Azure Key Vault Integration

See External Secrets for more on the general topic of Secret Server and external vaults.

Introduction

The Azure Key Vault (AKV) Integration simplifies management and governance of non-human identities (NHIs) and secrets held in the cloud service provider's (CSP's) native vaults. With it you can centrally manage and update secrets in one or more Azure Key Vaults from Secret Server, and rotate passwords or values more frequently. Fine-grained roles and permissions, auditing and logging give increased governance, visibility and awareness of the secrets managed in Azure Key Vault without affecting development velocity or processes. The AKV integration is available on Secret Server Cloud, the Delinea Platform, and Secret Server On-Premises.

With Azure Key Vault Connector, you can:

  • Link external vaults to Secret Server.
  • Identify and categorize non-human identities into folders.
  • Manage and sync secrets from external vaults to a central Delinea vault.
  • Control access by applying fine-grained permissions.
  • Regularly rotate secrets to maintain a strong security posture.
  • Use Secret Server to keep external vaults in sync.

What is Azure Key Vault?

Azure Key Vault (AKV) is a Microsoft Azure cloud service for storing and managing sensitive information such as secrets, encryption keys, and certificates. It offers two service tiers: Standard, which protects keys in software, and Premium, which adds Hardware Security Module (HSM) backed keys. The Delinea AKV connector is the Secret Server side of this integration: it holds the Azure credential, links one or more vaults, and exposes their secrets as external secrets in the Secret Server UI.

Key features of AKV include:

  • Access Control: Uses Azure role-based access control (RBAC) for the management plane and either RBAC or key vault access policies for the data plane. Microsoft recommends RBAC for the data plane; which model a vault uses affects how you grant the Secret Server credential its permissions (see below).
  • Auditing and Monitoring: Provides logging capabilities for all key vault operations.
  • Certificate Management: Enables easy provisioning, management, and deployment of TLS/SSL certificates.
  • Encryption: All secrets are encrypted at rest using a hierarchy of encryption keys protected by FIPS 140-2 compliant modules.
  • Key Management: Facilitates the creation and control of encryption keys used to protect data.
  • Secrets Management: Securely stores and controls access to tokens, passwords, API keys, and other sensitive data.

AKV helps solve various security challenges in cloud environments, supporting the "use least privilege access" principle of the zero trust security strategy. It centralizes the storage of application secrets, reducing the chances of accidental leaks.

Each key vault is a resource in an Azure resource group; Microsoft recommends a separate vault per application and per environment (for example development, pre-production and production) so that a compromise of one vault does not expose the others. Access to AKV is controlled through two interfaces: the management plane for managing the vault itself, and the data plane for working with the stored secrets, keys and certificates. To learn more, see About Azure Key Vault.

Connecting with AKV—The App Registration Process

The following procedure makes AKVs available in Secret Server:

  1. Go to your Azure portal.

  2. From the Azure services section, select App registrations. The App registrations page appears.

  3. Select the app registration you want Secret Server to use from the list. Its Overview page shows the Application (client) ID and Directory (tenant) ID that you need in step 6.

  4. Access Secret Server.

  5. Create a new secret using the Azure Application Registration template.

  6. Fill in the following fields:

    • Secret name: give the secret an appropriate name.

    • Client ID: Type in the Client ID of the Azure AD Application.

    • Client Secret: Type in the Client Secret (Value) for the Azure AD Application. If you have not created one yet, leave this field blank for now; steps 8 through 10 create the client secret and paste its value in.

    • Tenant ID: Type in the Tenant ID of the Azure AD Application.

    • Optionally, fill in the Notes field.

    • Optionally, change the Site field to one you need, otherwise leave as Default.

  7. Select Create Secret to save your changes.

  8. Within the Azure Portal, on the app registration, access Manage > Certificates & secrets.

  9. Create a new client secret.

    You must copy the Value at the time of client secret creation, as Azure will not allow you to go back and copy the value later. If you do not copy the value at this time, you have to create a new client secret. Client secrets also have an expiry date that you choose when creating them; record it and create and paste a replacement before it expires, otherwise the vault link stops authenticating.

  10. Paste the value you copied from the Azure Portal into the Client Secret field of the secret in Secret Server.

  11. Click Save to apply your changes.
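The client secret created above is the credential the whole vault link depends on, and Azure client secrets expire. As an added example (not from the Delinea or Microsoft documentation), the following Python reads the JSON that `az ad app credential list --id <Application (client) ID>` prints for the app registration and reports which client secrets are expired or about to expire. The credential records are constructed sample data, and the 30-day warning window is an arbitrary choice.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az ad app credential list` output;
# the keyIds and dates are made up.
SAMPLE_CREDENTIALS_JSON = """
[
  {"keyId": "11111111-1111-1111-1111-111111111111",
   "displayName": "secret-server-link",
   "startDateTime": "2024-01-15T00:00:00Z",
   "endDateTime": "2024-03-01T00:00:00Z"},
  {"keyId": "22222222-2222-2222-2222-222222222222",
   "displayName": "secret-server-link-rotated",
   "startDateTime": "2024-02-20T00:00:00Z",
   "endDateTime": "2026-02-20T00:00:00Z"}
]
"""


def parse_time(value):
    """Parse the RFC 3339 timestamps Azure CLI prints (trailing Z) as tz-aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_status(credentials_json, now, warn_days=30):
    """Classify each client secret as expired, expiring (within warn_days) or ok.

    Returns a list of (keyId, displayName, days_left, state) tuples, in the
    order Azure returned them. days_left is negative for expired secrets.
    """
    rows = []
    for cred in json.loads(credentials_json):
        end = parse_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            state = "expired"
        elif end - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        rows.append((cred["keyId"], cred["displayName"], days_left, state))
    return rows


def needs_rotation(credentials_json, now, warn_days=30):
    """True when no client secret on the app stays valid beyond the warning window."""
    return not any(state == "ok" for _, _, _, state in
                   credential_status(credentials_json, now, warn_days))


if __name__ == "__main__":
    # Fixed clock so the constructed sample gives a reproducible report.
    now = datetime(2024, 2, 25, tzinfo=timezone.utc)
    for key_id, name, days, state in credential_status(SAMPLE_CREDENTIALS_JSON, now):
        print(f"{state:8} {days:5d} days left  {name} ({key_id})")
    if needs_rotation(SAMPLE_CREDENTIALS_JSON, now):
        print("rotate: create a new client secret and update the Secret Server credential secret")
```

Run it against live output by piping `az ad app credential list --id <client id>` into a file and passing the file contents instead of the sample. When the report says the only valid secret is expiring, create the new client secret in Azure first, update the Client Secret field of the credential secret in Secret Server, and only then delete the old one, so the vault link never has a window without a valid credential.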

Linking an Azure Key Vault to Secret Server

If you intend to use the Automatic List input type to select the external vault for the connection, the service principal behind the credential secret must hold the Key Vault Administrator role assigned at a scope (subscription or resource group) from which the vaults inherit it.

  1. Access Secret Server.
  2. From the left navigation panel, select Secrets > External Secrets. The External Secrets page appears.
  3. Click the Create dropdown button and select Create External Vault Link. The Create External Vault Link page appears.
  4. For Type, select Azure Key Vault.
  5. For Credential secret, select the No secret selected link and choose the secret you just created previously in Secret Server during the app registration process. This is the secret that has proper access to query and write to AKV and will be used for all connections.

    The minimum Azure Key Vault data plane permissions required for this secret in Azure under secret management operations are:

    • Get

    • List

    • Set

  6. How to grant these permissions in the Azure Portal:

    1. Go to https://portal.azure.com

    2. Navigate to the Key Vault you want Secret Server to manage.

    3. In the Key Vault menu on the left, click Access policies.

    4. Select + Add Access Policy, to add a new access policy.

    5. In the permissions list, under Secret permissions, select the checkboxes for:

      1. Get

      2. List

      3. Set

      Leave the other permissions unselected unless you have a separate need for them. Synchronization does not require Delete, Recover, Backup, Restore or Purge, and granting them widens what an attacker could do with the credential secret if it were compromised.

    6. Click Select principal, then search for your App Registration / Service Principal that Secret Server will use.

    7. Select it and click Select.

    8. Click Add, then Save on the main Access policies page.

    That updates the Key Vault's access policy so the Secret Server credential secret has the necessary Get/List/Set rights to the vault. If the vault uses the Azure RBAC permission model instead of access policies (shown under Access configuration in the portal), Azure ignores access policies; in that case assign the service principal the built-in Key Vault Secrets Officer role on the vault under Access control (IAM). Key Vault Secrets User is not sufficient because it is read-only and does not allow Set.

  7. For Input type:

    1. If you choose Automatic List:
      1. You are automatically presented all available vaults for your Azure subscriptions. Once the Azure key vault account connects, a green Connected indicator appears at the top of the page.
      2. Click to select the checkboxes for the desired vaults.
    2. If you choose Manual Entry:
      1. Type the name of the Azure key vault you want to connect to, in the External Name text box. This name MUST exactly match the vault name in the external system to correctly link them.
      2. The Display name will automatically match the External Name of the vault, unless you manually change it.
  8. Select Save.
  9. You are prompted to synchronize the external vault. This step performs a pull on the vault and then a push on each active and linked external secret. This pulls all the secrets from the linked AKV into the Secret Server UI.
  10. Synchronize the vault. The external vault summary page will show these results:

    • Name of the vault.

    • State: enabled or disabled.

    • Last pull status.

    • Number of external secrets

    • Credential secret used

  11. Select the External Secrets tab to view the list of external secrets.
  12. Change the Status filter to All states to view every external secret. All external secrets are initially disabled, meaning no values are pushed from Secret Server to the AKVs until you enable synchronization for a secret.
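Steps 5 and 6 above give the credential secret's service principal exactly Get, List and Set; a practitioner also wants to confirm afterwards that this is all it has, and to know which permission model the vault is on. As an added example (not from the Delinea or Microsoft documentation), the following Python audits that from the JSON printed by `az keyvault show --name <vault>` (fields properties.enableRbacAuthorization and properties.accessPolicies) and, for RBAC-model vaults, by `az role assignment list --assignee <objectId> --scope <vault resource id>` (field roleDefinitionName). Both JSON samples are constructed and the object IDs are made up; the set of RBAC roles treated as sufficient is the author's reading of the built-in roles, not something the page states.

```python
import json

# Minimum access-policy secret permissions the connector needs (Get, List, Set).
REQUIRED = {"get", "list", "set"}
# Every access-policy secret permission; a policy entry of ["all"] expands to this.
ALL_SECRET_PERMISSIONS = {"get", "list", "set", "delete", "backup", "restore", "recover", "purge"}
# Built-in RBAC roles whose data actions cover get/list/set on secrets
# (assumption based on the built-in role definitions). Key Vault Secrets User
# is read-only and so cannot Set.
SUFFICIENT_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer"}

# Constructed sample shaped like `az keyvault show` output; IDs are made up.
SAMPLE_VAULT_JSON = """
{
  "name": "kv-app-prod",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-0000-0000-0000-000000000001",
       "permissions": {"keys": [], "secrets": ["Get", "List", "Set", "Delete", "Purge"], "certificates": []}},
      {"objectId": "11111111-0000-0000-0000-000000000002",
       "permissions": {"keys": ["Get"], "secrets": ["Get", "List"], "certificates": []}},
      {"objectId": "11111111-0000-0000-0000-000000000003",
       "permissions": {"keys": [], "secrets": ["Get", "List", "Set"], "certificates": []}}
    ]
  }
}
"""
# Constructed sample of a vault on the RBAC permission model.
SAMPLE_VAULT_RBAC_JSON = """
{"name": "kv-app-rbac", "properties": {"enableRbacAuthorization": true, "accessPolicies": []}}
"""
# Constructed sample shaped like `az role assignment list` output at vault scope.
SAMPLE_ROLE_ASSIGNMENTS_JSON = """
[
  {"principalId": "11111111-0000-0000-0000-000000000002",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-app-prod"},
  {"principalId": "11111111-0000-0000-0000-000000000003",
   "roleDefinitionName": "Key Vault Secrets Officer",
   "scope": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-app-prod"}
]
"""


def audit_access_policy(vault_json, sp_object_id):
    """Check the access-policy entry for sp_object_id against REQUIRED.

    Returns a dict with model ("access-policy" or "rbac"), found, missing,
    excess and ok. When the vault uses the RBAC permission model, Azure ignores
    access policies, so ok is None and audit_rbac_roles() must be used instead.
    """
    props = json.loads(vault_json)["properties"]
    if props.get("enableRbacAuthorization"):
        return {"model": "rbac", "found": None, "missing": set(), "excess": set(), "ok": None}
    for policy in props.get("accessPolicies", []):
        if policy["objectId"].lower() != sp_object_id.lower():
            continue
        granted = {p.lower() for p in policy["permissions"].get("secrets", [])}
        if "all" in granted:
            granted = set(ALL_SECRET_PERMISSIONS)
        missing = REQUIRED - granted
        excess = granted - REQUIRED  # anything beyond least privilege
        return {"model": "access-policy", "found": True, "missing": missing,
                "excess": excess, "ok": not missing and not excess}
    return {"model": "access-policy", "found": False, "missing": set(REQUIRED),
            "excess": set(), "ok": False}


def audit_rbac_roles(assignments_json, sp_object_id):
    """For an RBAC-model vault: (ok, roles), ok being True when one of the
    principal's role assignments at this scope is in SUFFICIENT_ROLES."""
    roles = {a["roleDefinitionName"] for a in json.loads(assignments_json)
             if a["principalId"].lower() == sp_object_id.lower()}
    return bool(roles & SUFFICIENT_ROLES), roles


if __name__ == "__main__":
    for suffix in ("1", "2", "3", "4"):
        oid = "11111111-0000-0000-0000-00000000000" + suffix
        print(oid, audit_access_policy(SAMPLE_VAULT_JSON, oid))
    print("rbac vault:", audit_access_policy(SAMPLE_VAULT_RBAC_JSON, "11111111-0000-0000-0000-000000000003"))
    print("rbac roles:", audit_rbac_roles(SAMPLE_ROLE_ASSIGNMENTS_JSON, "11111111-0000-0000-0000-000000000003"))
```

The object ID to pass is the service principal's (Enterprise application) object ID, not the app registration's object ID; the two differ, and an access policy written for the wrong one silently grants nothing. Excess permissions such as Delete or Purge are reported as a failure on purpose: the credential secret is a long-lived NHI, and the connector has no legitimate use for them.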

Managing External Secrets

  1. Log into Secret Server.
  2. Navigate to Secrets > External Secrets. The External Secret grid appears.

    After you have linked at least one external vault, you will see a list of external secrets here.

  3. In the grid you can:

    • Search for a specific secret.
    • View all secrets, enabled or disabled.
    • View only “enabled” or “disabled” secrets.
    • View or manage permissions.
    • View audit events.
    • View the log.
  4. Select a secret in the grid. Now, you can perform a few more actions:

    • Set remote value: Sets a new value on the external secret in AKV.

    • View remote value: View the current value on the external secret in AKV.

    • Push: Propagate the current values from the linked master secret in Secret Server to the external secret(s) in AKV.

    • Edit: Modify the secret and set properties.

    • Enable or disable synchronization for the secret.

    • Select a secret to link to. That secret serves as the master secret in Secret Server.

      You can link one or more external secrets to a single master secret. You can sync the same secret/vault from a single master secret to secrets in multiple key vaults.

    • Perform Remote Password Changing (RPC) on the master, which propagates to all the enabled linked external secrets.

    • Transform, which allows you to select the fields you want updated on the external secret(s).

      Transforms are defined in the secret template for the master secret. For example, Password (password) links the password field from the master secret and updates all linked enabled external secrets with the value of password field.

      You can also define a string format and insert field values from the master secret using $secret.slug.<field slug> notation. For example, the format Password: $secret.slug.password substitutes the master secret's password value (for example 1234pass) into the string that is written to the external secret. In the Transform box you can type or paste the slug name, or click the + sign to add it.
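To make the notation concrete, here is an added Python model of how such a format string resolves. It is illustrative code, not Secret Server's implementation: it assumes resolution is plain textual substitution of $secret.slug.<field slug> tokens, treats a slug the master secret does not have as an error rather than leaving the literal placeholder in the vault, and uses constructed sample master-secret fields.

```python
import re

# A placeholder is $secret.slug.<field slug>; slug characters are an assumption.
PLACEHOLDER = re.compile(r"\$secret\.slug\.([A-Za-z0-9_-]+)")

# Constructed sample of the master secret's fields, keyed by field slug.
SAMPLE_MASTER = {"domain": "contoso.com", "username": "svc-app", "password": "1234pass"}


def unresolved_slugs(fmt, master_fields):
    """Slugs referenced in fmt that the master secret does not provide."""
    return [s for s in PLACEHOLDER.findall(fmt) if s not in master_fields]


def resolve_transform(fmt, master_fields):
    """Substitute every placeholder in fmt with the master secret's field value.

    Raises KeyError on an unknown slug so a literal '$secret.slug.x' string is
    never pushed to the external vault as if it were the real value.
    """
    missing = unresolved_slugs(fmt, master_fields)
    if missing:
        raise KeyError(f"master secret has no field(s) with slug {missing}")
    # A function replacement is used so backslashes in field values are kept literally.
    return PLACEHOLDER.sub(lambda m: master_fields[m.group(1)], fmt)


if __name__ == "__main__":
    # The page's example: the password field alone.
    print(resolve_transform("Password: $secret.slug.password", SAMPLE_MASTER))
    # Composing several fields into one external secret value (DOMAIN\user:password).
    print(resolve_transform("$secret.slug.domain\\$secret.slug.username:$secret.slug.password",
                            SAMPLE_MASTER))
```

A composed value like the second one is itself a secret once resolved: treat the transform output with the same care as the password field, and do not log it.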

Bulk Operations with the External Secret Grid

The external secret grid provides a central location in Secret Server to manage external secrets. When selecting external secrets in the grid, you can select to push or edit these items all at once, which is a bulk operation. This is useful for linking multiple external secrets from one or more vaults to a single master secret.

Performing a bulk operation on multiple external secrets:

  1. Select all or a few secrets from the grid.

  2. Push and Edit are now available actions for these secrets.

    • Push allows for changes from the master secret or secrets in Secret Server to affect the linked secrets in AKV.

    • Edit allows you to perform additional bulk actions such as:

      • Toggle the Synchronization enabled/disabled state.

      • Select Apply to all or Cancel.

        The heading shows the number of secrets that will be affected by this bulk action.

Simultaneously Creating Master and External Secrets in AKV

How to create a new master secret along with an external secret at the same time in AKV:

  1. Access Secret Server.
  2. Create a secret using any template. For this example, use the Azure AD Account secret template.
  3. Fill in the secret name, domain, username and password fields and select Create Secret. The secret loads automatically on the screen.
  4. Select External Secrets from the left-hand menu.
  5. Click Create, then select Create external secret from the drop-down.
  6. Type in the name of the External secret.

  7. Choose the External vault where you want to create this secret from the drop-down.

  8. Choose whether to enable Synchronization or not by selecting the checkbox.

  9. For Linked Secret, click on No secret selected and choose the secret you just created.

  10. If you want to sync any fields with the external secret, add those to the Transform section.

  11. From the Merge secret field drop-down choose Password (password) to sync passwords from the master secret to the linked secret in AKV.

  12. Select Save to keep your changes.