Microsoft Azure - Using Azure Key Vaults

To use secure configuration for Azure Functions with Azure Key Vault. You can secure secrets in Azure Key Vault and read them easily in an Azure Function. Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

Why Azure Key Vault?

The main purpose of using Azure key Vault in Microsoft Azure is to encrypt the data of any applications. Following are some of the main purposes to use Azure Key Vault.

1. Securely store secrets and keys: Azure Key Vault is highly secure when it comes to data protection of applications such as keys and secrets. It is protected from users who don't have access to the vaults. and also it protects the other resources which are from Azure accessing the data of your application without sufficient permissions.
2. Centralize application secrets: Azure Key Vault will help you to manage the same data of different applications in a centralized manner where it makes easier for multiple applications to manage the data.
3. Monitor: You can monitor the data of the application which is encrypted ad also you can set up alerts based on the operations performed on the data.
4. Scalability: Azure Key vaults are highly scalable without human intervention. The Azure key vaults will be scaled depending on the data of the application size.

Key Concepts in Microsoft Azure Key Vault

The main purpose of the Azure key vault is to encrypt the data which is stored in Azure Resources. Following are the some of main key points before creating a Microsoft Azure key vault.

1. Key Vault: The key vault in Azure is used to store the keys, secrets, and certificates provided are created by Microsoft Azure.
2. Key: With the help of keys you are going to perform certain operations like encryption, decryption, and signing, and the keys are stored in the key vault.
3. Vault Owner: The owner of the vault will have all the control of the vaults he can manage the keys and secrets or certificates which are stored in that vault. He can perform the tasks like auditing and monitoring and some other tasks which are useful to the vault. You can Assign a Dedicated Key Vault Administrator Role to a User in Azure.
4. Certificates: You can store the certificates like SSL and TSL which are used for web applications.

Features Of Azure Key Vaults

Following are some features of Azure key vaults.

1. Highly Secure: Your data which is stored in the Azure Cloud will be encrypted with the help of Azure Key Vault which is stored in the hardware security modules(HSMs).
2. Monitor and Aduit: The Azure Keys which you are using to encrypt and protect your data will be using pipe logs and event management (SIEM) to continuously manage and analyze the data protection.
3. Integrate With Resources: You can integrate the resources with the Azure Key vaults like Azure Virtual Machines and Azure RBAC and some other resources by which you can encrypt the data with the help of keys stored in the vault.
4. Restore and Backup: You can back up the data which is stored in the key vaults. If you delete the data sometimes it will help you to restore the data also.
5. High Availability: If you store the key vaults in one region there might be a failure of that region so Microsoft Azure will make sure that data is replicated to multiple regions and if any one of the regions fails you can access the data from another region.

How To Configure Azure Key Vault?

Follow the below steps to use secure configuration for Azure functions with Azure key vault: To know more about How to Store and Manage Passwords By Using Azure Key Vault?

Step 1: In Visual Studio,Create a new Azure Function here. You can also use Visual Studio Code or another tool to do this if you want.

Step 2:  Give it a name and hit "Create".

Step 3:  Now, pick the HTTP trigger and set that to anonymous so that you can test it easily.

Step 4: Now, in the function add a couple of lines of code. These read the application settings called, MySecret from the configuration of the function, and it will show the value in the log. 

Step 5: Finally, publish it. Again, create a new Azure Function.

Step 6:  Pick your resource group and select another location. While this is working, switch to the Azure portal.

Step 7: Here, you are going to create an Azure Key Vault. Select your resource group again and give the Key Vault a name. Create it.

Step 8:  Switch to the Azure Function. This has now been published to Azure. Here, you need to go to Platform Features and Identity. Because there you can create an Azure Managed Service Identity for the function, you will use that to connect to Azure Key Vault without needing API keys.

Step 9: Now, go back to the Key Vault that has now been deployed. In here, go to "Access policies", and add one here. 

Step 10: Add an Access policy for the Azure Function Managed Identity and it will be able to do whatever it wants with Key Vault secrets. Save it. 

Step 11: Now add a secret. Generate and import, name it as you want, and give it a value, which is a secret value and create it.

 Step 12: The secret has one version, and has the details. You will need the Secret Identifier, so copy it and now go back to the Azure Function. 

Step 13: Go to Configuration. Here, you will add a new item. The name of the item will be MySecret. This has nothing to do with a Key Vault secret, but it has to do with the value that the code in the Azure function will read. Now, here is a nifty part. In the value, you put this, this format references the Azure Key Vault and gets the secret with the identifier that you have just copied. So you don't have to connect to the Key Vault in any way, just use this format as the Managed Service Identity. Now save it. 

Step 14: Now, test the function and run it. Take a look at the log. The secret value comes directly from Azure Key Vault. Connecting Azure Key Vault to Azure Functions is easy. 

Hence, this is how you can use Azure Functions and secure configuration with Azure  Key Vaults.

Creating a Key Vault in Azure Using Azure CLI

You can setup Azure Key Vault with the help of Azure CLI by following the steps mentioned below:

Step 1: Sign into the Azure account by using the following command.

az login

Step 2: You can create the Azure Key Vault by using the following command.

az keyvault create --name <key_vault_name> 
--resource-group <resource_group_name> 
--location <azure_region>

Replace the name of the key vault with the name you required as well as the resource group name and also the region where you should need to configure the Azure Key Vault.

By following the steps mentioned above you can easily create the Azure Key Vault with the help of Azure CLI.

Pricing of Microsoft Azure Key Vault

The price of Azure Key Vault will depend upon the various factories as follows.

1. For the cryptographic assets such as keys, secrets, and certificates, in Azure Key Vault you will be charged for the usage of the resources it is like a pay-as-you-go model.
2. If you perform operations such as read and write operations will be charged according to the write and read operations you have made.
3. If you have transported the keys and secrets and application certificates in and out you will be charged on the amount of data transferred.
4. If you want to protect the data from deletion you can use certain features from the soft delete you will be charged according to that also.For more details you can refer- How to Create a Key Vault with Purge Protection Enabled in Azure, article.