Use Azure Key Vault from a Web App

Reference

Prerequisites:

Setup Azure Key Vault

NuGet packages

Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory
Install-Package Microsoft.Azure.KeyVault

web.config

<!-- ClientId and ClientSecret refer to the web application registration with Azure Active Directory -->
<add key="ClientId" value="clientid" />
<add key="ClientSecret" value="clientsecret" />

<!-- SecretUri is the URI for the secret in Azure Key Vault -->
<add key="SecretUri" value="secreturi" />
<!-- If you aren't hosting your app as an Azure Web App, then you should use the actual ClientId, Client Secret, and Secret URI values -->
Utility code

//add these using statements
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System.Threading.Tasks;
using System.Web.Configuration;

public static class Utils
{
    //this is an optional property to hold the secret after it is retrieved
    public static string EncryptSecret { get; set; }

    //the method that will be provided to the KeyVaultClient
    public static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var authContext = new AuthenticationContext(authority);
        ClientCredential clientCred = new ClientCredential(WebConfigurationManager.AppSettings["ClientId"],
                    WebConfigurationManager.AppSettings["ClientSecret"]);
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

        if (result == null)
            throw new InvalidOperationException("Failed to obtain the JWT token");

        return result.AccessToken;
    }
}
// Using a Client ID and Client Secret is one way to authenticate an Azure AD application.
// Using it in your web application allows for a separation of duties and more control over your key management.
// However, it does rely on putting the Client Secret in your configuration settings.
// For some people, this can be as risky as putting the secret you want to protect directly in your configuration settings.

Retrieve the secret on Application Start

//add these using statements
using Microsoft.Azure.KeyVault;
using System.Web.Configuration;

// I put my GetToken method in a Utils class. Change for wherever you placed your method.
// These lines use await, so the enclosing method must be async.
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Utils.GetToken));
var sec = await kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]);

//I put a variable in a Utils class to hold the secret for general application use.
Utils.EncryptSecret = sec.Value;
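
One way to check the SecretUri setting and the resource passed to GetToken before any token is requested, as an added example that is not code from the original post. KeyVaultGuards and its members are hypothetical names, and the host suffix and resource value assume the Azure public cloud.

```csharp
using System;
using System.Linq;

// Added example; KeyVaultGuards and its members are hypothetical names.
// Assumption: Azure public cloud (other clouds use different suffixes).
public static class KeyVaultGuards
{
    private const string VaultHostSuffix = ".vault.azure.net";
    private const string VaultResource = "https://vault.azure.net";

    // Accepts only https://<vault>.vault.azure.net/secrets/<name>[/<version>].
    public static bool IsTrustedSecretUri(string value)
    {
        Uri uri;
        if (!Uri.TryCreate(value, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps || !uri.IsDefaultPort) return false;
        if (uri.UserInfo.Length != 0) return false;

        string host = uri.Host;
        if (!host.EndsWith(VaultHostSuffix, StringComparison.OrdinalIgnoreCase)) return false;
        // The vault name must be one DNS label: ASCII letters, digits, hyphens.
        string vault = host.Substring(0, host.Length - VaultHostSuffix.Length);
        if (vault.Length == 0) return false;
        if (!vault.All(c => (c < 128 && char.IsLetterOrDigit(c)) || c == '-')) return false;

        string[] parts = uri.AbsolutePath.Trim('/').Split('/');
        return (parts.Length == 2 || parts.Length == 3)
            && string.Equals(parts[0], "secrets", StringComparison.OrdinalIgnoreCase)
            && parts.All(p => p.Length > 0);
    }

    // The resource handed to the AuthenticationCallback comes from the server's
    // challenge; request a token only when it names the Key Vault resource.
    public static bool IsExpectedResource(string resource)
    {
        return resource != null && string.Equals(
            resource.TrimEnd('/'), VaultResource, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample values, not taken from a real deployment.
        string[] samples = {
            "https://mykeyvault.vault.azure.net/secrets/MyPassword",
            "http://mykeyvault.vault.azure.net/secrets/MyPassword",
            "https://mykeyvault.vault.azure.net.example.test/secrets/MyPassword",
            "https://mykeyvault.vault.azure.net/keys/MyKey" };
        foreach (string s in samples)
            Console.WriteLine("{0,-5} {1}", IsTrustedSecretUri(s), s);
        Console.WriteLine(IsExpectedResource("https://vault.azure.net"));
    }
}
```

IsTrustedSecretUri belongs before the GetSecretAsync call, and IsExpectedResource at the top of GetToken, so a tampered SecretUri setting cannot cause the client secret to be used on behalf of another host.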

 

Setup Azure Key Vault

This post is a simple walkthrough of how to set up Azure Key Vault for use from a web site not hosted on Azure. Reference

Get an Azure account

Go to http://portal.azure.com and set up an account.

Get PowerShell and Azure PowerShell

Go to install PowerShell

After installation is complete, open a PowerShell command prompt and run:

Install-Module -Name AzureRM

Sign in

# Import the module into the PowerShell session
Import-Module AzureRM
# Connect to Azure with an interactive dialog for sign-in
Connect-AzureRmAccount

Create a new resource group

New-AzureRmResourceGroup -Name 'MyResourceGroup' -Location 'East US'

Create an Azure Key Vault

New-AzureRmKeyVault -VaultName 'MyKeyVault' -ResourceGroupName 'MyResourceGroup' -Location 'East US'
  • Vault URI: https://mykeyvault.vault.azure.net/. Apps that use the REST API to access the vault use this URI. Note: the vault must have a globally unique name; mykeyvault is already taken, so use something different.

Add a secret to the Azure Key Vault

$secretvalue = ConvertTo-SecureString '!Passw0rd' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MyPassword' -SecretValue $secretvalue

Secret URI:

https://mykeyvault.vault.azure.net/secrets/MyPassword

To display the URI for this secret, type:

$secret.Id

To view your secret, type:

Get-AzureKeyVaultSecret -VaultName 'MyKeyVault'

Authorize app to access the Azure Key Vault

Note: the service principal name will be the client ID (sometimes referred to as the application ID).

To get secrets

Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToSecrets Get

To access keys

Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToKeys decrypt,sign