Store sensitive information with Azure Key Vault

Azure Key Vault is a service which allows you to keep and manage passwords, certificates and other sensitive information securely. Out of the box it lets you manage permissions, giving you full control over who has access to a particular type of information.

We can keep and securely manage three types of object:

  • Keys
  • Secrets
  • Certificates

Each item can be given a validity period and, if needed, an activation date in the future.

In this post I am going to focus on Secrets, where you can store:

  • passwords
  • connection strings
  • logins
  • usernames
  • tokens
  • … and other sensitive strings

To find out more, check Microsoft's documentation page.

Create new KeyVault

Go to the Azure Portal, find "Key Vaults", click on it and then click the "Add" button. You will see the "Create key vault" section. Define a name for the new vault, select (or create) a Resource Group and select a Location.

Once the new Key Vault is deployed, refresh the list and click on its name. You will see fundamental information about the service, including: name, Location, Subscription name & ID, DNS Name and Pricing tier (SKU).

Create new Key

We are interested in creating a new "secret", so go to "Secrets" and click the "Generate/Import" button. We use the "Manual" method to type the password in, so choose that option, enter a name (it must be unique within this Key Vault) and then the sensitive value. Optionally, you can describe for your team what the secret contains.

By default, a new secret is active (enabled) and has no expiration date, but you can change that at any time.

Click "Create" and your first password is stored in your Azure Key Vault.

As you can see, all secrets are versioned. Every previous version is kept; the latest version is the current one, but you always have access to all versions if required.
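The same steps (create the vault, store a secret with a validity window, rotate it and inspect the versions) can be scripted with the current Az.KeyVault module. This is an added example, not code from the original post; the resource group, vault name, location and the 90-day expiry are assumptions chosen for the demonstration.

```powershell
# Added example (not from the original post): create a vault and a secret with
# Az.KeyVault. Resource group, vault name and location are assumed values.
Import-Module Az.KeyVault

$rg    = 'rg-sqlplayer'        # assumed resource group
$vault = 'kv-sqlplayer-demo'   # assumed vault name (must be globally unique)

# 1. Create the vault (the scripted equivalent of "Create key vault" in the portal)
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location 'westeurope' | Out-Null

# 2. Read the password interactively as a SecureString so it never lands in
#    shell history or a script file
$password = Read-Host -Prompt 'Database password' -AsSecureString

# 3. Store it with an activation date, an expiry and a content-type hint for the team
$secret = Set-AzKeyVaultSecret -VaultName $vault -Name 'abc-database-password' `
    -SecretValue $password `
    -ContentType 'SQL login password for abc-database' `
    -NotBefore (Get-Date) `
    -Expires   (Get-Date).AddDays(90)   # assumed rotation period
"Stored version $($secret.Version), expires $($secret.Expires)"

# 4. Rotating the value creates a new version; the previous one is kept
$rotated = Read-Host -Prompt 'New database password' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vault -Name 'abc-database-password' -SecretValue $rotated | Out-Null

# 5. List every version; callers that omit -Version get the newest enabled one
Get-AzKeyVaultSecret -VaultName $vault -Name 'abc-database-password' -IncludeVersions |
    Select-Object Name, Version, Enabled, Created, Expires |
    Format-Table -AutoSize
```

Setting Expires up front is what makes a forgotten credential show up later as an expired secret instead of silently living forever; it costs one parameter.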

Grant a permission

Access to an Azure Key Vault can be controlled separately for each object type, granting permissions to various sets of operations on them. The table below shows which rights you can grant.

Key permissions:

  • Get
  • List
  • Update
  • Create
  • Import
  • Delete
  • Recover
  • Backup
  • Restore
  • Decrypt
  • Encrypt
  • Unwrap key
  • Wrap key
  • Verify
  • Sign
  • Purge

Secret permissions:

  • Get
  • List
  • Set
  • Delete
  • Recover
  • Backup
  • Restore
  • Purge

Certificate permissions:

  • Get
  • List
  • Update
  • Create
  • Import
  • Delete
  • Recover
  • Backup
  • Restore
  • Manage contacts
  • Manage Certificate Authorities
  • Get Certificate Authorities
  • List Certificate Authorities
  • Set Certificate Authorities
  • Delete Certificate Authorities
  • Purge

In order to grant permissions, select "Access policies" from the menu; you will see the "Add new" button and the list of principals that already have permissions.

For instance, if you want to grant only the "Get" and "List" rights to a particular Azure Data Factory, tick those two checkboxes in the "Secret permissions" field and find the appropriate principal in the list (Select a principal). As you can see, the possibilities for granting rights go far beyond the standard "user" and "group": you can grant permissions directly to applications or services created in Azure.

Bear in mind that (as usual) "permission-object" pairs are based on the object's GUID rather than its name. So once you delete the object and create a new one, even with the same name, the permissions must be reassigned.
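The Data Factory case above, scripted: the access policy is bound to the factory's managed-identity object ID, which is exactly the GUID the warning refers to. This is an added example, not code from the original post; the vault, resource group and Data Factory names are assumptions.

```powershell
# Added example (not from the original post): grant Get/List on secrets to a
# Data Factory's managed identity, addressed by object ID (GUID), not by name.
Import-Module Az.KeyVault, Az.DataFactory

$vault = 'kv-sqlplayer-demo'   # assumed vault name
$rg    = 'rg-sqlplayer'        # assumed resource group
$adf   = 'adf-sqlplayer'       # assumed Data Factory name

# Resolve the factory's system-assigned identity. This GUID is what the
# access policy binds to; recreating the factory yields a new GUID, so the
# policy entry must be created again after a rebuild.
$factory  = Get-AzDataFactoryV2 -ResourceGroupName $rg -Name $adf
$objectId = $factory.Identity.PrincipalId
if (-not $objectId) { throw "Data Factory '$adf' has no managed identity enabled." }

# Least privilege: reading a connection string needs Get (and List for lookups),
# nothing from the Set/Delete/Purge group
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $objectId `
    -PermissionsToSecrets get, list

# Verify what is granted. A row whose DisplayName is empty is typically a
# policy left behind for a principal that no longer exists (a stale GUID).
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Select-Object ObjectId, DisplayName, PermissionsToSecrets |
    Format-Table -AutoSize

# Cleanup when the factory is decommissioned: remove its policy explicitly
# Remove-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $objectId
```

Reviewing the AccessPolicies list this way is also the quickest periodic check that nobody has quietly been granted Purge or Set on a vault that was supposed to be read-only for workloads.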

Reading the secrets

There are countless ways to read data from a Key Vault. Many (if not all) services and applications in Azure can fetch a password, connection string or token, including Azure Data Factory and Databricks, and you can use any language you like (.NET, PowerShell, Python) to retrieve it.

The following brief example shows how to read a secret using PowerShell.

# Load the (AzureRM-era) Key Vault cmdlets
Import-Module AzureRM.KeyVault

# Fetch the current version of the secret from the vault
$secret = Get-AzureKeyVaultSecret -VaultName 'kv-sqlplayer' -Name "abc-database-password"

# SecretValueText is the plaintext value; Write-Host shows it on the console (demo only)
Write-Host "Secret Value is:" $secret.SecretValueText
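The AzureRM module has since been replaced by Az, and the modern cmdlet returns the value as a SecureString rather than plaintext. Below is the equivalent read with Az.KeyVault, written so the secret is not echoed to the console or a pipeline log. This is an added example, not the post's own code; the vault and secret names are the post's, while the login name and server name are assumptions.

```powershell
# Added example (not from the original post): read the same secret with Az.KeyVault.
Import-Module Az.KeyVault

# Get-AzKeyVaultSecret returns the value as a SecureString in .SecretValue;
# there is no plaintext property to print by accident
$secret = Get-AzKeyVaultSecret -VaultName 'kv-sqlplayer' -Name 'abc-database-password'

# Prefer consumers that accept a SecureString directly, e.g. a PSCredential.
# 'abc_login' is an assumed user name.
$cred = New-Object System.Management.Automation.PSCredential ('abc_login', $secret.SecretValue)

# Pin a specific version when a job must not pick up a rotation mid-run
$pinned = Get-AzKeyVaultSecret -VaultName 'kv-sqlplayer' -Name 'abc-database-password' `
    -Version $secret.Version

# Only when a plain string is unavoidable (building a connection string),
# ask for it explicitly and keep it out of Write-Host / transcript output.
# The server name is an assumed placeholder.
$plain = Get-AzKeyVaultSecret -VaultName 'kv-sqlplayer' -Name 'abc-database-password' -AsPlainText
$connectionString = "Server=tcp:abc.database.windows.net,1433;User ID=abc_login;Password=$plain;"
```

The difference from the AzureRM snippet is deliberate: the value only becomes a string at the one place that needs it, so a transcript or CI log of the script does not contain the password.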

In the next posts, we will be using Key Vault very often.
Thanks & stay tuned.
