On-prem Application authentication against Key Vault

  • Question

  • I have an on-prem application that I would like to integrate with Key Vault to store the application secrets. Upon analyzing the solutions, I find the following ways to authenticate against Azure AD, and the recommended way is to use Managed Identities.

    https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts#authentication

    However, I find that Managed Identity authentication is not an option for applications deployed on-prem. Can anyone please clarify?
    If it's possible, can you please direct me to documentation or a sample?

    I really appreciate the help, thank you!
    Sunday, May 3, 2020 2:14 AM

Answers

  • Yes, that is correct, you cannot use managed identities for on-premises applications. Managed identities are available for Azure resources as it is a feature of Azure AD, and here is the list of resources currently supported for managed identities. For your on-premises applications you need to create a Service Principal and then assign that service principal access to Azure Key Vault using an access control policy. Please refer to this documentation for assigning permissions to Key Vault using an access control policy.
    Monday, May 4, 2020 11:24 PM

All replies

  • Thank you Saurabh for the clarification.

    As you suggested in the referenced links above, I shall do the below steps to authenticate against Azure AD and get access to Key Vault.

    1. Register the on-prem application in Azure App Registration to get client Id, tenant id and secret.
    2. Grant API Permission to Azure Key Vault Service (Service Principals?) under the App registrations.
    3. Add Access Policy to grant key/secret/certificate permissions in the respective Key Vault Resource (Example - abcd-key-vault)
    4. Retrieve access token using MSAL Library using above client ID/tenant id and secret to authenticate the on-prem application.
    5. Access 'abcd-key-vault' key vault resource using Azure Key Vault Rest API Services through the step 4 access token from the on-prem application

    Please correct me on the steps above if otherwise. thank you for the guidance and really appreciate it.

    Tuesday, May 5, 2020 12:00 AM
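The five steps above, carried through as an added example that is not part of the thread: a service principal (client ID, tenant ID, client secret from the app registration) obtains a token with MSAL's client-credentials flow, and the on-prem app then reads one secret from the `abcd-key-vault` vault named in the thread over the Key Vault REST API. The tenant and client IDs, the secret name `db-password`, the `api-version=7.0` query value and the `http_get` hook (which lets the REST call be exercised with a constructed response) are assumptions of this example; the access policy from step 3 must grant at least `get` on secrets for the service principal or the vault returns a `Forbidden` error, which the code surfaces.

```python
"""Added example (not from the thread): on-prem app -> Azure AD client credentials
-> Azure Key Vault REST API. Names marked 'placeholder' are assumptions."""
import json
import os
import urllib.request
from typing import Callable, Dict, Optional

# Scope for a client-credentials token that Key Vault accepts (v2.0 endpoint form).
KEY_VAULT_SCOPE = "https://vault.azure.net/.default"
# Assumed REST API version; newer versions use the same secret-read shape.
API_VERSION = "7.0"

HttpGet = Callable[[str, Dict[str, str]], str]


def authority_url(tenant_id: str) -> str:
    """Azure AD authority for the tenant the app was registered in (step 1)."""
    return f"https://login.microsoftonline.com/{tenant_id}"


def secret_url(vault_name: str, secret_name: str, version: str = "") -> str:
    """Key Vault REST URL for one secret; omitting the version returns the latest."""
    base = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
    if version:
        base += f"/{version}"
    return f"{base}?api-version={API_VERSION}"


def acquire_token_msal(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Step 4: client-credentials token via MSAL for the Key Vault resource scope."""
    import msal  # imported lazily so the module loads where msal is not installed

    app = msal.ConfidentialClientApplication(
        client_id, authority=authority_url(tenant_id), client_credential=client_secret
    )
    result = app.acquire_token_for_client(scopes=[KEY_VAULT_SCOPE])
    if "access_token" not in result:
        # MSAL reports failures as error/error_description instead of raising.
        raise RuntimeError(
            f"token request failed: {result.get('error')}: {result.get('error_description')}"
        )
    return result["access_token"]


def parse_secret_response(body: str) -> str:
    """Extract the secret value from a Key Vault GET /secrets response body."""
    data = json.loads(body)
    if "error" in data:  # Key Vault error shape: {"error": {"code": ..., "message": ...}}
        err = data["error"]
        raise RuntimeError(f"Key Vault error {err.get('code')}: {err.get('message')}")
    if "value" not in data:
        raise RuntimeError("unexpected Key Vault response: no 'value' field")
    return data["value"]


def _urllib_get(url: str, headers: Dict[str, str]) -> str:
    """Real HTTP GET used when no hook is supplied."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def get_secret(vault_name: str, secret_name: str, token: str,
               http_get: Optional[HttpGet] = None) -> str:
    """Step 5: call the Key Vault REST API with the bearer token from step 4."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    fetch = http_get if http_get is not None else _urllib_get
    return parse_secret_response(fetch(secret_url(vault_name, secret_name), headers))


if __name__ == "__main__":
    # The client secret is read from the environment rather than hard-coded so it
    # never lands in source control; the variable names are placeholders.
    tok = acquire_token_msal(
        os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_CLIENT_SECRET"]
    )
    print(get_secret("abcd-key-vault", "db-password", tok))
```

Keeping the token acquisition and the REST call in separate functions means the vault access can be tested against a constructed response (a `{"value": ...}` body, or a `{"error": {"code": "Forbidden"}}` body for a missing access policy) without a tenant, and the same `get_secret` works unchanged with a real MSAL token.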
  • Yes, that is correct.

    Please let me know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply. This will help other community members facing similar query to refer to this solution. Thanks.

    Tuesday, May 5, 2020 12:05 AM