Configure Azure Key Vault Integration

Last modified on January 3, 2024

Azure Key Vault is a cloud service for securely storing and accessing secrets like API keys, passwords, certificates, and cryptographic keys. This guide will walk you through how to integrate Key Vault with StrongDM and use the secret store integration to connect to resources.

Secret store integrations allow you to use your existing third-party secret stores with StrongDM. Your credentials are stored in a service that is controlled by you, and those credentials are never transmitted to StrongDM in any form. If you would like to learn more about how the Secret Store integration works and why you might wish to use it, please read the Secret Stores Reference.

Prerequisites

Make sure you are an account administrator in StrongDM.

In your Microsoft Entra (formerly Azure AD) permissions, your account must have a role that’s allowed to manage the Key Vault and assign a managed identity to a VM.

In your Azure subscription, your account must have the Owner role or User Access Administrator role.

See Microsoft’s documentation for more information on requirements for Microsoft Entra (formerly Azure AD) permissions and Azure subscription permissions. Without proper permissions, you will not be able to create/register an application.

Steps

Set up Key Vault

Create a Key Vault in Azure

If you haven’t already established a Key Vault, create one now. If you already have one, skip to the next step, Update access policies.

  1. From either the Azure portal menu or the Home page, click Create a resource.
  2. Search for Key Vault, and from the search results list, select Key Vault.
  3. In the Key Vault section, click Create.
  4. Set the following Key Vault properties:
    • Name: Enter a unique name for the vault.
    • Subscription: Select a subscription.
    • Resource Group: Select Create new and enter a resource group name.
    • Location: Select a location from the pull-down menu.
    • Keep the other options at their defaults.
  5. Click Next: Access Policy.
  6. Select Azure role-based access control.
  7. Click Next: Networking and ensure that the networking is configured so that the Gateway/Relay can access the vault.
  8. Select Review + create, make sure it looks OK, and then click Create.
  9. Once the deployment is complete, select go to resource.
  10. Note your Vault Name and Vault URI (e.g., https://contoso-vault2.vault.azure.net/), which will be viewable after the application has been created on the Overview section of the Vault.

Set up access to Key Vault

There are several ways to authenticate with Azure Key Vault. One of these needs to be configured in order to allow your Gateway to authenticate with the Key Vault and retrieve credentials. In this configuration guide, you will use your VM’s Managed Identity.

  • Managed Identity (this is the method recommended by StrongDM)
  • Service Principal
  • App Registration

Create a StrongDM gateway in Azure

  1. Create an Ubuntu 20.03 Azure VM.
  2. Give the VM your SSH public key.
  3. Once the VM is created, install a Relay on the machine.

Enable the VM’s managed identity

  1. Select your new Azure VM in the Azure UI.
  2. In the sidebar, under Settings, select Identity.
  3. Toggle the system-assigned managed identity status to On and save.

Update Key Vault access policies

You need to update the Key Vault’s Access Control (IAM) to allow whatever Azure user(s) or group(s) you require, as well as allow access for the managed identity of the Gateway you just created. You can learn more about this in Azure’s Managed Identities documentation.

Configure the Secret Store with the Admin UI

Once you have Key Vault set up, credentials stored, and your relay server able to access said credentials, it’s time to integrate the secret store with StrongDM.

Add secret store

  1. In the StrongDM Admin UI, go to Network > Secret Stores.
  2. Click Add secret store.
  3. On the Add Secret Store form that displays, set:
Azure Key Vault Settings
Azure Key Vault Settings
  • Display Name: Enter a name for this secret store integration. This name will be displayed in the Admin UI.
  • Secret Store Type: Select Azure Key Vault.
  • Vault URI: Set the URI of your Key Vault (e.g., https://<VAULT_NAME>.vault.azure.net/).
  1. Click Create secret store.

If you’ve configured the Relay server correctly for secret store access and authorization, you will see the green online indicator.

Add a resource, grant access to it, and test the connection

Now, create a resource that uses the secret store, grant access to it, and verify that you can connect.

  1. In the Admin UI, add a new resource, such as a Server or Datasource, and choose the Azure Key Vault Secret Store type.
  2. Fill out the information for a resource whose credentials you have stored in your secret store.
Azure Key Vault Resource
Azure Key Vault Resource
  1. Select the Azure Key Vault secret store you created for the Secret Store field, and then fill in the path to the secrets that you’ve stored in your secret store.
  2. Submit the form.
  3. Grant access to the resource so that a User can use it.
  4. Log in as that User in your local GUI (or have the User do so, if not yours).
  5. Verify that the resource exists, test a connection, and execute a query.

Congratulations, you’ve connected to a resource using secret stores.