I would like to use Azure Key Vault to send keys to a non-Azure VM. I need this to work in automation with no manual steps

redspy 1 Reputation point
2020-07-10T16:42:04.327+00:00

I would like to use Azure Key Vault to send keys to a non-Azure VM. I need to deploy multiple VMs in an automation environment, and during the deployment/infrastructure phase I need to bootstrap these VMs to Azure Key Vault to get certificates and keys onto them. How can I authenticate them to Azure Key Vault in automation?

Our infrastructure is a mix of different cloud platforms and local servers. I really need to deploy VMs cross-platform in automation for testing, and I need the Azure Key Vault access to be automatable for these VMs. The VMs I am deploying are Windows or Linux based. I'm having trouble finding the information I'm looking for. I was thinking a provider like Terraform might help.


1 answer

Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2020-08-04T21:16:19.737+00:00

    Hi @e37c27bb-72ed-40f5-9768-79a13c83f7a2,

    You can definitely use Key Vault with non-Azure VMs. (I'm not sure what type of VM you are referring to, so the instructions may vary based on that.)

    The sample Use Application ID and X.509 certificate for non-Azure-hosted apps shows how to authenticate to a key vault when the app is hosted outside of Azure.

    This Stack Overflow post also gives a great description of how you can use Azure Key Vault to secure keys for an app running in AWS:

    // sample pseudocode for accessing Key Vault with the legacy Java SDK

    // extend KeyVaultCredentials and override doAuthenticate: the SDK calls it when
    // the vault answers 401 and expects a bearer token for the requested resource
    KeyVaultCredentials keyVaultCredentials = new KeyVaultCredentials() {
        @Override
        public Header doAuthenticate(String authorization, String resource, String scope) {
            // acquire a token from the authority in 'authorization' (e.g. via ADAL with the
            // application ID and X.509 certificate); acquireToken is pseudocode for that step
            String accessToken = acquireToken(authorization, resource);
            return new BasicHeader("Authorization", "Bearer " + accessToken);
        }
    };

    // create a configuration object and the client
    Configuration config = KeyVaultConfiguration.configure(null, keyVaultCredentials);
    KeyVaultClient myclient = KeyVaultClientService.create(config);

    // encrypt
    myclient.encryptAsync(...)

    // decrypt
    myclient.decryptAsync(...)


    Azure KeyVault has client libraries you can use to interact with KeyVault from your application. You should be able to access the Key Vault services from anywhere if you have valid credentials. For instance, there are the client libraries to interact with KeyVault Secrets in .NET, Java, Python and TypeScript. https://learn.microsoft.com/en-us/azure/key-vault/general/developers-guide

    Here is how you can retrieve a secret from KeyVault using .NET:

    using System;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    // Environment variable with the Key Vault endpoint.
    string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");

    // Create the client to interact with the service. DefaultAzureCredential tries
    // environment variables (service principal), managed identity, CLI login, etc.
    var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

    KeyVaultSecret secretWithValue = await client.GetSecretAsync("mySecret");
    Console.WriteLine(secretWithValue.Value);
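
The answer above covers the two pieces separately: authenticating from outside Azure with an application ID plus X.509 certificate, and reading a secret with the .NET SDK. The following is an added example (not code from the answer or from Microsoft's samples) that puts them together as a bootstrap program a provisioning tool would run on a freshly created non-Azure VM. It uses `ClientCertificateCredential` from Azure.Identity instead of `DefaultAzureCredential` so the credential source is explicit, and it also pulls a certificate with its private key via Azure.Security.KeyVault.Certificates, which is what the question asks for. The environment variable names, the vault URL, the secret name `app-api-key`, the certificate name `app-tls`, and the output directory are assumptions chosen for this example; `File.SetUnixFileMode` requires .NET 7 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

// Added example: bootstrap a non-Azure VM against Key Vault with a certificate-based
// service principal. All names below are assumptions for this example; the values are
// injected by the provisioning tool (Terraform provisioner, cloud-init, ...), never typed by hand.
public static class KeyVaultBootstrap
{
    public static async Task<int> Main()
    {
        try
        {
            string tenantId = Require("AZURE_TENANT_ID");
            string clientId = Require("AZURE_CLIENT_ID");
            string certPath = Require("AZURE_CLIENT_CERTIFICATE_PATH"); // PEM or PFX holding the private key
            string vaultUrl = Require("AZURE_KEYVAULT_URL");           // e.g. https://<vault-name>.vault.azure.net/
            string outDir   = Require("BOOTSTRAP_OUTPUT_DIR");         // assumed: where fetched artifacts go

            // Service principal authentication with an X.509 certificate: no client secret has
            // to be stored on the VM, and the certificate can be rotated on the app registration.
            var credential = new ClientCertificateCredential(tenantId, clientId, certPath);

            var secrets = new SecretClient(new Uri(vaultUrl), credential);
            var certificates = new CertificateClient(new Uri(vaultUrl), credential);

            // 1. A plain secret (assumed name "app-api-key"). Keep it in memory; never log the value.
            KeyVaultSecret apiKey = await secrets.GetSecretAsync("app-api-key");
            Console.WriteLine($"Fetched secret '{apiKey.Name}' (version {apiKey.Properties.Version})");

            // 2. A certificate with its private key (assumed name "app-tls"). DownloadCertificateAsync
            //    reads the secret backing the certificate and returns a usable X509Certificate2.
            X509Certificate2 tlsCert = await certificates.DownloadCertificateAsync("app-tls");
            WritePrivateFile(Path.Combine(outDir, "app-tls.pfx"), tlsCert.Export(X509ContentType.Pfx));
            Console.WriteLine($"Installed certificate {tlsCert.Thumbprint}, expires {tlsCert.NotAfter:u}");
            return 0;
        }
        catch (AuthenticationFailedException ex)
        {
            // Wrong tenant/app ID, or the certificate is not registered on the app registration.
            Console.Error.WriteLine($"Authentication to the identity platform failed: {ex.Message}");
            return 2;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The token was accepted but the principal lacks a Key Vault access policy / RBAC role.
            Console.Error.WriteLine($"Key Vault denied access: {ex.ErrorCode}");
            return 3;
        }
    }

    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"environment variable {name} is not set");

    // Write the file readable only by the current user (equivalent of chmod 600 on Linux).
    static void WritePrivateFile(string path, byte[] content)
    {
        File.WriteAllBytes(path, content);
        if (!OperatingSystem.IsWindows())
            File.SetUnixFileMode(path, UnixFileMode.UserRead | UnixFileMode.UserWrite);
    }
}
```

The one thing this cannot remove is the initial trust: the client certificate named by `AZURE_CLIENT_CERTIFICATE_PATH` still has to reach the VM out of band, which in practice means the orchestrator that creates the VM places it there, and the Key Vault access policy or RBAC assignment for that app registration is created once, ahead of time. Everything after that point is automatable. If you prefer the `DefaultAzureCredential` form shown in the answer, the same `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_CERTIFICATE_PATH` variables are what its environment-based credential reads, so the provisioning side stays identical.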