Azure Key Vault
Azure Key Vault stores secrets that can be retrieved by virtual machines and containers running in Azure to manage dynamic application configuration. When you integrate CloudTruth with your Azure Account, CloudTruth will exist in your Azure Active Directory as an Enterprise Application, and will show up in the list of service principals that you can assign access rights to.
When you add an Azure Key Vault integration, the CloudTruth application will be registered into your Azure account. CloudTruth does not create any additional resources in your Azure account, and CloudTruth cannot access any resources unless you explicitly grant that access using Azure IAM. This application registration can be added only with your consent. To initiate that consent, add an Azure Key Vault integration (in this example, we'll add one to the "Tuono" organization):
CloudTruth - Azure Key Vault Integration
After you authenticate with Azure you will be presented with a consent form to register the CloudTruth application in your Azure account:
Azure OAuth2 Application Install Consent Form
Please note that at the time of writing this, you must use an Office 365 business account. You cannot use a personal Outlook account to register.
Once you consent to registering the application, you are returned to the CloudTruth application where you can supply the Key Vault name that you want CloudTruth to use:
Selecting the Key Vault
Finally, once you submit this form, CloudTruth will finalize the integration and test the Key Vault access to see if permissions are correct. For a Key Vault that exists, but has not yet had the Azure IAM permissions updated, it may look like this:
Integration Error: No Permission
Azure Key Vault supports two permission models: Azure role-based access control (RBAC) and vault access policies. In either case you need to grant the CloudTruth application secrets access to your Key Vault. We recommend you use Azure role-based access control, but either mode will work. In the following example the Key Vault is using Azure role-based access control:
Selecting Azure Role Based Access Control
In the Azure Portal, navigate to your Key Vault and add a Role Assignment for the CloudTruth application so that it can access your data. If you are using Azure role-based access control, follow these instructions; otherwise, you can add secrets access through the Access Policies page:
Azure Portal: Key Vault IAM
Select a role for CloudTruth. Be sure to choose one of the correct roles for secrets access:
Azure Key Vault Secrets Roles
Then select the CloudTruth application:
Assigning an Azure IAM Role
Now back in the CloudTruth application, click the status refresh icon next to the integration error:
If you configured access control properly, the integration status will show as Connected:
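Before you click refresh, the same check can be made from the role-assignment side. The following Python is an added example, not CloudTruth's code: it walks a list of role assignments (constructed here, in the field shape of `az role assignment list -o json`, with placeholder IDs) and reports whether the CloudTruth service principal holds a role that actually grants secret reads at a scope covering the vault, flagging Key Vault Reader because that role exposes only metadata.

```python
# Check whether a service principal holds a role that grants Key Vault secret
# reads at a scope covering a given vault (Azure RBAC permission model).
# Built-in roles whose data-plane permissions include reading secret values.
SECRETS_ROLES = {
    "Key Vault Secrets User",     # read secret values only (least privilege)
    "Key Vault Secrets Officer",  # read and manage secrets
    "Key Vault Administrator",    # every data-plane operation
}
# Roles that look sufficient but expose only metadata, not secret values.
METADATA_ONLY_ROLES = {"Key Vault Reader", "Reader"}

def scope_covers(assignment_scope: str, vault_id: str) -> bool:
    """RBAC inherits downward: a subscription or resource-group assignment covers
    every vault beneath it. Compare on path boundaries so '/subscriptions/abc'
    does not cover '/subscriptions/abcd'."""
    a = assignment_scope.rstrip("/").lower()
    v = vault_id.rstrip("/").lower()
    return v == a or v.startswith(a + "/")

def secrets_access(assignments, principal_id, vault_id):
    """Return (granted, granting_roles, metadata_only_roles) for one principal."""
    granting, metadata_only = [], []
    for ra in assignments:
        if ra["principalId"] != principal_id or not scope_covers(ra["scope"], vault_id):
            continue
        role = ra["roleDefinitionName"]
        if role in SECRETS_ROLES:
            granting.append(role)
        elif role in METADATA_ONLY_ROLES:
            metadata_only.append(role)
    return bool(granting), granting, metadata_only

# Constructed sample in the field shape of `az role assignment list -o json`;
# all IDs are placeholders, not values from a real tenant.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT = SUB + "/resourceGroups/tuono-rg/providers/Microsoft.KeyVault/vaults/tuono-kv"
SP = "11111111-1111-1111-1111-111111111111"  # CloudTruth service principal object ID
SAMPLE = [
    # Looks right, but Key Vault Reader cannot read secret contents.
    {"principalId": SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Reader", "scope": VAULT},
    # Correct role, but assigned on a resource group that does not hold this vault.
    {"principalId": SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User", "scope": SUB + "/resourceGroups/other-rg"},
]

if __name__ == "__main__":
    granted, roles, meta = secrets_access(SAMPLE, SP, VAULT)
    print(f"secrets access: {granted}; granting: {roles}; metadata-only: {meta}")
```

Both sample assignments fail the check, which is the "No Permission" state shown earlier; adding Key Vault Secrets User at the vault, resource group or subscription scope turns it green.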
In the CloudTruth portal you can delete the Key Vault integration.
In the Azure Console you can navigate to:
- Azure Active Directory
- App Registrations
From there, you can delete the registration in your Azure account.