Store sensitive information with Azure Key Vault

Azure Key Vault is a service that lets you keep and manage passwords, certificates and other sensitive information securely. Out of the box it gives you permission management, with full control over who has access to a particular type of information.

We can keep and securely manage three types of object:

  • Keys
  • Secrets
  • Certificates

Each item can be given a validity period and, if needed, an activation date in the future.

In this post I'm going to focus on Secrets, where you can store:

  • passwords
  • connection strings
  • logins
  • usernames
  • tokens
  • … and other sensitive strings

To find out more, check Microsoft's documentation page.

Create new KeyVault

Go to the Azure Portal, find “Key Vaults”, open it and click the “Add” button. You will see the “Create key vault” blade. Enter a name for the vault you are creating, select (or create) a Resource Group and select a Location.

Once the new Key Vault is deployed, refresh the list and click its name. You will see the fundamental information about the service, including: name, Location, Subscription name & ID, DNS Name and Pricing tier (SKU).

Create new Key

We are interested in creating a new “secret”, so go to “Secrets” and click the “Generate/Import” button. We use the “Manual” option to type the password in, so choose it, enter a name (it must be unique among the secrets in this Key Vault) and then the sensitive value. Optionally, you can describe the content of the secret for your team.

By default a new secret is enabled (active) and has no expiration date, but you can change that at any time.

Click “Create” and your first password is stored in your Azure Key Vault.

As you can see, all items are versioned. All previous versions of an item are kept; the latest version is the current one, but you always have access to every version if required.
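As an added example (not code from the original post), here are the same two steps done from PowerShell with the AzureRM modules this post uses: create the vault, store a first secret with an activation date and an expiry, and list its versions. The resource group, location, vault name and secret description are assumptions; change them for your own subscription.

```powershell
# Added example, not from the original post. Creates a vault and a first secret with
# an activation date and an expiry, then lists the secret's versions.
Import-Module AzureRM.Resources
Import-Module AzureRM.KeyVault

# Interactive sign-in; the signed-in account creates the vault and gets full access to it.
Connect-AzureRmAccount

$resourceGroup = 'rg-keyvault-demo'     # assumed name
$location      = 'westeurope'           # assumed region
$vaultName     = 'kv-demo-00000'        # assumed name; vault names must be globally unique

# 1. Resource group and vault (the equivalent of Key Vaults -> Add in the portal).
New-AzureRmResourceGroup -Name $resourceGroup -Location $location -Force
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -Location $location

# 2. Store a secret. The value is read as a SecureString, so the plaintext never lands
#    in the command history or transcript. NotBefore activates the secret in the future,
#    Expires ends its validity; both are optional, as in the portal.
$value = Read-Host -Prompt 'Secret value' -AsSecureString
Set-AzureKeyVaultSecret -VaultName $vaultName -Name 'abc-database-password' `
    -SecretValue $value `
    -ContentType 'SQL login password for the abc database' `
    -NotBefore (Get-Date).AddDays(1) `
    -Expires (Get-Date).AddMonths(6)

# 3. Every Set-AzureKeyVaultSecret call for the same name creates a new version;
#    the previous versions are kept and can be listed.
Get-AzureKeyVaultSecret -VaultName $vaultName -Name 'abc-database-password' -IncludeVersions |
    Select-Object Name, Version, Enabled, NotBefore, Expires, Created
```

The ContentType field is what the portal shows as the optional description of the secret; it is metadata only and is not protected, so keep it to a label, never a hint at the value.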

Grant a permission

You can control access to each Azure Key Vault separately, granting permissions to a set of operations on its keys, secrets and certificates. The table below shows which rights you can grant.

Key permissions     Secret permissions    Certificate permissions
---------------     ------------------    -----------------------
Get                 Get                   Get
List                List                  List
Update              Set                   Update
Create                                    Create
Import                                    Import
Delete              Delete                Delete
Recover             Recover               Recover
Backup              Backup                Backup
Restore             Restore               Restore
Decrypt                                   Manage contacts
Encrypt                                   Manage Certificate Authorities
Unwrap key                                Get Certificate Authorities
Wrap key                                  List Certificate Authorities
Verify                                    Set Certificate Authorities
Sign                                      Delete Certificate Authorities
Purge               Purge                 Purge

To grant permissions, select ‘Access policies’ from the menu; you will see the “Add new” button and the list of principals that already have permissions.

For instance, if you want to grant only the “Get” and “List” rights to a particular Azure Data Factory, tick those two checkboxes in the “Secret permissions” field and find the appropriate principal on the list (Select a principal). As you can see, the possibilities for granting rights go far beyond the standard “user” and “group”: you can grant permissions directly to applications or services created in Azure.

Bear in mind that (as usual) the “permission-object” pairs are bound to the object's GUID rather than its name. So once you delete an object and create a new one, even with the same name, the permissions must be reassigned.
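An added example, not from the original post, of the same access-policy step in PowerShell: it grants a Data Factory's managed identity only Get and List on secrets, keyed by the object ID (GUID) the warning above refers to, and then reviews the vault's policies. The resource group, factory and vault names are assumptions, and the factory is assumed to have a managed identity whose PrincipalId is read from the factory object; the cmdlets come from the AzureRM modules used elsewhere in this post.

```powershell
# Added example, not from the original post.
Import-Module AzureRM.KeyVault
Import-Module AzureRM.DataFactoryV2

# Assumed names; change them for your subscription.
$resourceGroup = 'rg-keyvault-demo'
$vaultName     = 'kv-demo-00000'
$factoryName   = 'adf-demo'

# 1. Resolve the principal. Access policies are stored by object ID (a GUID), not by display
#    name, which is why "Select a principal" in the portal ends up saving a GUID.
$factory     = Get-AzureRmDataFactoryV2 -ResourceGroupName $resourceGroup -Name $factoryName
$principalId = $factory.Identity.PrincipalId    # managed identity of the Data Factory

# 2. Grant the minimum the factory needs to read secrets: Get and List, nothing else.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
    -PermissionsToSecrets get,list

# 3. Review who holds what. An entry whose ObjectId no longer resolves to a DisplayName
#    typically belongs to a deleted principal; recreating it under the same name gets a
#    new GUID, so the old entry is dead weight and the new principal has no rights yet.
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Select-Object DisplayName, ObjectId,
        @{ Name = 'Secrets'; Expression = { $_.PermissionsToSecrets -join ',' } },
        @{ Name = 'Keys';    Expression = { $_.PermissionsToKeys -join ',' } }

# 4. Flag policies that grant secret rights beyond get/list; candidates for a least-privilege review.
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { @($_.PermissionsToSecrets | Where-Object { $_ -notin 'get','list' }).Count -gt 0 } |
    Select-Object DisplayName, ObjectId,
        @{ Name = 'Secrets'; Expression = { $_.PermissionsToSecrets -join ',' } }

# 5. Remove a stale entry by its GUID (placeholder GUID below; take the real one from the review output).
# Remove-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId '00000000-0000-0000-0000-000000000000'
```

Running step 3 after deleting and recreating a principal makes the GUID point concrete: the old GUID is still in the policy list without a DisplayName, and the recreated principal is absent until step 2 is repeated with its new PrincipalId.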

Reading the secrets

There are many ways to read data from Key Vault. Many (if not all) services and applications in Azure can fetch a password, connection string or token from it, including Azure Data Factory and Databricks, and you can use any language (.NET, PowerShell, Python) you want to retrieve it.

The following brief example shows how to read a secret using PowerShell.

Import-Module AzureRM.KeyVault

# Sign in first; the vault's access policy must grant this identity "Get" on secrets.
Connect-AzureRmAccount

# Fetch the current version of the secret and print its plaintext value.
$secret = Get-AzureKeyVaultSecret -VaultName 'kv-sqlplayer' -Name "abc-database-password"
Write-Host "Secret Value is:" $secret.SecretValueText
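An added example (not the post's code) of consuming the secret without printing it: it keeps the SecureString form returned by the cmdlet and hands it to a credential object, so the plaintext never reaches the console, a transcript or a pipeline log, and is unwrapped only where the connection string is built. The vault, secret, login and server names are assumptions.

```powershell
# Added example, not from the original post.
Import-Module AzureRM.KeyVault

# Assumed names; adjust for your environment.
$vaultName  = 'kv-sqlplayer'
$secretName = 'abc-database-password'
$sqlLogin   = 'abc_app_user'
$sqlServer  = 'abc-sqlserver.database.windows.net'
$database   = 'abc'

$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName

# SecretValue is a SecureString; wrap it in a PSCredential instead of touching SecretValueText.
$credential = New-Object System.Management.Automation.PSCredential ($sqlLogin, $secret.SecretValue)

# Unwrap only at the point of use, inside the connection string builder.
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']     = $sqlServer
$builder['Initial Catalog'] = $database
$builder['User ID']         = $credential.UserName
$builder['Password']        = $credential.GetNetworkCredential().Password

$connection = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
$connection.Open()
Write-Host "Connected to $database as $($credential.UserName) using secret version $($secret.Version)"
$connection.Close()

# Anything that goes to logs should be metadata only, never the value.
$secret | Select-Object Name, Version, Updated, Expires
```

The difference from the short example above is only where the plaintext exists: in a SecureString and, briefly, inside the connection string, rather than in a Write-Host line that a scheduler or Data Factory run would capture in its output.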

In the next posts, we will be using Key Vault very often.
Thanks & stay tuned.

About author

Kamil Nowinski
Blogger, speaker. Data Platform MVP, MCSE. Senior Data Engineer & data geek. Member of Data Community Poland, co-organizer of SQLDay, Happy husband & father.