Azure Key Vault
Integrate Azure Key Vault with POB.
Last Updated: 26 May 2022 • Page Author: Jillur Quddus
Overview
Azure Key Vault is the native managed secrets management engine of the Azure cloud computing platform, enabling applications, services and IT resources to secure manage sensitive credentials, API keys and other secrets throughout their lifecycle. This page provides instructions on how to integrate Azure Key Vault with POB.
For further information regarding Azure Key Vault, please visit https://docs.microsoft.com/en-us/azure/key-vault/general/.
Setup
To provision an Azure Key Vault instance, visit the Key Vaults service via the Azure Portal, select "Create" and provide the required information including the desired Azure subscription and resource group to use, a custom name for the new Key Vault instance (for example myvault
), the region and pricing tier. Once created, navigate to the newly created Key Vault instance via the Azure Portal, select "Properties" and make a note of its Vault URI (of the format https://myvault.vault.azure.net
) and Directory ID / Tenant ID (similar to abcd1234-987a-1234-9b87-987654abcdef
).
Service Principal
Next we need to create a new service principal or identity (or use an existing service principal object) and grant it access to the newly created Key Vault instance, provisioned with relevant read and write privileges. To do this, install the Azure Command Line (Azure CLI) and execute the following commands:
Make a note of the appID
(client ID) and password
(client secret) returned when creating the new service principal object as these will be required when integrating POB with Azure Key Vault as described below.
Integration
Bootstrap Context
As described in Bootstrap Configuration, the configuration for the POB bootstrap context may be found in the pob-configuration
Maven module, at src/main/resources/bootstrap.yml
.
To integrate the POB Spring bootstrap context with Azure Key Vault, explicitly disable integration with HashiCorp Vault and AWS Secrets Manager before enabling integration with Azure Key Vault as follows:
The azure.keyvault configuration namespace includes the following properties that must be completed:
If you define placeholder variables in the application context which are not also defined in Azure Key Vault, then an exception will be thrown when attempting to start the relevant Spring Boot application.
For further information and properties related to loading externalised configuration from Azure Key Vault, please refer to https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault.
Application Context
As described in Application Configuration, the configuration for the POB application context may be found in the pob-configuration
Maven module, at src/main/resources/application.yml
.
As described above, assuming that the POB Spring bootstrap context has been integrated with Azure Key Vault, then all placeholder variables defined in the POB Spring application context MUST be defined as a secret managed by Azure Key Vault. For example, the following POB application configuration YAML file has been configured with placeholder variables (for example rdbms-jdbcUrl
) that will be loaded from Azure Key Vault:
All the placeholder variables defined in the example application configuration file above, for example ${slack-channel}
, ${slack-webhook}
, ${microsoft-teams-webhook}
, ${google-chat-webhook}
and ${rdbms-jdbcUrl}
(to highlight just a few), must also be defined as secrets managed by Azure Key Vault. This can be achieved via the Azure Portal as illustrated in the following screenshot:
Last updated