Integrate with Azure Key Vault
- Karl Henselin
- Abhishek Jadhav (Unlicensed)
- Victor Krieg
- Chandresh Patel
FlexDeploy provides out of box integration with Azure Key Vault to retrieve secrets. FlexDeploy will authenticate using the OAuth 2.0 authentication method.
Azure Key Vault Setup
Create new App registration in the Azure Portal. You can leave the Redirect URL blank.
Create a new Client Secret in the Certificates & secrets section in the created app registration.
Copy the secret as this is the last chance you have to do so.
Provide the Key Vault Secrets User role to the created app registration in the desired Key Vault's Access policies section (for Vault access policy) or Access control (IAM) section (for Azure role-based access control).
Here are screenshots for IAM setup.
FlexDeploy Setup
You must first create a Credential Store in FlexDeploy by clicking the + Create button on Configuration - Integration - Credential Store page. The credential store represents an instance of a specific type of credential store provider. If you have more than one Azure Key Vault, you will create an equal number of Credential Stores in FlexDeploy.
Here are the configurations necessary for this store.
Property Name | Notes | Example |
|---|---|---|
Vault URL | HTTP URL for Azure Key Vault. | https://mycompany.vault.azure.net |
Tenant ID | Azure Tenant ID or Directory ID. | as per your Vault configurations |
Client ID | The Application ID of the application registered in the Azure Portal. | as per your Vault configurations |
Client Secret | Client Secret generated in Azure Portal. | as per your Vault configurations |
Azure Resource | The App ID URI of the target web API. | https://vault.azure.net/ |
Grant Type | Authentication Credential Grant Type. | client_credentials |
API Version | Version of the Azure REST API. | 2016-10-01 |
Now you are ready to create an individual credential to be retrieved from the Key Vault.
You can 1:create or 2:edit credentials from the Credentials page or from where the specific credential is used.
Azure Key Vault Credential requires input as described below.
Input Name | Notes |
|---|---|
Secret Name | Secret name for secret value. Secret names can also be entered in the format SecretName/Version to retrieve a specific version of the secret. |
Here is what the edit credential popup looks like.
Create credential looks similar except you need to provide Scope as well. The scope can not be changed once the credential is saved.
You can change credential inputs (Secret Name) at any point. FlexDeploy will use these inputs with credential store properties like Vault URL, Client ID, and Client Secret to retrieve individual credentials for use during Workflow Execution.
- style