Accessing secrets from a central key vault for a marketplace app

  • Question

  • Hi,

    I have an ARM deployment that creates a VM, and on startup that VM runs a script that I want to be able to send email. Some Azure subscriptions (Dev & CSP for example) disable all SMTP network access, so I can't use standard SMTP mechanisms and therefore I need to use a web based email system. However I need to provide the access credentials to the email system inside the deployment, and of course I don't want to hard code the credentials either in the ARM template or in the base VM image. The obvious solution is to use an Azure Key vault to hold the credentials and retrieve them from there, however since the solution is on Marketplace, the tenant creating the VM will be different from my tenant where the Key Vault exists. 

    How can I provide secure access to my key vault so that the ARM deployment or the script running inside the VM can access secrets without making those secrets available for anyone to access? I looked at VM managed identities, but they get created inside the Azure AD of the tenant creating the resource, so I couldn't secure against those, and I obviously don't want to hard code access credentials to my key vault in the ARM template as that obviates the use of a key vault in the first place.

    Any ideas gratefully received.

    Thanks

    Mark.

    Tuesday, July 16, 2019 12:54 PM

Answers

  • Hi Mark, 

    Key vault uses Access policies to control access to the key vault. In order to assign access policy, you need an identity in the tenant where the resource is located. (In this scenario your KV) So, the VM in your client's tenant will not be able to access your KV. 

    So, you would have to use or create a user account in your client's tenant and invite that account as a guest user to your tenant. This will solve the identity problem and you can give this user access to the KV. Now, you can save this user's creds in a key vault in the client's tenant directly and give your VM access to retrieve this user's creds (using managed identity). 

    The flow will look something like this:

    1) Select/create a user in the client's tenant and invite the user to your tenant.

    2) Assign an access policy to this user to access the SMTP access creds stored in your KV.

    3) Save this user's creds in a key vault in the client's tenant.

    4) Create a VM and enable system managed identity.

    5) Give this VM access to the KV in the client's tenant.

    6) Your script runs > gets the user's creds from KV > gets a token for your tenant using these creds > uses this token to retrieve the SMTP access creds.

    I know this is not an ideal solution but this should work. Hope this helps.

    Wednesday, July 17, 2019 11:54 AM
    Moderator
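Step 6 of the flow above, written out as an added example that is not code from this thread or from Microsoft. It runs on the VM and chains the two vaults: the system-assigned managed identity obtains a token from the IMDS endpoint, reads a bootstrap credential from the key vault in the client's tenant, exchanges that credential for a token valid in the vendor's tenant, and finally reads the SMTP credential from the vendor's vault. One technique is swapped in: instead of a guest user's password (a resource-owner password grant puts a user password in a script, which is discouraged), the bootstrap credential is assumed to be a service principal's client id and secret registered in the vendor tenant, used with the OAuth2 client-credentials grant. All vault URLs, the tenant id and the secret names are constructed placeholders; the `transport` parameter exists so the HTTP layer can be swapped for a fake when testing.

```python
"""Chained Key Vault retrieval across tenants (added example; all names are placeholders)."""
import json
import urllib.parse
import urllib.request

# Constructed values for this example; replace with your own.
CLIENT_TENANT_VAULT = "https://client-kv.vault.azure.net"   # KV in the customer's tenant (assumed name)
VENDOR_TENANT_VAULT = "https://vendor-kv.vault.azure.net"   # KV in your (the vendor's) tenant (assumed name)
VENDOR_TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant id
BOOTSTRAP_SECRET_NAME = "vendor-app-credential"             # JSON {"client_id": ..., "client_secret": ...}
SMTP_SECRET_NAME = "smtp-api-key"                           # the secret you actually want

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KV_RESOURCE = "https://vault.azure.net"
KV_API_VERSION = "7.0"


def urllib_transport(method, url, headers, data=None):
    """Default HTTP transport: performs the request and returns the body as text."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def managed_identity_token(resource, transport=urllib_transport):
    """Step 5/6: ask the VM's system-assigned managed identity (via IMDS) for a token."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    body = transport("GET", f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    return json.loads(body)["access_token"]


def get_secret(vault_url, name, token, transport=urllib_transport):
    """Read one Key Vault secret; the caller's access policy decides whether this succeeds."""
    url = f"{vault_url}/secrets/{urllib.parse.quote(name)}?api-version={KV_API_VERSION}"
    body = transport("GET", url, {"Authorization": f"Bearer {token}"})
    return json.loads(body)["value"]


def client_credentials_token(tenant_id, client_id, client_secret, transport=urllib_transport):
    """Exchange the bootstrap credential for a token in the vendor tenant (client-credentials grant)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{KV_RESOURCE}/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return json.loads(body)["access_token"]


def fetch_smtp_credentials(transport=urllib_transport):
    """Full chain: managed identity -> client KV -> vendor token -> vendor KV -> SMTP credential."""
    mi_token = managed_identity_token(KV_RESOURCE, transport)
    bootstrap = json.loads(get_secret(CLIENT_TENANT_VAULT, BOOTSTRAP_SECRET_NAME, mi_token, transport))
    vendor_token = client_credentials_token(
        VENDOR_TENANT_ID, bootstrap["client_id"], bootstrap["client_secret"], transport)
    return get_secret(VENDOR_TENANT_VAULT, SMTP_SECRET_NAME, vendor_token, transport)


if __name__ == "__main__":
    creds = fetch_smtp_credentials()
    # Never write the secret itself to logs or console output.
    print("retrieved SMTP credential, length", len(creds))
```

Two points follow from the chain itself: the bootstrap credential in the client's vault is a long-lived secret that the client's tenant administrators can read, so the access policy on the vendor vault should grant that identity nothing beyond Get on the one SMTP secret, and the credential should be rotated on a schedule; and the managed identity needs only Get on the single bootstrap secret in the client's vault, not list or management rights.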

All replies

  • Hi,

    Thanks for the feedback. I'd hoped there could be a way of automating this as part of the Marketplace ARM Template Deployment - I can create a Key Vault and secrets as part of the deployment, but I can't automatically grant that access to my KV.

    I guess I'll just have to hard code things into my ARM template instead :-(

    Thanks,

    Mark.

    Monday, July 22, 2019 1:21 PM
  • I'm following up on this, please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Thanks
    Friday, July 26, 2019 10:52 PM
    Moderator
  • Since the solution has been resolved, would it be fine to go ahead and mark Manoj's answer as answer? Or do you have any more questions within the scope of this thread? 
    Tuesday, July 30, 2019 11:32 PM
    Moderator