Beta

AZ-400: Designing and Implementing Microsoft DevOps Solutions

Design and Implement a Strategy for Managing Sensitive Information in Automation

Implement and manage secrets keys and certificates by using Azure Key Vault

Azure Key Vault is a centralized solution for securely storing and managing secrets, cryptographic keys, and certificates in Azure. It helps enforce access policies, integrate with DevOps workflows, and maintain compliance with regulatory standards.

Table of Contents

  1. Overview
  2. Core Features
  3. Managing Secrets
  4. Managing Cryptographic Keys
  5. Managing Certificates
  6. Authentication and Authorization
  7. Access Policies
  8. Monitoring and Logging
  9. DevOps and CI/CD Integration
  10. Automation
  11. Best Practices
  12. Demo: Creating and Managing Secrets
  13. References

Overview

Azure Key Vault streamlines security operations by centralizing storage for secrets, keys, and certificates. It offers:

  • Secure secret, key, and certificate storage
  • Hardware Security Module (HSM) protection
  • Role-Based Access Control (RBAC) with Azure Active Directory
  • Comprehensive logging via Azure Monitor and Azure Security Center
  • Automated key rotation and certificate renewal

The image is a diagram explaining Azure Key Vault, highlighting its role in securely storing secrets, keys, and certificates, with a focus on security for API keys, passwords, connection strings, data protection, and cryptographic operations.

The image is an illustration about Azure Key Vault, highlighting its role in simplifying key management processes and reducing the risk of data breaches.

The image is an illustration about Azure Key Vault, highlighting its role in simplifying key management processes and integrating with Azure and DevOps tools to enhance security.

Core Features

Secure Storage and Management

Azure Key Vault uses certified Hardware Security Modules (HSMs) to protect your data.

Note

Choose the Standard or Premium tier to leverage HSM-backed key protection.

The image illustrates a key feature of Azure Key Vault, highlighting its use of Hardware Security Modules (HSMs) for secure storage and management.

Access Control

Integrate with Azure Active Directory to apply RBAC, granting least-privilege access to secrets, keys, and certificates.

Logging and Monitoring

Stream diagnostic logs to Azure Monitor and Security Center to audit every operation and maintain compliance.

The image outlines key features of Azure Key Vault, focusing on logging and monitoring through Azure Monitor and Azure Security Center to maintain visibility and compliance.

Managing Secrets

Secrets include API keys, passwords, and connection strings needed at runtime.

The image is an infographic titled "Understanding Secrets," illustrating types of sensitive information: passwords, API keys, and connection strings.

Common Use Cases

ScenarioDescription
Database connection stringsSecure credentials for web apps
API keys for external servicesProtect third-party service tokens
Application configuration parametersSecure feature flags and configuration values

Create a Secret

You can use the Azure Portal, CLI, or SDKs.

The image shows a form for creating a secret with fields for name, secret value, and optional settings, alongside options for using Azure Portal, Azure CLI, and Azure SDKs.

Azure CLI example:

az keyvault secret set \
  --vault-name MyKeyVault \
  --name "api-token" \
  --value "mySecretValue"

Retrieve a Secret

az keyvault secret show \
  --vault-name MyKeyVault \
  --name "api-token"

Secret Versioning

Azure Key Vault retains previous versions, supporting rotation and rollback.

The image is a screenshot of a secret management interface showing versioning for a "login-password," with options for creating new versions, refreshing, deleting, and downloading backups. It highlights the ability to manage secret rotations and rollbacks.

Managing Cryptographic Keys

Support for RSA and Elliptic Curve keys enables encryption, decryption, signing, and verification.

The image is a guide on generating and importing keys in Azure Key Vault, showing a form for creating a key with various options and a note about imported keys meeting security standards.

Generate a Key (Azure CLI)

az keyvault key create \
  --vault-name MyKeyVault \
  --name "myRSAKey" \
  --kty RSA \
  --size 2048

Key Rotation and Expiration

Automate rotation to minimize risk by defining policies.

The image illustrates the concept of key rotation and expiration, featuring a circular diagram with sections labeled "Rotation schedules" and "Expiration dates," and a header about automatic key rotation policies.

az keyvault key rotation-policy update \
  --vault-name MyKeyVault \
  --name "myRSAKey" \
  --expires "P90D" \
  --lifetime-actions "[{'trigger':{'lifetimePercentage':85},'action':{'type':'Rotate'}}]"

Managing Certificates

Azure Key Vault handles SSL/TLS, client authentication, and code-signing certificates.

The image illustrates three types of certificates: SSL for securing web traffic, a certificate for authenticating users and devices, and a certificate for verifying the integrity of software.

Certificate lifecycle: issuance, renewal, and revocation.

The image illustrates the stages of Certificate Lifecycle Management: Issuance, Renewal, and Revocation. It mentions that Azure Key Vault simplifies these processes.

Automatic renewal prevents disruptions by integrating with certificate authorities.

Authentication and Authorization

Azure Active Directory manages authentication, while RBAC defines authorization for vault objects.

The image illustrates the relationship between Azure Active Directory (AAD) for authentication and Role-Based Access Control (RBAC) for authorization, explaining how RBAC assigns roles to users, groups, and applications.

Common roles: Owner, Contributor, Reader.

Access Policies

Fine-grained permissions can be assigned for secrets, keys, and certificates via portal, CLI, or PowerShell.

The image shows a user interface for creating an access policy, with options to configure key, secret, and certificate permissions. It includes checkboxes for various management operations like get, list, update, and delete.

Monitoring and Logging

Enable diagnostic logging to capture vault operations and feed them into Azure Monitor for alerts and dashboards.

The image shows a screenshot of Azure Key Vault's diagnostic settings interface, highlighting options for configuring diagnostic logs for detailed operation tracking.

DevOps and CI/CD Integration

Retrieve secrets dynamically in build and release pipelines. Azure DevOps, GitHub Actions, and Jenkins all support Key Vault integration.

The image is about integrating secrets management in CI/CD pipelines, focusing on API keys and connection strings, and emphasizes secure management throughout the development lifecycle.

The image is about integrating DevOps workflows, focusing on secrets management in CI/CD pipelines, featuring Azure DevOps, GitHub Actions, and Jenkins.

Applications authenticate to Key Vault using managed identities or service principals.

The image illustrates the integration of DevOps workflows, showing how applications securely access stored secrets using Azure Key Vault.

Automation

Automate routine tasks—rotation, renewal, and policy updates—using Azure Automation, Logic Apps, or PowerShell.

The image is a slide titled "Integrating With DevOps Workflows," focusing on automating key and certificate management using Azure Automation, Logic Apps, and PowerShell Scripts.

Best Practices

The image outlines best practices for security, including the least privilege principle, regularly reviewing and rotating secrets, and using managed identities for Azure resources.

  • Apply the principle of least privilege.
  • Regularly review and update access policies.
  • Rotate secrets, keys, and certificates on a schedule.
  • Use managed identities to avoid credential leaks.

Warning

Deleting a Key Vault or disabling critical secrets is irreversible. Always back up before removal and test in a non-production environment.

Demo: Creating and Managing Secrets

  1. In the Azure Portal, go to your Key Vault and select Secrets.
  2. Click Generate/Import, provide a name and value, then click Create.
  3. To view or rotate, select the secret and choose New Version.

The image shows a demo interface for creating and managing secrets in a key vault, with options like generating/importing secrets and managing deleted ones. It lists two secrets, "api-token" and "login-password," both enabled.

References

Watch Video

Watch video content

Previous
Introduction
Next
Implement and manage secrets in GitHub Actions and Azure Pipelines