@JamesTran-MSFT ,
Thank you for the clear detailed explanation. I was able to resolve my concern now.
Connect to Azure Key-Vault with Key
Hi Team,
Can we connect to Azure Key Vault using keys? If yes, could you please share any articles or info regarding the same.
I could see articles on connecting to Azure Key-Vault using azure_client_id etc., like below
https://learn.microsoft.com/en-us/python/api/overview/azure/keyvault-secrets-readme?view=azure-python.
Is it that, to connect to Key Vault, we need to use a service principal / AD app and need AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID?
Thank you in Advance
-
Samrat 136 Reputation points
2021-01-19T14:27:04.967+00:00
JamesTran-MSFT 36,636 Reputation points Microsoft Employee
2021-01-15T00:41:59.807+00:00 @Samrat
Thank you for your post! You're correct, when you want to call the Azure Key Vault (AKV) i.e. via REST API or app, you'll need to use a Service Principal, app registration, or user with correct RBAC/access policy permissions to that AKV. You can then generate a call to the AKV by presenting a client ID and secret or a client certificate.
The Key Vault authentication flow:
1. A service principal requests to authenticate with Azure AD, for example:
- A user logs into the Azure portal using a username and password.
- An application invokes an Azure REST API, presenting a client ID and secret or a client certificate.
- An Azure resource such as a virtual machine with a managed identity contacts the Azure Instance Metadata Service (IMDS) REST endpoint to get an access token.
2. If authentication with Azure AD is successful, the service principal is granted an OAuth token.
3. The service principal makes a call to the Key Vault REST API through the Key Vault's endpoint (URI).
4. Key Vault Firewall checks the following criteria. If any criterion is met, the call is allowed. Otherwise the call is blocked and a forbidden response is returned.
- The firewall is disabled and the public endpoint of Key Vault is reachable from the public internet.
- The caller is a Key Vault Trusted Service, allowing it to bypass the firewall.
- The caller is listed in the firewall by IP address, virtual network, or service endpoint.
- The caller can reach Key Vault over a configured private link connection.
5. If the firewall allows the call, Key Vault calls Azure AD to validate the service principal's access token.
6. Key Vault checks if the service principal has the necessary access policy for the requested operation. If not, Key Vault returns a forbidden response.
7. Key Vault carries out the requested operation and returns the result.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
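The flow in the answer above, carried out by hand as an added example (this is not code from the thread, from Microsoft, or from the Azure SDK). Step 1 is shown in both flavours the answer mentions: the OAuth 2.0 client-credentials grant with AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET, and the managed-identity request to the Instance Metadata Service. Steps 3 to 7 are the bearer call to the vault's REST endpoint, with the forbidden response from step 4 or step 6 surfaced as a distinct error. The HTTP transport is injectable, so the `fake_azure` stub at the bottom (a constructed stand-in; its tokens, its `fake-client-secret`, the vault name `example.vault.azure.net` and the secret `db-password` are all made up) lets the exchange run offline; in real use the same functions run against Azure with the default urllib transport.

```python
"""Raw Key Vault authentication flow with only the standard library.
Added example (not from the Q&A thread): step 1 obtains an Azure AD token either via the
client-credentials grant or via the VM's Instance Metadata Service; steps 3-7 present that
token to the vault's REST endpoint. The HTTP transport is injectable so the exchange can be
exercised offline against the constructed stub at the bottom."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, parsed JSON body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]

KEY_VAULT_SCOPE = "https://vault.azure.net/.default"  # OAuth 2.0 scope for the Key Vault resource
KEY_VAULT_RESOURCE = "https://vault.azure.net"        # resource form expected by IMDS
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Default transport: real HTTP via urllib, returning error bodies instead of raising."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def token_from_client_secret(tenant_id: str, client_id: str, client_secret: str,
                             transport: Transport = urllib_transport) -> str:
    """Step 1, app registration flavour: OAuth 2.0 client-credentials grant against Azure AD."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": KEY_VAULT_SCOPE}).encode()
    status, body = transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"Azure AD rejected the client credentials: {status} {body.get('error')}")
    return body["access_token"]


def token_from_managed_identity(transport: Transport = urllib_transport, client_id: Optional[str] = None) -> str:
    """Step 1, managed identity flavour: IMDS issues the token, so no secret is stored on the VM."""
    params = {"api-version": "2018-02-01", "resource": KEY_VAULT_RESOURCE}
    if client_id:  # user-assigned identity; omit for the system-assigned one
        params["client_id"] = client_id
    status, body = transport("GET", IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params),
                             {"Metadata": "true"}, None)  # IMDS refuses requests without this header
    if status != 200:
        raise RuntimeError(f"IMDS did not issue a token: {status} {body}")
    return body["access_token"]


def get_secret(vault_url: str, name: str, access_token: str,
               transport: Transport = urllib_transport, api_version: str = "7.4") -> str:
    """Steps 3-7: call the vault's REST endpoint with the bearer token and return the secret value."""
    url = f"{vault_url.rstrip('/')}/secrets/{urllib.parse.quote(name)}?api-version={api_version}"
    status, body = transport("GET", url, {"Authorization": f"Bearer {access_token}"}, None)
    if status == 403:
        # Both a firewall block (step 4) and a missing access policy / RBAC role (step 6) land here.
        raise PermissionError(f"Key Vault forbade the call: {body.get('error', {}).get('message')}")
    if status != 200:
        raise RuntimeError(f"Key Vault returned {status}: {body}")
    return body["value"]


def fake_azure(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Constructed offline stand-in for Azure AD, IMDS and a vault; tokens and the secret are made up."""
    if "login.microsoftonline.com" in url:
        form = dict(urllib.parse.parse_qsl((body or b"").decode()))
        good = (form.get("grant_type") == "client_credentials" and form.get("scope") == KEY_VAULT_SCOPE
                and form.get("client_secret") == "fake-client-secret")
        return (200, {"access_token": "aad-token"}) if good else (401, {"error": "invalid_client"})
    if url.startswith(IMDS_TOKEN_URL):
        return (200, {"access_token": "msi-token"}) if headers.get("Metadata") == "true" else (400, {})
    if "/secrets/" in url:  # only the app registration has an access policy in this stub
        if headers.get("Authorization") == "Bearer aad-token":
            return 200, {"value": "db-password"}
        return 403, {"error": {"code": "Forbidden", "message": "Caller is not authorized"}}
    return 404, {}


if __name__ == "__main__":
    # Against real Azure, assuming the AZURE_* variables from the SDK README plus a vault URL in KEY_VAULT_URL.
    token = token_from_client_secret(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                                     os.environ["AZURE_CLIENT_SECRET"])
    print(get_secret(os.environ["KEY_VAULT_URL"], "db-password", token))
```

In production you would not hand-roll this: `ClientSecretCredential` and `DefaultAzureCredential` from the azure-identity package (which the linked README uses) perform step 1, including token caching and certificate-based credentials, and `SecretClient` performs the vault call. The value of seeing the raw exchange is the caveat it makes visible: a 403 from the vault does not tell you whether the caller was stopped by the firewall (step 4) or by a missing access policy or RBAC role assignment (step 6), so when a managed identity "has the right permissions" but still gets Forbidden, check the vault's networking rules before re-checking the policy.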