Azure Key Vault Integration

Introduction

Azure Key Vault (AKV) integration simplifies management and governance of non-human identities (NHIs) and secrets held in the cloud service provider's (CSP's) native vaults. With AKV integration you can centrally manage and update secrets in one or more Azure Key Vaults and rotate passwords or values more frequently. With fine-grained roles and permissions, auditing, and logging, AKV integration provides increased governance, visibility, and awareness of the secrets managed in Azure Key Vault without affecting development velocity or processes. AKV integration is available on Secret Server Cloud, the Delinea Platform, and Secret Server On Premises.

With Azure Key Vault Connector, you can:

  • Link external vaults to Secret Server.
  • Identify and categorize non-human identities into folders.
  • Manage and sync secrets from external vaults to a central Delinea vault.
  • Control access by applying fine-grained permissions.
  • Regularly rotate secrets to maintain a strong security posture.
  • Use Secret Server to keep external vaults in sync.

What is Azure Key Vault?

Azure Key Vault (AKV) is a secure cloud service provided by Microsoft Azure for storing and managing sensitive information such as secrets, encryption keys, and certificates. It offers two service tiers: Standard, which uses software encryption, and Premium, which includes hardware security module (HSM) protection. The Delinea AKV connector is a connection to AKV with GUI elements on the Secret Server side.

Key features of AKV include:

  • Access Control: Uses Azure role-based access control (RBAC) for the management plane and either RBAC or key vault access policies for the data plane.
  • Auditing and Monitoring: Provides logging capabilities for all key vault operations.
  • Certificate Management: Enables easy provisioning, management, and deployment of TLS/SSL certificates.
  • Encryption: All secrets are encrypted at rest using a hierarchy of encryption keys protected by FIPS 140-2 compliant modules.
  • Key Management: Facilitates the creation and control of encryption keys used to protect data.
  • Secrets Management: Securely stores and controls access to tokens, passwords, API keys, and other sensitive data.

AKV helps solve various security challenges in cloud environments, supporting the "use least privilege access" principle of the zero trust security strategy. It centralizes the storage of application secrets, reducing the chances of accidental leaks. To use AKV, it must be associated with a resource group within the same application/environment combination. Access to AKV is controlled through two interfaces: the management plane for managing the vault itself, and the data plane for working with the stored data.

What Is Distributed Vaulting?

Distributed vaulting is a security approach that stores and manages sensitive data, such as encryption keys, secrets, and certificates, across multiple locations, systems, or environments. This decentralized architecture provides several benefits:

  • Centralized Secret Control: Store, manage, and rotate secrets from a single interface. Enforce consistent access policies and permissions across all secrets. Provides a unified view of all secrets with a single source of truth.
  • Competitive Advantage: By implementing distributed vaulting, organizations can gain a competitive advantage by enhancing security, agility, compliance, and customer trust while reducing costs and improving business continuity.
  • Enhanced Availability: Data is available even if one location or system is compromised or experiences downtime.
  • Improved Development Environment: Securely manage all cloud secrets without impacting developer velocity or CI/CD pipelines. CI/CD (Continuous Integration/Continuous Deployment) pipelines are automated workflows that streamline the software development process. They integrate, test, build, and deploy code changes, ensuring faster, more reliable, and higher-quality software releases.
  • Improved Security: By spreading sensitive data across multiple locations, you reduce the attack surface and make it more difficult for unauthorized access.
  • Increased Scalability: Distributed vaulting allows for easier expansion and adaptation to growing security needs.
  • Connecting with Your Legacy Delinea Vault: Integrating Secret Server On-Premises with Delinea Platform.
  • Reduced Single Point of Failure: No single location or system holds all sensitive data, minimizing the risk of catastrophic data loss.

Terminology and Concepts

AKV integration uses several new terms and concepts. Some of the term definitions are slightly different than common usage.

Auditing

All changes to linked secrets are audited, and the audit grid indicates how many items were changed. Expanding the panel by clicking on the row shows the changeset that includes the changes for each update. Permission updates include which permissions were assigned to or removed from which user.

Creating a Vault

"Creating a vault" links an existing external vault to Secret Server. You are not creating the actual external vault. That is, you are creating its internal representation within Secret Server and linking that representation to the external vault. The name must exactly match the name of an already existing external vault. The credential secret should have Get, List, and Set permissions within Azure under Secret Management Operations.

New Vault Initial State

After successfully validating the connection to the external vault you are prompted to pull in the matching information from the vault. This process only pulls in links to the existing external secrets inside Secret Server. At this point, no data is updated in the external vault.

Secrets first appear as disabled. A disabled secret means Secret Server will not push or pull any data to or from the external vault for that secret.

External Secret

An external secret is a secret inside Secret Server that is linked with a secret in an external vault. It is called an external secret because it represents a linked secret in the other vault.

In short, an external secret is mostly just a metadata mapping to a secret in the external vault.

External Secret Fields

An external secret contains the following fields, which are available on the External Secret page:

  • External Vault: The vault on the external machine that contains its matching secret.
  • Name: The name of the secret, which cannot be changed.
  • Last Push: Indicates the last time a change was pushed to the linked secret on the external vault.
  • Linked Secret: A secret in Secret Server that is connected to the external secret and thus to a secret in the external vault. Any changes to it are pushed to the external secret.
  • Transform: The formula used to push changes to the linked secret on the external server. For example: Machine: $secret.field.machine; Password $secret.field.password would push the values of the machine and password fields into the linked secret in the external vault. There is a formula editor that shows the available fields once a secret is selected.

An external secret can have one of the following states:

  • Enabled: Indicates the secret is live and any changes to it triggers an update to the external vault.
  • Disabled: Indicates the secret cannot receive any changes. That is, no changes are pushed to or pulled from the external vault for this secret.

External Secret Actions

There are several actions that can be taken with an external secret:

  • Set External Value: This function accepts any text and assigns it to a secret in the external vault. This function does not require a linked secret or transform and will ignore any of those and just assign the value that is entered.
  • View External Value: View the current value for a secret in the external vault, not necessarily a linked secret.
  • Push: Merge the transform data from the linked secret and update the value in the external vault. New versions of the external secret will only be added if it has changed values.
  • Edit: Edit the secret's metadata.

External Secret Grid

The external secret grid provides a central location in Secret Server to manage external secrets. When selecting external secrets in the grid, you can choose to push or edit these items. Bulk edits allow you to update and link multiple external secrets at once.

External Vault

An external vault is a vault that is outside of Secret Server, in this case one hosted in AKV. The external vault is where default permissions are assigned via the connector, and you can perform a few actions on that vault:

  • Push: Update any active secrets in the external vault that are linked with a transform to Secret Server.
  • Pull: Retrieve all the secret names in the external vault and create a pointer record.
  • Synchronize: Performs a pull (from the external vault) and then a push (to the external vault). Once completed, both Secret Server and the external vault are updated with the other's changes.

Permissions

Permissions are assigned to the external vault and any secret within the vault uses those permissions by default. On each secret, you can override the vault permissions and assign completely different permissions.

Role Permissions

Go to Settings > Roles > Administrator > Permissions tab to set these permissions.

Role permissions:

  • Create External Vault Links: Can set up a connection to an existing external vault. Can then assign permissions to other users.
  • View External Vaults: Can access the external vault feature but cannot manipulate external vaults.

External Vault Permissions

Vault permissions govern what a Secret Server user can do with the external vault:

  • Edit Vault: Can change the settings for the vault.
  • Edit Vault Permissions: Can assign any permission to any user on the vault.
  • Pull: Can execute a pull on the vault.
  • View External Values: Can view or set a remote value on any secret within the vault. The user also needs "View Remote Value" or "Set Remote Value" on the secret.
  • View Vault: Can view the vault and all information, including permissions.

Vault Secret Permissions

These permissions can be defined on the external vault as well as each secret. The values assigned on the vault are the default permissions used by any secret that inherits permissions from the vault.

Note: When viewing a Delinea Secret, an “External secrets” tab appears that lists all of the external secrets linked to the secret.

External vault secret permissions:

  • Edit External Secret: Able to change any of the fields on the secret including status, linked secret, and transform.
  • Edit External Secret Permissions: Can assign any permission to the secret.
  • Push: Can run the push action which will apply the linked secret to the transform and then push or update that value in the external vault.
  • Set External Secret Remote Value: Can assign a free-form value directly to the external secret. Requires "View External Values" on the parent vault.
  • View External Secret: Can view the secret and any of the associated information such as permissions and auditing.
  • View External Secret Remote Value: Can retrieve and view the actual value for the secret in the external vault. Requires "View External Values" on the parent vault.

Connecting Secret Server with an AKV—App Registration Process

The following procedure makes AKVs available in Secret Server.

  1. Create a new secret using the Azure App Registration template.

  2. Go to your Azure portal.

  3. Type App registrations in the search bar.

  4. Click the All applications tab.

  5. Click on your App you want to use if there are more than one.

  6. Find and copy the following into the secret:

    • Application or client ID.
    • Directory or tenant ID.

  7. Go to Manage > Certificates and Secrets.

  8. Create a new client secret.

  9. Copy the value that is generated and paste it into the Client Secret section of the secret in Secret Server.

You must copy the value at the time of client secret creation, as Azure will not allow you to go back and copy the value later. If you do not copy the value at that time, you have to create a new client secret.

With the credential secret in place, create the external vault link in Secret Server:

  1. From the left navigation panel, select Secrets > External Secrets.
  2. Click the Create external vault link button. The Create external vault link page appears.
  3. Type the name of the Azure key vault you want to connect with in the Name text box. The name must exactly match the name of the key vault.
  4. Click to select the Enabled check box if you want to push changes to the vault. Leave it unchecked if you do not want to push changes to it.
  5. Click the Select secret link. A popup page appears.
  6. If the table is blank, click the All secrets toggle button.
  7. Select the credential secret you created during the app registration process. This is the secret that has proper access to query and write to AKV and will be used for all connections. The minimum permissions required for this secret in Azure under Secret Management Operations are:

    • Get
    • List
    • Set

  8. Click the Save button.
  9. You are prompted to synchronize the external vault. This step performs a pull on the vault and then a push on each active and linked external secret. This pulls all the secrets from the linked AKV into the Secret Server UI.
  10. Synchronize the vault. The external vault summary page shows these results:

    • Name of the vault.

    • State: enabled or disabled.

    • Last pull status.

    • Number of external secrets

    • Credential secret used

  11. Select the External Secrets tab to view the list of external secrets.
  12. Change the Status to All states to view the list of external secrets. All external secrets are initially disabled. This means no secrets are synchronized from Secret Server to the AKVs.

Managing External Secrets

  1. From the left navigation panel, select Secrets > External Secrets. The External Secret grid appears. After you have linked at least one external vault, you will see the list of external secrets here.
  2. In the grid you can:

    • Search for a specific secret.
    • View all secrets, enabled or disabled.
    • View only “enabled” or “disabled” secrets.
    • View or manage permissions.
    • View audit events.
    • View the log.
  3. Select a secret in the grid. Now, you can perform a few more actions:

    • Set remote value: Sets a new value on the external secret in AKV.

    • View remote value: View the current value on the external secret in AKV.

    • Edit the secret and set properties.

    • Enable or disable synchronization for the secret.

    • Select a secret to link to. That secret serves as the master secret in Secret Server. You can link one or more external secrets to a single master secret. You can sync the same secret/vault from a single master secret to secrets in multiple key vaults.

    • Perform Remote Password Changing (RPC) on the master, which propagates to all the enabled linked external secrets.

    • Transform, which allows you to select the fields you want updated on the external secrets. Transforms are defined in the secret template for the master secret. For example, Password (password) links the password field from the master secret and updates all linked enabled external secrets with the password field's value.

      You can also define a string format and insert field values from the linked secret using the $secret.slug.<field> notation. For example, Password: $secret.slug.password sets the external secret value to Password: 1234pass, where 1234pass is the actual password from the master secret. The Transform editor allows you to copy and paste the slug name or simply click the + sign to add it to the box below.
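The transform syntax from the External Secret Fields section and the transform step above, worked through as an added example that is not code from Secret Server or Delinea: a small renderer that merges $secret.field.<slug> tokens from a linked secret's fields and applies the documented rule that a push only creates a new external version when the merged value has changed. The field slugs and values are constructed sample data, and accepting both the $secret.field and $secret.slug spellings is an assumption made here.

```python
import re
from typing import Dict, List, Tuple

# Transform tokens reference a field of the linked (master) secret by slug.
# Both spellings shown in the docs, $secret.field.<slug> and $secret.slug.<slug>,
# are accepted here (assumption; the real formula editor may accept only one).
TOKEN = re.compile(r"\$secret\.(?:field|slug)\.([A-Za-z0-9_-]+)")

# Constructed sample: the fields of a linked secret, keyed by field slug.
LINKED_SECRET_FIELDS: Dict[str, str] = {
    "machine": "db01.example.internal",
    "username": "svc-app",
    "password": "1234pass",
}


def referenced_slugs(template: str) -> List[str]:
    """Slugs the transform refers to, in order. Useful for validating a
    transform against the linked secret before enabling the external secret."""
    return TOKEN.findall(template)


def render_transform(template: str, fields: Dict[str, str]) -> str:
    """Merge the linked secret's field values into the transform string.
    An unknown slug raises instead of expanding to an empty string, so a
    typo cannot silently push a truncated value into the external vault."""
    def substitute(match):
        slug = match.group(1)
        if slug not in fields:
            raise KeyError(f"linked secret has no field with slug '{slug}'")
        return fields[slug]
    return TOKEN.sub(substitute, template)


def plan_push(template: str, fields: Dict[str, str],
              current_external_value: str) -> Tuple[bool, str]:
    """Decide whether a push would add a new version in the external vault:
    a new version is only created when the merged value differs from the
    value the external vault currently holds."""
    new_value = render_transform(template, fields)
    return new_value != current_external_value, new_value


if __name__ == "__main__":
    template = "Machine: $secret.field.machine; Password $secret.field.password"
    print(referenced_slugs(template))                       # ['machine', 'password']
    print(render_transform(template, LINKED_SECRET_FIELDS))
    # A second push with an unchanged master secret is a no-op (False).
    print(plan_push("Password: $secret.slug.password",
                    LINKED_SECRET_FIELDS, "Password: 1234pass"))
```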

Bulk Operations with the External Secret Grid

The external secret grid provides a central location in Secret Server to manage external secrets. When selecting external secrets in the grid, you can select to push or edit these items all at once, which is a bulk operation.

This is useful for linking multiple external secrets from one or more vaults to a single master secret:

  1. Select all or a few secrets from the grid.

    “Push” and “Edit” are now the available actions for these secrets.
  2. Push changes from the master secret or secrets in Secret Server to the linked secrets in AKV or edit to perform additional bulk actions:
    • Toggle the enabled/disabled state
    • Select a linked secret (the master secret)
    • Perform transform actions such as updating the password or adding information
    • Select “Apply to all” or “Cancel.”

      The heading shows the number of secrets that will be affected by this bulk action.

Simultaneously Creating Master and External Secrets in AKV

There may be times where you want to create a new master secret along with an external secret at the same time in AKV:

  1. Create a secret in Secret Server using any template. For this instruction, we use the Azure AD Account template.
  2. Type the basic information such as secret name, domain, username and password.
  3. Click the External Secrets tab.
  4. Click Create then click Create external secret.
  5. Type the following information:

    • Name of the secret.

    • External vault where you want to create this secret.

    • Synchronization: enabled or not.

    • Linked Secret: The secret you just created.

  6. If you want to sync any fields with the external secret, add those to the Transform section. Merge the secret field Password (password) to sync passwords from the master secret to the linked secret in AKV.
  7. Save your changes.