.png%3Falt%3Dmedia%26token%3Df1ea80d6-51a3-4edb-bfba-3349a6b8cf8f)
.png%3Falt%3Dmedia%26token%3Df1ea80d6-51a3-4edb-bfba-3349a6b8cf8f)
Azure Key Vault
Azure Key Vault stores secrets that can be retrieved by virtual machines and containers running in Azure to manage dynamic application configuration. When you integrate CloudTruth with your Azure Account, CloudTruth will exist in your Azure Active Directory as an Enterprise Application, and will show up in the list of service principals that you can assign access rights to.
Registering the CloudTruth Application
When you add an Azure Key Vault integration, the CloudTruth application will be registered into your Azure account. CloudTruth does not create any additional resources in your Azure account, and CloudTruth cannot access any resources unless you explicitly grant that access using Azure IAM. This application registration can added only with your consent. To initiate that consent, add an Azure Key Vault integration (in this example, we'll add one to the "Tuono" organization):
.png?alt=media)
CloudTruth - Azure Key Vault Integration
After you authenticate with Azure you will be presented with a consent form to register the CloudTruth application in your Azure account:
.png?alt=media)
Azure OAuth2 Application Install Consent Form
Once you consent to registering the application, you are returned to the CloudTruth application where you can supply the Key Vault name that you want CloudTruth to use:
Selecting the Key Vault
Finally once you submit this form, CloudTruth will finalize the integration and test the Key Vault access to see if permissions are correct. For a Key Vault that exists, but has not yet had the Azure IAM permissions updated, it may look like this:
.png?alt=media)
Integration Error: No Permission
Configuring Azure Access Control
Azure Key Vaults have two types of access policies. In either case you need to grant the CloudTruth application secrets access to your Key Vault. We recommend you use Azure Role Based Access Control, however either mode will work. In the following example the Key Vault is using Azure Role-Based Access Control:
.png?alt=media)
Selecting Azure Role Based Access Control
In the Azure Portal console if you navigate to your Key Vault, you can add a Role Assignment for the CloudTruth application so that it can access your data. If you are using Azure Role Based Access Control follow these instructions, otherwise you can add secrets access through the Access Policies page:
.png?alt=media)
Azure Portal: Key Vault IAM
Select a role for CloudTruth. Be sure to choose one of the correct roles for secrets access:
.png?alt=media)
Azure Key Vault Secrets Roles
Then select the CloudTruth application:
.png?alt=media)
Assigning an Azure IAM Role
Now back in the CloudTruth application, click the status refresh icon next to the integration error:
.png?alt=media)
Status Refresh
If you configured access control properly, the integration status will show as Connected:
.png?alt=media)
Connected Integration
Removing the Integration
In the CloudTruth portal you can delete the Key Vault integration.
In the Azure Console you can navigate to:
- Azure Active Directory
- App Registrations
- CloudTruth
From there, you can delete the registration in your Azure account.
Last modified 23d ago