Azure Key Vault Integration

Introduction

Azure Key Vault (AKV) Integration simplifies management and governance of NHIs (non-human identities) and secrets held in the CSP's native vaults. With AKV integration you can centrally manage and update secrets in one or more Azure Key Vaults and rotate passwords or values more frequently. With fine-grained roles and permissions, audit and logging, AKV integration provides increased governance, visibility, and awareness of secrets managed in Azure Key Vault without affecting development velocity or processes. AKV integration is available on Secret Server Cloud, the Delinea Platform, and Secret Server On Premises.

With Azure Key Vault Connector, you can:

  • Link external vaults to Secret Server.
  • Identify and categorize non-human identities into folders.
  • Manage and sync secrets from external vaults to a central Delinea vault.
  • Control access by applying fine-grained permissions.
  • Regularly rotate secrets to maintain a strong security posture.
  • Use Secret Server to keep external vaults in sync.

What is Azure Key Vault?

Azure Key Vault (AKV) is a secure cloud service provided by Microsoft Azure for storing and managing sensitive information such as secrets, encryption keys, and certificates. It offers two service tiers: Standard, which uses software encryption, and Premium, which includes hardware security module (HSM) protection. The Delinea AKV connector is a connection to AKV with GUI elements on the Secret Server side.

Key features of AKV include:

  • Access Control: Uses Azure role-based access control (RBAC) for the management plane and either RBAC or key vault access policies for the data plane.
  • Auditing and Monitoring: Provides logging capabilities for all key vault operations.
  • Certificate Management: Enables easy provisioning, management, and deployment of TLS/SSL certificates.
  • Encryption: All secrets are encrypted at rest using a hierarchy of encryption keys protected by FIPS 140-2 compliant modules.
  • Key Management: Facilitates the creation and control of encryption keys used to protect data.
  • Secrets Management: Securely stores and controls access to tokens, passwords, API keys, and other sensitive data.

AKV helps solve various security challenges in cloud environments, supporting the "use least privilege access" principle of the zero trust security strategy. It centralizes the storage of application secrets, reducing the chances of accidental leaks. To use AKV, it must be associated with a resource group within the same application/environment combination. Access to AKV is controlled through two interfaces: the management plane for managing the vault itself, and the data plane for working with the stored data.

What Is Distributed Vaulting?

Distributed vaulting is a security approach that stores and manages sensitive data, such as encryption keys, secrets, and certificates, across multiple locations, systems, or environments. This decentralized architecture provides several benefits:

  • Centralized Secret Control: Store, manage, and rotate secrets from a single interface. Enforce consistent access policies and permissions across all secrets. Unified view of all secrets with a single source of truth.
  • Competitive Advantage: By implementing distributed vaulting, organizations can gain a competitive advantage by enhancing security, agility, compliance, and customer trust while reducing costs and improving business continuity.
  • Enhanced Availability: Data is available even if one location or system is compromised or experiences downtime.
  • Improved Development Environment: Securely manage all cloud secrets without impacting developer velocity or CI/CD pipelines. CI/CD (Continuous Integration/Continuous Deployment) pipelines are automated workflows that streamline the software development process. They integrate, test, build, and deploy code changes, ensuring faster, more reliable, and higher-quality software releases.
  • Improved Security: By spreading sensitive data across multiple locations, you reduce the attack surface and make unauthorized access more difficult.
  • Increased Scalability: Distributed vaulting allows for easier expansion and adaptation to growing security needs.
  • Reduced Single Point of Failure: No single location or system holds all sensitive data, minimizing the risk of catastrophic data loss.

Terminology and Concepts

AKV integration uses several new terms and concepts. Some of the term definitions are slightly different from common usage.

Auditing

All changes to linked secrets are audited, and the audit grid indicates how many items were changed. Expanding the panel by clicking on the row shows the changeset that includes the changes for each update. Permission updates include which permissions were assigned to or removed from which user.

Creating a Vault

"Creating a vault" links an existing external vault to Secret Server. You are not creating the actual external vault. That is, you are creating its internal representation within Secret Server and associating it with the external vault. The name must exactly match the name of an already existing external vault. The credential secret should have Get, List, and Set permissions within Azure under Secret Management Operations.

New Vault Initial State

After successfully validating the connection to the external vault, you are prompted to pull in the matching information from the vault. This process only creates links inside Secret Server to the existing external secrets. At this point, no data is updated in the external vault.

Secrets first appear as disabled. A disabled secret means Secret Server will not push or pull any data to or from the external vault for that secret.

External Secret

An external secret is a secret inside Secret Server that is linked with a secret in an external vault. It is called an external secret because it represents a linked secret in the other vault.

In short, an external secret is mostly just a metadata mapping to a secret in the external vault.

External Secret Fields

An external secret contains the following fields, which are available on the External Secret page:

  • External Vault: The vault on the external machine that contains its matching secret.
  • Name: The name of the secret, which cannot be changed.
  • Last Push: Indicates the last time a change was pushed to the linked secret on the external vault.
  • Linked Secret: A secret in Secret Server that is connected to the external secret and thus to a secret in the external vault. Any changes to it are pushed to the external secret.
  • Transform: The formula used to push changes to the linked secret on the external server. For example, Machine: $secret.field.machine; Password: $secret.field.password would push the values of the machine and password fields into the linked secret in the external vault. A formula editor shows the available fields once a secret is selected.

An external secret can have one of the following states:

  • Enabled: Indicates the secret is live and any change to it triggers an update to the external vault.
  • Disabled: Indicates the secret cannot receive any changes. That is, no data is pushed to or pulled from the external vault for this secret.

External Secret Actions

There are several actions that can be taken with an external secret:

  • Set External Value: This function accepts any text and assigns it to a secret in the external vault. It does not require a linked secret or transform; it ignores both and simply assigns the value that is entered.
  • View External Value: View the current value of a secret in the external vault, not necessarily a linked secret.
  • Push: Merge the transform data from the linked secret and update the value in the external vault. A new version of the external secret is added only if the value has changed.
  • Edit: Edit the secret's metadata.

External Secret Grid

The external secret grid provides a central location in Secret Server to manage external secrets. When selecting external secrets in the grid, you can choose to push or edit these items. Bulk edits allow you to update and link multiple external secrets at once.

External Vault

An external vault is a vault outside of Secret Server, in this case one hosted by AKV. That external vault is where default permissions are assigned via the connector, and you can perform a couple of actions on that vault:

  • Push: Update any active secrets in the external vault that are linked with a transform to Secret Server.
  • Pull: Retrieve all the secret names in the external vault and create a pointer record for each.
  • Synchronize: Performs a pull (from the external vault) and then a push (to the external vault). Once completed, both Secret Server and the external vault are updated with the other's changes.

Permissions

Permissions are assigned to the external vault, and any secret within the vault uses those permissions by default. On each secret, you can override the vault permissions if needed and assign completely different permissions.

It is essential to assign the Azure Key Vault Secret Officer permission on the key vault(s) you want to manage. If you don't set this permission for the application registration, the integration fails.

Role Permissions

Search for Roles and select the Administrator role. Access the Permissions tab to set the following permissions:

  • Create External Vault Links: Allows you to set up a connection to an existing external vault. You can then assign permissions to other users.
  • View External Vaults: Allows you to access the external vault feature, but you cannot manipulate external vaults.

External Vault Permissions

Vault permissions govern what a Secret Server user can do with the external vault:

  • Edit Vault: Can change the settings for the vault.
  • Edit Vault Permissions: Can assign any permission to any user on the vault.
  • Pull: Can execute a pull on the vault.
  • View External Values: Can view or set a remote value on any secret within the vault. The user also needs "View Remote Value" or "Set Remote Value" on the secret.
  • View Vault: Can view the vault and all information, including permissions.

Vault Secret Permissions

These permissions can be defined on the external vault as well as on each secret. The values assigned on the vault are the default permissions used by any secret that inherits permissions from the vault.

When viewing a Delinea secret, an "External secrets" tab appears that lists all of the external secrets linked to the secret.

External vault secret permissions:

  • Edit External Secret: Allows you to change any of the fields on the secret, including status, linked secret, and transform.
  • Edit External Secret Permissions: Allows you to assign any permission to the secret.
  • Push: Allows you to run the push action, which applies the linked secret to the transform and then pushes or updates that value in the external vault.
  • Set External Secret Remote Value: Allows you to assign a free-form value directly to the external secret. This requires "View External Values" on the parent vault.
  • View External Secret: Allows you to view the secret and any of the associated information such as permissions and auditing.
  • View External Secret Remote Value: Allows you to retrieve and view the actual value of the secret in the external vault. Requires "View External Values" on the parent vault.
  • Azure Key Vault Secret Officer: Allows you to perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the Azure role-based access control permission model. This permission is mandatory for application registration success.
Connecting Secret Server with an AKV—App Registration Process

The following procedure makes AKVs available in Secret Server.

1. Go to your Azure portal.

2. Type App registrations in the search bar.

3. Click the All applications tab.

4. Click on the application you want to use, or create a new one.

5. Within the application, find and copy the following values:

  • Application (client) ID.
  • Directory (tenant) ID.

6. Go to Manage > Certificates and Secrets.

7. Click New Client Secret.

8. Enter a description for the client secret.

9. Enter an expiration date or keep the default option of 6 months.

10. Click Add to create the secret. The page refreshes automatically with the secret details on display.

11. Copy the Value that is generated; you will need it for secret creation in Secret Server.

  You must copy the Value at the time of client secret creation, as Azure will not allow you to go back and copy the value later. If you do not copy the value at this time, you have to create a new client secret.

12. In Secret Server, create a new secret using the Azure Application Registration template, and fill in the following fields:

  1. Secret Name

  2. Client ID (from the Azure application)

  3. Client Secret (the Value you saved upon Azure secret creation)

  4. Tenant ID (from the Azure application)

  5. (Optional) Notes

  6. (Optional) Site

13. Click Create Secret to save your changes. The Overview page for your new secret loads automatically. The Password Compliance test runs automatically, verifying the expiration date given.

  This is the secret that needs proper access to query and write to AKV; it is used for all connections.

  The minimum permissions required for this secret in Azure under Secret Management Operations are: Get, List, Set.

1. In the Azure Portal, search for Key Vaults and select or create one.
2. Go to Access Control (IAM) for the Key Vault you wish to access.
3. Select the Roles tab.
4. Search for the Key Vault Secret Officer role and select the checkbox.
5. Click Add and select Add Role Assignment. The list of available Roles loads.
6. Search for the Key Vault Secret Officer role.
7. Select the Members tab.
8. Choose what type of member to assign access to: either User, group, or service principal, or Managed identity.
9. For this example, choose the first option.
10. Click + Select Members; a side panel opens where you can search for the user you wish to assign. In this case, select the application you created earlier, e.g. "Azure Key Vault Delinea Integration".
11. Click Next.
12. On the Review + assign tab, click the Review + assign button if all details are correct. The process takes a moment to finish.
13. In Secret Server, search for and select Roles.
14. Create a new role called Key Vault Secret Officer.
15. Under the Permissions tab for that role, change the Scope to All, and click Edit.
16. Search for View External Vaults and Create External Vault Links, and add both permissions to this role.
17. Access Users and create a new user, making sure the domain is the same as the one used to access your Azure Portal.
18. In the Roles tab for this user, select Edit.
19. Search for the role you just created and add it to this user.
20. Search for and select External Secrets.
21. Click the Create external vault link button. The Create external vault link page appears.
22. Select a Credential Secret by clicking the No secret selected button.
23. A list of secrets with the Azure Application Registration template loads automatically.
24. Select the secret you created in the previous section in Secret Server. It should load with the green Connected status.
25. Set the Input Type to Manual Entry.
26. In the External Name field, type the name of the Azure key vault you want to connect with. The name must be an exact match with the name of the key vault in the portal.
27. The Display Name field automatically updates to match the External Name value.
28. Click the Save button.
29. You are prompted to synchronize the external vault. This step performs a pull on the vault and then a push on each active and linked external secret. This pulls all the secrets from the linked AKV into the Secret Server UI.
  This is where an error usually occurs if setup in the Azure portal wasn't done correctly.
30. Synchronize the vault. The external vault summary page shows these results:

  • Name of the vault.

  • State: enabled or disabled.

  • Last pull status.

  • Number of external secrets.

  • Credential secret used.

31. Select the External Secrets tab to view the list of external secrets.
32. Change the Synchronization filter to All states to view the full list of external secrets. All external secrets are initially disabled, which means no secrets are synchronized from Secret Server to the AKVs.
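The synchronize step above is where a wrong vault name, an expired client secret, or a missing Key Vault Secret Officer assignment first surfaces. The following preflight is an added example (not Delinea or Microsoft code) that exercises the minimum Get, List and Set operations with the same Tenant ID, Client ID and Client Secret values as the Azure Application Registration template; it assumes the azure-identity and azure-keyvault-secrets packages, the environment variable names at the bottom, and the exception-to-cause mapping in diagnose(), which is a heuristic of this example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class AppRegistration:
    """Fields of the Azure Application Registration template secret."""
    tenant_id: str      # Directory (tenant) ID
    client_id: str      # Application (client) ID
    client_secret: str  # the client secret Value copied at creation time


def vault_url(external_name: str) -> str:
    """The data-plane URL is derived from the vault name, so External Name must match it exactly."""
    return f"https://{external_name}.vault.azure.net/"


def diagnose(exc: Exception) -> str:
    """Map an Azure SDK exception to the setup step to recheck (heuristic chosen for this example)."""
    kind = type(exc).__name__
    if kind == "ClientAuthenticationError":
        return "credential: recheck Tenant ID, Client ID and the Client Secret value, or whether the client secret has expired"
    if kind == "HttpResponseError" and getattr(exc, "status_code", None) == 403:
        return "authorization: the app registration needs the Key Vault Secret Officer role (Get, List, Set) on this vault"
    if kind == "ServiceRequestError":
        return "vault name: the vault could not be reached; External Name must exactly match the key vault name"
    return f"unexpected: {kind}: {exc}"


def preflight(reg: AppRegistration, external_name: str, probe_name: str = "delinea-preflight-probe") -> Dict[str, str]:
    """Exercise List, Set and Get against the vault; returns 'ok' or a diagnosis per operation."""
    # Imported here so diagnose() and vault_url() stay usable without the Azure SDK installed.
    from azure.identity import ClientSecretCredential
    from azure.keyvault.secrets import SecretClient

    credential = ClientSecretCredential(reg.tenant_id, reg.client_id, reg.client_secret)
    client = SecretClient(vault_url=vault_url(external_name), credential=credential)
    operations = (
        ("List", lambda: next(iter(client.list_properties_of_secrets()), None)),
        ("Set", lambda: client.set_secret(probe_name, "preflight")),  # writes a probe secret; delete it afterwards
        ("Get", lambda: client.get_secret(probe_name)),
    )
    results: Dict[str, str] = {}
    for op, call in operations:
        try:
            call()
            results[op] = "ok"
        except Exception as exc:  # every failure is reported per operation rather than raised
            results[op] = diagnose(exc)
    return results


if __name__ == "__main__":
    import os
    # Environment variable names are an assumption of this example.
    registration = AppRegistration(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_CLIENT_SECRET"])
    for op, status in preflight(registration, os.environ["AKV_EXTERNAL_NAME"]).items():
        print(f"{op}: {status}")
```

The Set probe leaves a secret named delinea-preflight-probe in the vault, so remove it once the check passes.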

Managing External Secrets

1. In Secret Server, search for and select External Secrets. The External Secret grid appears. After you have linked at least one external vault, you will see the list of external secrets here.
2. In the grid you can:

  • Search for a specific secret.
  • View all secrets, enabled or disabled.
  • View only "enabled" or "disabled" secrets.
  • View or manage permissions.
  • View audit events.
  • View the log.

3. Select a secret in the grid. Now you can perform a few more actions:

  • Set remote value: Sets a new value on the external secret in AKV.

  • View remote value: View the current value of the external secret in AKV.

  • Edit the secret and set properties.

  • Enable or disable synchronization for the secret.

  • Select a secret to link to. That secret serves as the master secret in Secret Server. You can link one or more external secrets to a single master secret. You can sync the same secret or vault from a single master secret to secrets in multiple key vaults.

  • Perform Remote Password Changing (RPC) on the master, which propagates to all the enabled, linked external secrets.

  • Transform, which allows you to select the fields you want updated on the external secrets. Transforms are defined in the secret template for the master secret. For example, Password (password) links the password field from the master secret and updates all linked, enabled external secrets with the password field's value.

    You can also define a string format and insert field values from the linked secret using the $secret.slug notation (for example, $secret.slug.password).

    For example, the transform Password: $secret.slug.password sets the external secret value to Password: 1234pass, where 1234pass is the actual password from the master secret. In the Transform editor you can paste the slug name or simply click the + sign to add it to the transform box.
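The transform placeholders described here and under External Secret Fields, together with the push rules (disabled secrets are never pushed, a new version only when the value changes, Set External Value bypasses the transform, RPC on the master propagating to every enabled linked secret), can be modelled end to end. The block below is an added example of that model, not Delinea's code: the ExternalSecret class, the versions list standing in for the AKV secret versions, and the accepted placeholder syntax ($secret.field.<name> and $secret.slug.<name>) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Placeholders as written in the transform editor: $secret.field.<name> or $secret.slug.<name>
PLACEHOLDER = re.compile(r"\$secret\.(?:field|slug)\.([A-Za-z0-9_-]+)")


def apply_transform(transform: str, master_fields: Dict[str, str]) -> str:
    """Expand every placeholder in the transform with the master secret's field value."""
    def expand(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in master_fields:
            raise KeyError(f"master secret has no field '{name}'")
        return master_fields[name]
    return PLACEHOLDER.sub(expand, transform)


@dataclass
class ExternalSecret:
    """One external secret: metadata in Secret Server plus the value versions held in AKV."""
    name: str
    enabled: bool = False                             # newly pulled links start disabled
    linked_secret: Optional[Dict[str, str]] = None    # fields of the master secret, if linked
    transform: str = ""
    versions: List[str] = field(default_factory=list)  # values in the external vault, oldest first

    def external_value(self) -> Optional[str]:
        """View External Value: the current value in the external vault, if any."""
        return self.versions[-1] if self.versions else None

    def set_external_value(self, value: str) -> None:
        """Set External Value: assign free-form text, ignoring linked secret and transform."""
        self.versions.append(value)

    def push(self) -> str:
        """Push: merge the transform with the linked secret; add a version only if the value changed."""
        if not self.enabled:
            return "skipped (disabled)"
        if self.linked_secret is None or not self.transform:
            return "skipped (no linked secret or transform)"
        value = apply_transform(self.transform, self.linked_secret)
        if value == self.external_value():
            return "unchanged"
        self.versions.append(value)
        return "pushed"


def bulk_push(secrets: List[ExternalSecret]) -> Dict[str, int]:
    """Push a grid selection at once and summarise the outcome per secret."""
    summary: Dict[str, int] = {}
    for secret in secrets:
        outcome = secret.push()
        summary[outcome] = summary.get(outcome, 0) + 1
    return summary


def rotate_master(master: Dict[str, str], new_password: str, linked: List[ExternalSecret]) -> Dict[str, int]:
    """RPC on the master: change its password, then propagate to every linked external secret."""
    master["password"] = new_password
    return bulk_push([s for s in linked if s.linked_secret is master])
```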

Bulk Operations with the External Secret Grid

The external secret grid provides a central location in Secret Server to manage external secrets. When selecting external secrets in the grid, you can choose to push or edit these items all at once, which is a bulk operation. This is useful for linking multiple external secrets from one or more vaults to a single master secret.

To perform a bulk operation:

1. Select two or more secrets from the grid.

  The Push and Edit actions are now available for use on these secrets.

2. Push changes from the master secret or secrets in Secret Server to the linked secrets in AKV, while Edit performs additional bulk actions such as:
  • Toggling the enabled/disabled state.
  • Selecting a linked secret (the master secret).
  • Performing transform actions such as updating the password or adding information.

3. Select Apply to all to save your bulk edits, or Cancel to return to the grid.

  The heading shows the number of secrets that will be affected by this bulk action.

Simultaneously Creating Master and External Secrets in AKV

There may be times when you want to create a new master secret along with an external secret in AKV at the same time:

1. Create a secret in Secret Server using any template. This example uses the Azure AD Account template.
2. Type the basic information such as secret name, domain, username, and password.
3. Click the External Secrets tab.
4. Click Create and choose Create external secret from the dropdown.
5. Type the following information into the Create external secret page:

  • Name of the secret.

  • External vault: Choose the external vault where you want to create this secret.

  • Synchronization: Enabled or not.

  • Linked Secret: The secret you just created.

6. If you want to sync any fields with the external secret, add those to the Transform section.
7. Merge the secret field Password (password) to sync passwords from the master secret to the linked secret in AKV.
8. Select Save to keep your changes. The new external secret page loads.
9. Select Push to sync the new secret to the portal, and reload it to verify that the changes synced.