Sign InAPIIntegrationsGitHub

Azure Key Vault

Azure Key Vault stores secrets that can be retrieved by virtual machines and containers running in Azure to manage dynamic application configuration. When you integrate CloudTruth with your Azure Account, CloudTruth will exist in your Azure Active Directory as an Enterprise Application, and will show up in the list of service principals that you can assign access rights to.

Prerequisites

  • An Azure account. If you don't have one, you can sign up for a free trial here.

  • A Microsoft business email account. For registering Azure to CloudTruth, a personal Outlook email account will not work.

Registering the CloudTruth Application

When you add an Azure Key Vault integration, the CloudTruth application will be registered into your Azure account. CloudTruth does not create any additional resources in your Azure account, and CloudTruth cannot access any resources unless you explicitly grant that access using Azure IAM. This application registration can added only with your consent. To initiate that consent, add an Azure Key Vault integration (in this example, we'll add one to the "Tuono" organization):

CloudTruth - Azure Key Vault Integration

After you authenticate with Azure you will be presented with a consent form to register the CloudTruth application in your Azure account:

Azure OAuth2 Application Install Consent Form

Please note that at the time of writing this, you must use an Office 365 business account. You cannot use a personal Outlook account to register.

Once you consent to registering the application, you are returned to the CloudTruth application where you can supply the Key Vault name that you want CloudTruth to use:

Selecting the Key Vault

Finally, once you submit this form, CloudTruth will finalize the integration and test the Key Vault access to see if permissions are correct. For a Key Vault that exists, but has not yet had the Azure IAM permissions updated, it may look like this:

Integration Error: No Permission

Configuring Azure Access Control

Azure Key Vaults have two types of access policies. In either case you need to grant the CloudTruth application secrets access to your Key Vault. We recommend you use Azure Role Based Access Control, however either mode will work. In the following example the Key Vault is using Azure Role-Based Access Control:

Selecting Azure Role Based Access Control

In the Azure Portal console if you navigate to your Key Vault, you can add a Role Assignment for the CloudTruth application so that it can access your data. If you are using Azure Role Based Access Control follow these instructions, otherwise you can add secrets access through the Access Policies page:

Azure Portal: Key Vault IAM

Select a role for CloudTruth. Be sure to choose one of the correct roles for secrets access:

Azure Key Vault Secrets Roles

Then select the CloudTruth application:

Assigning an Azure IAM Role

Now back in the CloudTruth application, click the status refresh icon next to the integration error:

Status Refresh

If you configured access control properly, the integration status will show as Connected:

Connected Integration

Now you can use import or push actions to move content from and to your Key Vault.

Removing the Integration

In the CloudTruth portal you can delete the Key Vault integration.

In the Azure Console you can navigate to:

  • Azure Active Directory

    • App Registrations

      • CloudTruth

From there, you can delete the registration in your Azure account.

PreviousSecrets ManagerNextBitbucket Pipelines

Last updated

Was this helpful?