Monday, April 8, 2019

Meet Azure Key Vault

What is Azure Key Vault? Azure Key Vault is a cloud-hosted service offering secure storage and access for certificates, encryption keys, connection strings and other secrets. It streamlines the key management process and gives you full control of the keys used to access and encrypt your data. Administrators can grant and revoke access to keys as needed. A key vault also controls access to everything stored within it.

Applications and Azure resources authenticate to Key Vault to retrieve the secrets. The best authentication method for Azure services is to use a managed identity because it allows Azure services to authenticate to Key Vault or any service that supports Azure AD authentication, without having to include credentials in your code. With Azure Key Vault, applications never have direct access to keys.

Administrators can monitor and audit key use with Azure logging.

Key Vault separates security maintenance from application development. For example, Key Vault secrets can store the connection strings for the various resources accessed by Azure Data Factory (ADF). Administrators can update those connection strings without affecting the ADF pipelines and without having to send the new passwords out to developers.

It only takes a minute or two to create a Key Vault. In the Azure Portal, click Create a resource, search for Key Vault, then click Create.

Next, provide a name for the Key Vault and select a subscription, resource group and location. Finally, select a pricing tier. Refer to https://azure.microsoft.com/en-us/pricing/details/key-vault/ for details on current pricing. Most users will select the Standard tier unless their security policy requires the Premium features.

Once the key vault has been created, keys, secrets, and certificates may be imported or created manually.

To create a secret, click "Secrets", then Generate/Import.


This will open the "Create a secret" dialog. Choose a name for the secret, such as dev-Adventureworks-Connection for the connection string of the Adventureworks database in the development environment. Enter the full connection string in the Value field, write a brief description of the secret in the Content type box, and click "Create" to complete the creation process.
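The same steps can be scripted with the Az PowerShell module, which is handy when a vault and its secrets must be recreated per environment. This is an added example, not part of the original post; the resource group, vault, location and Data Factory names are placeholders, and it assumes the factory already has a system-assigned managed identity.

```powershell
# Added example (not from the original post): scripted equivalent of the portal
# steps above, using the Az PowerShell module. All names below are placeholders.
$ResourceGroup = 'rg-keyvault-demo'   # assumed
$VaultName     = 'kv-demo-dev-001'    # assumed; vault names must be globally unique
$Location      = 'eastus'             # assumed
$FactoryName   = 'adf-demo-dev'       # assumed Data Factory with a system-assigned identity

Connect-AzAccount | Out-Null

# 1. Create the vault on the Standard tier. Purge protection prevents anyone,
#    administrators included, from permanently deleting secrets while they are
#    still in the soft-delete retention window.
New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup `
    -Location $Location -Sku Standard -EnablePurgeProtection | Out-Null

# 2. Store the connection string as a secret. Reading it as a SecureString keeps
#    the value out of the console history; ContentType is the free-form description.
$connStr = Read-Host -Prompt 'Enter the dev Adventureworks connection string' -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'dev-Adventureworks-Connection' `
    -SecretValue $connStr `
    -ContentType 'SQL connection string for Adventureworks (dev)' `
    -Expires (Get-Date).AddDays(90) | Out-Null

# 3. Grant the factory's managed identity read-only access to secrets (get/list
#    only: no keys, no certificates, no set or delete). The pipeline can then
#    retrieve the connection string without any credential in its definition.
$principalId = (Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroup `
    -Name $FactoryName).Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId `
    -PermissionsToSecrets get,list

# 4. Verify: listing returns metadata only, never the secret values.
Get-AzKeyVaultSecret -VaultName $VaultName |
    Select-Object Name, ContentType, Enabled, Expires
```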

Once you have created your key vault and some secrets or keys, they may be used in any Azure resource which has been granted access to the Azure Key Vault. That will be covered in another post.
