CloudTruth Documentation
Copyright© 2023 CloudTruth
Azure Key Vault


Last updated 2 years ago

Azure Key Vault stores secrets that can be retrieved by virtual machines and containers running in Azure to manage dynamic application configuration. When you integrate CloudTruth with your Azure Account, CloudTruth will exist in your Azure Active Directory as an Enterprise Application, and will show up in the list of service principals that you can assign access rights to.

Prerequisites

  • An Azure account. If you don't have one, you can sign up for a free trial.

  • A Microsoft business email account. For registering Azure to CloudTruth, a personal Outlook email account will not work.

Registering the CloudTruth Application

When you add an Azure Key Vault integration, the CloudTruth application is registered in your Azure account. CloudTruth does not create any additional resources in your Azure account, and CloudTruth cannot access any resources unless you explicitly grant that access using Azure IAM. This application registration can be added only with your consent. To initiate that consent, add an Azure Key Vault integration (in this example, we'll add one to the "Tuono" organization):

After you authenticate with Azure, you will be presented with a consent form to register the CloudTruth application in your Azure account:

Please note that at the time of writing this, you must use an Office 365 business account. You cannot use a personal Outlook account to register.

Once you consent to registering the application, you are returned to the CloudTruth application where you can supply the Key Vault name that you want CloudTruth to use:

Finally, once you submit this form, CloudTruth will finalize the integration and test access to the Key Vault to confirm that permissions are correct. For a Key Vault that exists but has not yet had its Azure IAM permissions updated, the result may look like this:

Configuring Azure Access Control

Azure Key Vaults have two permission models: Access Policies and Azure Role-Based Access Control (RBAC). In either case you need to grant the CloudTruth application secrets access to your Key Vault. We recommend Azure Role-Based Access Control, but either model will work. In the following example the Key Vault is using Azure Role-Based Access Control:

In the Azure Portal, navigate to your Key Vault and add a Role Assignment for the CloudTruth application so that it can access your data. If you are using Azure Role-Based Access Control, follow these instructions; otherwise, grant secrets access through the Access Policies page:

Select a role for CloudTruth. Be sure to choose one of the correct roles for secrets access:

Then select the CloudTruth application:

Now back in the CloudTruth application, click the status refresh icon next to the integration error:

If you configured access control properly, the integration status will show as Connected:
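The same role assignment from the Azure CLI, as an added example (not CloudTruth's or Microsoft's own tooling). It assumes `az` is installed and logged in, that the enterprise application appears in your directory under the display name "CloudTruth", and that an import only reads secrets while a push also writes them; the role names are Azure's built-in Key Vault roles, and the assignment is scoped to the single vault named in the integration form rather than to the subscription.

```shell
#!/usr/bin/env sh
# Added example: grant the CloudTruth service principal least-privilege
# secrets access to one Key Vault with Azure CLI. Assumptions: "az" is logged
# in; the enterprise application is named "CloudTruth"; import = read only,
# push = read and write (assumed mapping, not stated by CloudTruth).

# Narrowest built-in role for what CloudTruth will do with the vault.
secrets_role_for_action() {
    case "$1" in
        import) printf '%s\n' "Key Vault Secrets User" ;;     # read secret contents
        push)   printf '%s\n' "Key Vault Secrets Officer" ;;  # read and write secrets
        *)      printf 'unknown action: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Resource ID of the vault. Assigning at this scope (not subscription or
# resource group) limits CloudTruth to the one vault you chose in the form.
keyvault_scope() {
    # $1 subscription id, $2 resource group, $3 vault name
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' \
        "$1" "$2" "$3"
}

# Look up the CloudTruth service principal and assign the role at vault scope.
assign_cloudtruth_role() {
    # $1 action (import|push), $2 subscription id, $3 resource group, $4 vault name
    role=$(secrets_role_for_action "$1") || return 1
    scope=$(keyvault_scope "$2" "$3" "$4")
    # Object id of the enterprise application ("id"; older CLIs expose it as "objectId").
    sp_id=$(az ad sp list --display-name "${CLOUDTRUTH_APP_NAME:-CloudTruth}" \
        --query '[0].id' -o tsv)
    [ -n "$sp_id" ] || { echo "CloudTruth service principal not found; finish the consent step first" >&2; return 1; }
    az role assignment create --assignee-object-id "$sp_id" \
        --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" >/dev/null
    # Audit: list every role CloudTruth now holds on this vault.
    az role assignment list --assignee "$sp_id" --scope "$scope" \
        --query '[].roleDefinitionName' -o tsv
}

# Only contact Azure when the CLI is present and the vault is identified via
# environment variables; otherwise the helper functions are merely defined.
if command -v az >/dev/null 2>&1 && [ -n "${AZ_SUBSCRIPTION:-}" ] && \
   [ -n "${AZ_RESOURCE_GROUP:-}" ] && [ -n "${KEY_VAULT_NAME:-}" ]; then
    assign_cloudtruth_role "${CLOUDTRUTH_ACTION:-import}" \
        "$AZ_SUBSCRIPTION" "$AZ_RESOURCE_GROUP" "$KEY_VAULT_NAME"
fi
```

After it runs, the final `az role assignment list` output is what to compare against the Connected status in the CloudTruth portal: exactly one secrets role, on exactly one vault.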

Removing the Integration

In the CloudTruth portal you can delete the Key Vault integration.

In the Azure Console you can navigate to:

  • Azure Active Directory

    • App Registrations

      • CloudTruth

From there, you can delete the registration in your Azure account.

Now you can use import or push actions to move content to and from your Key Vault.
