Quickstart: Load application secrets using Key Vault
Note
Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.
This article applies to: ❌ Basic/Standard tier ✔️ Enterprise tier
This quickstart shows you how to securely load secrets from Azure Key Vault into apps running in Azure Spring Apps Enterprise tier.
Every application has properties that connect it to its environment and supporting services: databases, logging and monitoring tools, messaging platforms, and so on. Each resource requires a way to locate and access it, usually a URL plus credentials. Credentials must be kept secret: anyone who obtains them can reach the customer data behind them, and regulations often require that they be protected. In Azure Spring Apps, you can configure applications to load these secrets directly into memory from Key Vault by using managed identities, with Key Vault authorizing each identity through an access policy (as in this quickstart) or through Azure role-based access control. No credential has to be stored in application configuration or environment variables.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
- A license for Azure Spring Apps Enterprise tier. For more information, see View Azure Spring Apps Enterprise tier Offer in Azure Marketplace.
- The Azure CLI version 2.0.67 or higher.
- Git.
- jq
- The Azure Spring Apps Enterprise tier extension (3.0.0 or later). Use the following commands to remove previous versions and install the latest Enterprise tier extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches.

  ```bash
  az extension remove --name spring
  az extension add --name spring
  az extension remove --name spring-cloud
  ```
- Complete the steps in the following quickstarts:
Provision Key Vault and store secrets
The following instructions describe how to create a Key Vault and securely save application secrets.
Use the following command to create a Key Vault to store application secrets:

```bash
az keyvault create \
    --resource-group <resource-group-name> \
    --name <key-vault-name>
```

Use the following command to store the full database server name in Key Vault:

```bash
az keyvault secret set \
    --vault-name <key-vault-name> \
    --name "POSTGRES-SERVER-NAME" \
    --value "<postgres-server-name>.postgres.database.azure.com"
```

Use the following command to store the database name in Key Vault for the Catalog Service application:

```bash
az keyvault secret set \
    --vault-name <key-vault-name> \
    --name "CATALOG-DATABASE-NAME" \
    --value "acmefit_catalog"
```

Use the following commands to store the database login credentials in Key Vault:

```bash
az keyvault secret set \
    --vault-name <key-vault-name> \
    --name "POSTGRES-LOGIN-NAME" \
    --value "<postgres-username>"

az keyvault secret set \
    --vault-name <key-vault-name> \
    --name "POSTGRES-LOGIN-PASSWORD" \
    --value "<postgres-password>"
```

Use the following command to store the database connection string in Key Vault for the Order Service application. The `--` in the secret name is deliberate: Key Vault secret names allow only letters, digits, and hyphens, and the .NET Key Vault configuration provider maps `--` to the `:` section separator, so the Order Service reads this secret as `ConnectionStrings:OrderContext`.

```bash
az keyvault secret set \
    --vault-name <key-vault-name> \
    --name "ConnectionStrings--OrderContext" \
    --value "Server=<postgres-server-name>;Database=acmefit_order;Port=5432;Ssl Mode=Require;User Id=<postgres-user>;Password=<postgres-password>;"
```

Use the following commands to retrieve Redis connection properties and store them in Key Vault. `az redis list-keys` returns the cache's access keys, and the connection string embeds the primary key, so treat the `REDIS_PRIMARY_KEY` variable as sensitive and don't echo it:

```bash
REDIS_HOST=$(az redis show \
    --resource-group <resource-group-name> \
    --name <redis-cache-name> | jq -r '.hostName')

REDIS_PORT=$(az redis show \
    --resource-group <resource-group-name> \
    --name <redis-cache-name> | jq -r '.sslPort')

REDIS_PRIMARY_KEY=$(az redis list-keys \
    --resource-group <resource-group-name> \
    --name <redis-cache-name> | jq -r '.primaryKey')

az keyvault secret set \
    --vault-name <key-vault-name> \
    --name "CART-REDIS-CONNECTION-STRING" \
    --value "rediss://:${REDIS_PRIMARY_KEY}@${REDIS_HOST}:${REDIS_PORT}/0"
```

If you've configured single sign-on, use the following command to store the JSON Web Key (JWK) URI in Key Vault:

```bash
az keyvault secret set \
    --vault-name <key-vault-name> \
    --name "SSO-PROVIDER-JWK-URI" \
    --value "<jwk-uri>"
```
Grant applications access to secrets in Key Vault
The following instructions describe how to grant applications deployed to Azure Spring Apps Enterprise tier access to secrets in Key Vault. Each app gets a system-assigned managed identity, and that identity is granted only `get` and `list` on secrets: no keys, no certificates, and no write permissions, which is the least privilege these apps need. These steps use Key Vault access policies; if your vault was created with Azure RBAC authorization enabled, `az keyvault set-policy` is rejected, and you should instead assign the `Key Vault Secrets User` role to each identity with `az role assignment create`.

Use the following command to enable a system-assigned managed identity for the Cart Service application:

```bash
az spring app identity assign \
    --resource-group <resource-group-name> \
    --name cart-service \
    --service <Azure-Spring-Apps-service-instance-name>
```

Use the following commands to set an access policy of `get list` on Key Vault for the Cart Service application:

```bash
CART_SERVICE_APP_IDENTITY=$(az spring app show \
    --resource-group <resource-group-name> \
    --name cart-service \
    --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId')

az keyvault set-policy \
    --name <key-vault-name> \
    --object-id ${CART_SERVICE_APP_IDENTITY} \
    --secret-permissions get list
```

Use the following command to enable a system-assigned managed identity for the Order Service application:

```bash
az spring app identity assign \
    --resource-group <resource-group-name> \
    --name order-service \
    --service <Azure-Spring-Apps-service-instance-name>
```

Use the following commands to set an access policy of `get list` on Key Vault for the Order Service application:

```bash
ORDER_SERVICE_APP_IDENTITY=$(az spring app show \
    --resource-group <resource-group-name> \
    --name order-service \
    --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId')

az keyvault set-policy \
    --name <key-vault-name> \
    --object-id ${ORDER_SERVICE_APP_IDENTITY} \
    --secret-permissions get list
```

Use the following command to enable a system-assigned managed identity for the Catalog Service application:

```bash
az spring app identity assign \
    --resource-group <resource-group-name> \
    --name catalog-service \
    --service <Azure-Spring-Apps-service-instance-name>
```

Use the following commands to set an access policy of `get list` on Key Vault for the Catalog Service application:

```bash
CATALOG_SERVICE_APP_IDENTITY=$(az spring app show \
    --resource-group <resource-group-name> \
    --name catalog-service \
    --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId')

az keyvault set-policy \
    --name <key-vault-name> \
    --object-id ${CATALOG_SERVICE_APP_IDENTITY} \
    --secret-permissions get list
```

If you've configured single sign-on, use the following command to enable a system-assigned managed identity for the Identity Service application:

```bash
az spring app identity assign \
    --resource-group <resource-group-name> \
    --name identity-service \
    --service <Azure-Spring-Apps-service-instance-name>
```

Use the following commands to set an access policy of `get list` on Key Vault for the Identity Service application:

```bash
IDENTITY_SERVICE_APP_IDENTITY=$(az spring app show \
    --resource-group <resource-group-name> \
    --name identity-service \
    --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId')

az keyvault set-policy \
    --name <key-vault-name> \
    --object-id ${IDENTITY_SERVICE_APP_IDENTITY} \
    --secret-permissions get list
```
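The two procedures above (storing secrets, then granting each app's identity read access) are repetitive and easy to get subtly wrong: a secret name with an underscore is rejected by Key Vault, a policy set before the identity exists silently targets an empty object ID, and nothing on the page checks afterwards who can actually read the vault. The following script is an added example written for this quickstart; it is not part of the page or of the acme-fitness-store sample. It assumes the Azure CLI and jq are installed and you are logged in, uses the same `az` commands as the quickstart, and the function names (`kv_secret_name_ok`, `dotnet_config_key`, `grant_secret_read`, `list_secret_readers`) are my own. It checks a secret name against Key Vault's naming rules before you store it, shows how the .NET provider will see a `--` name, grants get/list to every listed app in one loop with a check that the principal ID was really returned, and finally lists every object ID that can read secrets so you can spot over-grants.

```shell
#!/bin/sh
# Added example for this quickstart; not part of the page or the
# acme-fitness-store sample. Assumes the Azure CLI and jq are installed and
# you are logged in; vault, service instance and app names are the ones used
# in the quickstart (the <...> values are placeholders you supply).
set -eu

# Key Vault secret names may contain only letters, digits and hyphens and must
# be 1-127 characters long. Checking before 'az keyvault secret set' avoids a
# failed call that still leaves the secret value in your shell history.
kv_secret_name_ok() {
  case "$1" in
    '' | *[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 127 ]
}

# The .NET Key Vault configuration provider maps "--" in a secret name to the
# ":" section separator, so "ConnectionStrings--OrderContext" is read by the
# Order Service as "ConnectionStrings:OrderContext".
dotnet_config_key() {
  printf '%s\n' "$1" | sed 's/--/:/g'
}

# Enable the system-assigned managed identity of each app and grant that
# identity get/list on secrets (and nothing else) in the vault.
# Usage: grant_secret_read <resource-group> <service-instance> <key-vault> app...
grant_secret_read() {
  rg="$1"; svc="$2"; vault="$3"; shift 3
  for app in "$@"; do
    az spring app identity assign \
      --resource-group "$rg" --service "$svc" --name "$app" --output none
    principal=$(az spring app show \
      --resource-group "$rg" --service "$svc" --name "$app" \
      | jq -r '.identity.principalId')
    # Never call set-policy with an empty or "null" object ID.
    if [ -z "$principal" ] || [ "$principal" = null ]; then
      echo "no principalId for $app; was the identity enabled?" >&2
      return 1
    fi
    az keyvault set-policy --name "$vault" --object-id "$principal" \
      --secret-permissions get list --output none
  done
}

# Verify the grants: print every object ID whose access policy allows reading
# secrets in the vault. Anything you do not recognise here is an over-grant.
list_secret_readers() {
  az keyvault show --name "$1" \
    | jq -r '.properties.accessPolicies[]
             | select(.permissions.secrets | map(ascii_downcase) | index("get"))
             | .objectId'
}

# Runs only when invoked with arguments, for example:
#   sh grant.sh <resource-group> <service-instance> <key-vault> \
#       cart-service order-service catalog-service identity-service
if [ "$#" -ge 4 ]; then
  grant_secret_read "$@"
  list_secret_readers "$3"
fi
```

Run the script once with the resource group, service instance, vault name, and the list of apps; the final listing is the check you want to repeat whenever access policies are changed. If the vault uses Azure RBAC authorization instead of access policies, replace the `az keyvault set-policy` call with a `Key Vault Secrets User` role assignment and audit with `az role assignment list --scope <vault-resource-id>` instead.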
Update applications to load Key Vault secrets
After granting access to read secrets from Key Vault, use the following steps to update the applications to use the new secret values in their configurations. Removing each Service Connector binding also removes the connection settings that Service Connector injected into the app, so from then on the app gets those values only from Key Vault.

Use the following command to retrieve the URI for Key Vault to be used in updating applications:

```bash
KEYVAULT_URI=$(az keyvault show --name <key-vault-name> | jq -r '.properties.vaultUri')
```

Use the following command to retrieve the URL for Spring Cloud Gateway to be used in updating applications:

```bash
GATEWAY_URL=$(az spring gateway show \
    --resource-group <resource-group-name> \
    --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url')
```

Use the following command to remove the Service Connector binding the Order Service application and the Azure Database for PostgreSQL Flexible Server:

```bash
az spring connection delete \
    --resource-group <resource-group-name> \
    --app order-service \
    --connection order_service_db \
    --service <Azure-Spring-Apps-service-instance-name> \
    --deployment default \
    --yes
```

Use the following command to update the Order Service environment with the URI to access Key Vault:

```bash
az spring app update \
    --resource-group <resource-group-name> \
    --name order-service \
    --service <Azure-Spring-Apps-service-instance-name> \
    --env "ConnectionStrings__KeyVaultUri=${KEYVAULT_URI}" "AcmeServiceSettings__AuthUrl=https://${GATEWAY_URL}" "DatabaseProvider=Postgres"
```

Use the following command to remove the Service Connector binding the Catalog Service application and the Azure Database for PostgreSQL Flexible Server:

```bash
az spring connection delete \
    --resource-group <resource-group-name> \
    --app catalog-service \
    --connection catalog_service_db \
    --service <Azure-Spring-Apps-service-instance-name> \
    --deployment default \
    --yes
```

Use the following command to update the Catalog Service environment and configuration pattern to access Key Vault:

```bash
az spring app update \
    --resource-group <resource-group-name> \
    --name catalog-service \
    --service <Azure-Spring-Apps-service-instance-name> \
    --config-file-pattern catalog/default,catalog/key-vault \
    --env "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_ENDPOINT=${KEYVAULT_URI}" "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_NAME=acme-fitness-store-vault" "SPRING_PROFILES_ACTIVE=default,key-vault"
```

Use the following command to remove the Service Connector binding the Cart Service application and the Azure Cache for Redis:

```bash
az spring connection delete \
    --resource-group <resource-group-name> \
    --app cart-service \
    --connection cart_service_cache \
    --service <Azure-Spring-Apps-service-instance-name> \
    --deployment default \
    --yes
```

Use the following command to update the Cart Service environment to access Key Vault:

```bash
az spring app update \
    --resource-group <resource-group-name> \
    --name cart-service \
    --service <Azure-Spring-Apps-service-instance-name> \
    --env "CART_PORT=8080" "KEYVAULT_URI=${KEYVAULT_URI}" "AUTH_URL=https://${GATEWAY_URL}"
```

If you've configured single sign-on, use the following command to update the Identity Service environment and configuration pattern to access Key Vault:

```bash
az spring app update \
    --resource-group <resource-group-name> \
    --name identity-service \
    --service <Azure-Spring-Apps-service-instance-name> \
    --config-file-pattern identity/default,identity/key-vault \
    --env "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_ENDPOINT=${KEYVAULT_URI}" "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_NAME=acme-fitness-store-vault" "SPRING_PROFILES_ACTIVE=default,key-vault"
```

Use the following command to print the URL for Spring Cloud Gateway (the `GATEWAY_URL` variable was retrieved earlier in this section):

```bash
echo "https://${GATEWAY_URL}"
```

You can open the output URL in a browser to explore the updated application.
Clean up resources
If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

```bash
echo "Enter the Resource Group name:" &&
read resourceGroupName &&
az group delete --name $resourceGroupName &&
echo "Press [ENTER] to continue ..."
```
Next steps
Continue on to any of the following optional quickstarts: