azureazure-authenticationazure-management

Azure Service Principal - How to secure the keys


For an Azure Service Principal, we have below keys in config file

<add key="SubscriptionId" value="" />
<add key="ClientId" value="" />
<add key="ClientSecret" value="" />
<add key="TenantId" value="" />

Is there any azure key vault like service available, where we can securely keep these keys and use it based on demand?


Solution

  • The client secret is more important than the rest, which needs to be secure. Unfortunately, it is the gateway to call to your KeyVault even if you store it to KeyVault. There is not the only way to authenticate Azure AD with client secret. Instead of client secret, you can use your certificate when creating a key. Uploading that certificate will give you a thumbprint. You then need to upload your private key (aka PEM or PFX) somewhere in Azure, commonly in application or Azure App Service (ref https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load). Your application code just needs to read through the certificate (of course you need to set password for your certificate) and if thumbprint is matched, you are authorized by Azure AD.

    Other sensitive information such as storage access key, database connection string, Redis cache key, VM password or your corporate certificate can be stored in KeyVault.

    If you don't like the complex process to get access token, have a look at Managed Service Identity which lets an Azure service become a service principal itself. There is not a need for client app registration and client secret. MSI is currently in preview stage and available to some services.