Azure Key Vault
Prerequisites
First, NETWRIX recommends reading:
- Azure Key Vault's overview documentation and Basic concepts;
- how to sign in to Azure and create a vault;
- about Azure Key Vault's secrets because secrets are the data that Usercube needs to collect.
Compatible Settings
Every key from appsettings.agent.json that has a string value can be saved as a secret into Azure Key Vault.
See examples in connectors' credential protection sections.
Write Settings to the Vault
After creating the Azure Key Vault, open its page on Azure's portal and add a secret.
The important part of adding a secret in Azure Key Vault is defining its name and value:
- secret names can only contain alphanumeric characters, with a double dash (--) as the separator between configuration levels, so every key from the appsettings.agent.json file that is to be stored must itself contain only alphanumeric characters;
- a secret's value is simply the value associated with the key in the JSON file.
For example, for the Active Directory:
appsettings.agent.json
```json
{
  ...
  "Connections": {
    ...
    "ADExport": {
      "Servers": [
        {
          "Server": "paris.contoso.com",
          "BaseDN": "DC=paris,DC=com"
        },
        {
          "Server": "marseille.contoso.com",
          "BaseDN": "DC=defense,DC=marseille,DC=com"
        }
      ],
      "AuthType": "Basic",
      "Login": "login123",
      "Password": "password123",
      "Filter": "(objectclass=*)",
      "EnableSSL": "false"
    }
  }
}
```
To save the login to Azure Key Vault, create a secret whose name is Connections--ADExport--Login and whose value is login123.
To save the second server, create a secret whose name is Connections--ADExport--Servers--1--Server and whose value is marseille.contoso.com. Note that array elements are addressed by their index and that the index of the first element is 0.
Values from the Azure Key Vault take priority over the values from the appsettings files. For example, if Login exists in both Azure Key Vault and appsettings.agent.json, then the value from Azure Key Vault is used.
Once a value has been stored in the vault, remove it from appsettings.agent.json: the vault copy overrides it anyway, so leaving it in the file only keeps a plaintext copy of the credential on the agent's disk.
Configure Usercube
Connect Usercube to Azure Key Vault by adding a specific AzureKeyVault section to the agent's appsettings.json file.
For example:
appsettings.json
```json
{
  ...
  "AzureKeyVault": {
    "Vault": "https://identitymanagerkeyvault.vault.azure.net/",
    "ConnectionString": "RunAs=App;AppId={dcb9b3a4-159c-45d8-93d5-8d6d677de4a7};TenantId={7a06f56c-47a8-469b-b0c0-089ec0666bd1};AppKey={Ju4m3BWA_U~s9XVlI_btgydJ8w5wY.iD.L}"
  }
}
```
Name | Details |
---|---|
Vault (required) | Type: String. DNS name found on the vault's page in Azure's portal, usually in the format https://yourVault.vault.azure.net/ . |
ConnectionString (default value: null) | Type: String. Defines how Usercube authenticates to Microsoft Entra ID (formerly Microsoft Azure AD) to obtain the token used to read the connection keys stored in the Azure Key Vault. It concatenates a series of options; the supported forms are listed below. |

ConnectionString accepts the following values:
- null (the default): the connection is established with the current user. Warning: this user must be signed in to the Microsoft Entra ID instance and to the correct tenant. Otherwise, Usercube gets the token from Microsoft Entra ID via one of the forms below.
- RunAs=App : a managed identity. Warning: managed identity must be enabled on the Azure App Service.
- RunAs=App;AppId={ClientId of user-assigned identity} : a user-assigned managed identity.
- RunAs=App;AppId={TestAppId};KeyVaultCertificateSecretIdentifier={KeyVaultCertificateSecretIdentifier} : the application and a certificate stored as a Key Vault secret, for custom services authentication.
- RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser} : a certificate identified by its thumbprint, in the given tenant.
- RunAs=App;AppId={AppId};TenantId={TenantId};CertificateSubjectName={Subject};CertificateStoreLocation={LocalMachine or CurrentUser} : a certificate identified by its subject name (DN), in the given tenant.
- RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret} : a client secret.

With the AppKey form, the client secret that unlocks the vault sits in plaintext in appsettings.json, so the secrets in the vault are only as protected as that file. Prefer a managed identity or a certificate where the hosting environment allows it, and restrict read access to appsettings.json to the agent's service account in any case.