RafaelValente-3577 asked JamesTran-MSFT edited

Azure Key Vault secret confirmation

Hello.

So, I'm integrating Azure Key Vault with OutSystems to generate and rotate secrets that will be used to ensure secure communication between OutSystems applications and Microsoft services.
I followed this tutorial and I was able to get the secrets from Key Vault using OutSystems!
My question here is how the Microsoft services know that the secret I'm sending from the OutSystems applications is the valid secret inside the Key Vault?
Do Microsoft services need some kind of permissions to access Key Vault and get the current valid secret? Or is this secret comparison already automated, so I do not need to worry about this?

Thank you in advance.
Rafael Valente


azure-key-vault

1 Answer

JamesTran-MSFT answered JamesTran-MSFT edited

@RafaelValente-3577
Thank you for your detailed post!

My question here is how the Microsoft services know that the secret I'm sending from the OutSystems applications is the valid secret inside the Key Vault?

  • To confirm whether the secret being used by a Microsoft service is valid, this should be done with the Secret Identifier. However, in order to provide you with a better answer, can you share which Microsoft services (i.e. VMs, Storage Accounts, etc.) you're referring to, and how you're integrating OutSystems with them?


Do Microsoft services need some kind of permissions to access Key Vault and get the current valid secret? Or is this secret comparison already automated, so I do not need to worry about this?

  • Yes, the service you're using will need data plane permissions (access policies) to access the Key Vault. But depending on the service, it might be considered a Trusted service, and should be able to access the key vault to get the most current version.

  • If you're using an API, your Azure AD application will need to be added to the Key Vault access policies in order to get the current secret from the KV.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Hello @JamesTran-MSFT!

Thank you for your answer.
For now, I want to integrate with Azure Blob Storage. Therefore, I will need this service to know which secret is the valid one and to have access to the Key Vault to compare it with the secret that I am sending from OutSystems.
The integration with OutSystems is abstract for me because I'm just installing an OutSystems component already made by someone.

Regarding the permissions that Blob Storage will have to have, you said that I will have to add Blob Storage to the Key Vault permissions? Did I understand correctly?
Can you send me a link or some more data about this, please?

Thank you.


@RafaelValente-3577
Thank you for the quick response on this!

When it comes to integrating your Azure Storage Account with the Azure Key Vault, I'll share some documentation below. From the documentation, it looks like you'll be using the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet to update the Key Vault access policy and grant storage account permissions to your user account.

Links:
Manage storage account keys with Key Vault and Azure PowerShell
Assign a Key Vault access policy
Azure Key Vault Access model overview

I hope this helps!


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
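The two points in the answer above (data-plane permission for the calling identity, and checking the current secret by its Secret Identifier) can be carried out from Azure PowerShell as follows. This is an added example, not part of the thread and not OutSystems or Microsoft code; the vault name `kv-outsystems`, the app registration `outsystems-keyvault-client`, the secret `blob-storage-key` and the `OUTSYSTEMS_SECRET_VERSION` environment variable are placeholders. It only uses Az cmdlets that exist in the Az.Accounts, Az.Resources and Az.KeyVault modules (`-AsPlainText` needs Az.KeyVault 3.x or newer).

```powershell
# Added example (not from the original thread). Placeholder names: vault 'kv-outsystems',
# Azure AD app registration 'outsystems-keyvault-client', secret 'blob-storage-key' and
# the env var OUTSYSTEMS_SECRET_VERSION, which stands in for the version a client cached.
# Requires the Az.Accounts, Az.Resources and Az.KeyVault modules.

$vaultName  = 'kv-outsystems'
$appName    = 'outsystems-keyvault-client'
$secretName = 'blob-storage-key'

Connect-AzAccount | Out-Null

# 1. Data-plane permission for the identity that OutSystems authenticates as.
#    Least privilege: only get/list on secrets. No set, delete or purge, because the
#    consumer should only ever read the current version, never write or remove one.
$sp = Get-AzADServicePrincipal -DisplayName $appName
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $sp.Id `
    -PermissionsToSecrets get, list

# 2. Without -Version, Key Vault returns the current (latest enabled) version.
#    Its Id is the Secret Identifier the answer refers to:
#    https://<vault>.vault.azure.net/secrets/<name>/<version>
$current = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
"Current secret identifier: $($current.Id)"

# 3. Check whether the version a client is holding is still the valid one.
#    Compare version identifiers and metadata, never the secret values themselves.
$cachedVersion = $env:OUTSYSTEMS_SECRET_VERSION   # placeholder for what the client cached
$isCurrent  = ($cachedVersion -eq $current.Version)
$isEnabled  = [bool]$current.Enabled
$notExpired = (-not $current.Expires) -or ($current.Expires -gt (Get-Date))

if ($isCurrent -and $isEnabled -and $notExpired) {
    "Cached version $cachedVersion is current, enabled and not expired."
} else {
    Write-Warning "Cached version '$cachedVersion' is stale, disabled or expired; re-read '$secretName' from Key Vault."
}

# 4. Read the plaintext value only at the point it is actually needed ...
$value = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText

# ... and after a rotation, list all versions to audit which ones are still enabled.
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -IncludeVersions |
    Select-Object Version, Enabled, Created, Expires
```

One caveat a practitioner should keep in mind: Key Vault is the store and rotation point, but it does not perform the comparison on the receiving end. A service such as Blob Storage validates the credential it receives (for example an account key or SAS token) against what it holds itself, so the client must read the current version from Key Vault at the time it needs it, and a rotation will be followed by failures from any client still holding an old version. Disabling superseded versions, as listed in step 4, is how stale copies are made to fail quickly instead of silently.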


Hello @JamesTran-MSFT!

With the links you provided and the articles I found, I realized that for each Microsoft service that needs to be integrated with Azure Key Vault there are some differences in the way it is done, mainly because of the different services' characteristics.
Specifically about the integration of Storage with Key Vault, I confused myself in understanding that the Storage service is actually Azure Blob Storage.
But actually, the tutorial that I followed to integrate already covered the linking between Storage and Key Vault.

Thank you for your help and time.

