grained roles and permissions, audit and logging, AKV integration provides increased governance, visibility, and awareness of secrets managed in Azure Key Vault without affecting development velocity or processes. AKV integration is available on Secret Server Cloud, the Delinea Platform, and Secret Server On Premises.

With Azure Key Vault Connector, you can:

  • Link external vaults to Secret Server.
  • Identify and categorize non-human identities into folders.
  • Manage and sync secrets from external vaults to a central Delinea vault.
  • Control access by applying fine-grained permissions.
  • Regularly rotate secrets to maintain a strong security posture.
  • Use Secret Server to keep external vaults in sync.

What is Azure Key Vault?

Azure Key Vault (AKV) is a secure cloud service provided by Microsoft Azure for storing and managing sensitive information such as secrets, encryption keys, and certificates. It offers two service tiers: Standard, which uses software encryption, and premium, which includes hardware security module (HSM) protection. The Delinea AKV connecter is a connection to AKV with GUI elements on the Secret Server side.

Key features of AKV include:

  • Access Control: Uses Azure role-based access control (RBAC) for the management plane and either RBAC or key vault access policies for the data plane.
  • Auditing and Monitoring: Provides logging capabilities for all key vault operations.
  • Certificate Management: Enables easy provisioning, management, and deployment of TLS/SSL certificates.
  • Encryption: All secrets are encrypted at rest using a hierarchy of encryption keys protected by FIPS 140-2 compliant modules.
  • Key Management: Facilitates the creation and control of encryption keys used to protect data.
  • Secrets Management: Securely stores and controls access to tokens, passwords, API keys, and other sensitive data.

AKV helps solve various security challenges in cloud environments, supporting the "use least privilege access" principle of the zero trust security strategy. It centralizes the storage of application secrets, reducing the chances of accidental leaks. To use AKV, it must be associated with a resource group within the same application/environment combination. Access to AKV is controlled through two interfaces: the management plane for managing the vault itself, and the data plane for working with the stored data.

  • Learn more About Azure Key Vault.

    • Connecting with AKV—The App Registration Process

    The following procedure makes AKVs available in Secret Server.

    1. Create a new secret using the Azure App Registration template.

    2. Go to your Azure portal.

    3. Type App registrations in the search bar.

    4. Click the All applications tab.

    5. Click on your App you want to use if there are more than one.

    6. Find and copy into the secret the following:

      • Application or client ID.
      • Directory or tenant ID .

    7. Go to Manage > Certificates and Secrets.

    8. Create a new client secret.

    9. Copy the value that is generated and paste it into the Client Secret section of the secret in Secret Server.

    You must copy the value at the time of client secret creation as Azure will not allow you to go back and copy the value later. If you do not copy the value at that time, you have to create a new client secret.
    If you intend to use the automatic list feature to select the external vault for the connection, you must have the Key Vault Administrator role inherited in Azure.
    1. From the left navigation panel, select Secrets > External Secrets. The External Secrets page appears.
    2. Click the Create External Vault Link button. The Create External Vault Link page appears.
    3. If you are using the automatic list feature:
      1. You are automatically presented all available vaults for your Azure subscriptions, and Input type is set to Automatic List. Once the Azure key vault account connects, a green Connected indicator appears at the top of the page.
      2. Click to select the check boxes for the desired vaults.
    4. If you are not using the automatic list feature:
      1. Set Input Type to Manual Entry.
      2. Type the name of the Azure key vault you want to connect with in the Name text box. The name must exactly match the name of the key vault.
      3. Click to select the Enabled check box if you want to push changes to the vault. Leave it unchecked if you do not want to push changes to it.
    5. Click the Select secret link. A popup page appears.
    6. If the table is blank, click the All secrets toggle button.

    7. Select the credential secret you created during the app registration process. This is the secret that has proper access to query and write to AKV and will be used for all connections. The minimum permissions required for this secret in Azure under secret management operations are:

      • Get

      • List

      • Set (permissions)

    8. Click the Save button.
    9. You are prompted to synchronize the external vault. This step performs a pull on the vault and then a push on each active and linked external secret. This pulls all the secrets from the linked AKV into the Secret Server UI.

    10. Synchronize the vault. The external vault summary page will shows these results:

      • Name of the vault.

      • State: enabled or disabled.

      • Last pull status.

      • Number of external secrets

      • Credential secret used

    11. Select the External Secrets tab to view the list of external secrets.
    12. Change the Status to All states to view the list of external secrets. All external secrets are initially disabled. This means no secrets are synchronized from Secret Server to the AKVs.

    Managing External Secrets

    1. From the left navigation panel, select Secrets > External Secrets. The External Secret grid appears. After you have linked at least one external vault, you will see the list of external secrets here.

    2. In the grid you can:

      • Search for a specific secret.
      • View all secrets, enabled or disabled.
      • View only “enabled” or “disabled” secrets.
      • View or manage permissions.
      • View audit events.
      • View the log.

    3. Select a secret in the grid. Now, you can perform a few more actions:

      • Set remote value: Sets a new value on the external secret in AKV.

      • View remote value: View the current value on the external secret in AKV.

      • Edit the secret and set properties.

      • Enable or disable synchronization for the secret.

      • Select a secret to link to. That secret serves as the master secret in Secret Server. You can link one or more external secrets to a single master secret. You can sync the same secret/vault from a single master secret to secrets in multiple key vaults.

      • Perform Remote Password Changing (RPC) on the master, which propagates to all the enabled linked external secrets.

      • Transform, which allows you to select the fields you want updated on the external secrets. Transforms are defined in the secret template for the master secret. For example, Password (password) links the password field from the master secret and updates all linked enabled external secrets with the password field's value.

        You can also define a string format and insert field values from the linked secret using $secret.slug.notation. For example, Password: $secret.slug.password sets the external secret value as password 1234pass where 1234pass is the actual password from the master secret. Transform allows you to copy and paste the slug name or simply click on the + sign to add it in the box below.

    Bulk Operations with the External Secret Grid

    The external secret grid provides a central location in Secret Server to manage external secrets. When selecting external secrets in the grid, you can select to push or edit these items all at once, which is a bulk operation.

    This is useful for linking multiple external secrets from one or more vaults to a single master secret:

    1. Select all or a few secrets from the grid.

      “Push” and “Edit” are now the available actions for these secrets.
    2. Push changes from the master secret or secrets in Secret Server to the linked secrets in AKV or edit to perform additional bulk actions:
      • Toggle the enabled/disabled state
      • Select a linked secret (the master secret)
      • Perform transform actions such as updating the password or adding information

      • Select “Apply to all” or “Cancel.”

        The heading shows the number of secrets that will be affected by this bulk action.

    Simultaneously Creating Master and External Secrets in AKV

    There may be times where you want to create a new master secret along with an external secret at the same time in AKV:

    1. Create a secret inSecret Server using any template. For this instruction, we use the Azure AD Account template.
    2. Type the basic information such as secret name, domain, username and password.
    3. Click the External Secrets tab.
    4. Click Create then click Create external secret.

    5. Type the following information:

      • Name of the secret.

      • External vault where you want to create this secret.

      • Synchronization: enabled or not.

      • Linked Secret: The secret you just created.

    6. If you want to sync any fields with the external secret, add those to the Transform section. Merge the secret field Password (password) to sync passwords from the master secret to the linked secret in AKV
    7. Save your changes.