Getting Started with Azure Key Vault
What is Azure Key Vault?
Azure Key Vault is a cloud service for securely storing and accessing secrets, encryption keys, and certificates. It helps solve the following problems:
- Secrets Management: Securely store tokens, passwords, API keys, and other secrets
- Key Management: Create and control encryption keys for your data
- Certificate Management: Provision, manage, and deploy SSL/TLS certificates
- Hardware Security Module (HSM) Support: Protect keys with FIPS 140-2 Level 2 validated HSMs
How to Use It
Creating a Key Vault
Using Azure CLI
# Create resource group
az group create --name rg-keyvault --location eastus
# Create Key Vault with soft delete and purge protection
az keyvault create \
--name kv-myapp-prod \
--resource-group rg-keyvault \
--location eastus \
--enable-soft-delete true \
--enable-purge-protection true \
--retention-days 90
Using Azure Portal
- Navigate to Key Vault in Azure Portal
- Click + Create
- Select subscription and resource group
- Enter unique vault name (3-24 characters, alphanumeric and hyphens)
- Choose region and pricing tier (Standard or Premium with HSM)
- Configure Access Configuration (Azure RBAC recommended over legacy access policies)
- Enable Soft delete (90-day retention recommended)
- Enable Purge protection for production vaults
- Review and create
Storing and Retrieving Secrets
# Store a secret
az keyvault secret set \
--vault-name kv-myapp-prod \
--name db-connection-string \
--value "Server=myserver;Database=mydb;User=admin;Password=P@ssw0rd"
# Retrieve a secret
az keyvault secret show \
--vault-name kv-myapp-prod \
--name db-connection-string \
--query value -o tsv
# List all secrets
az keyvault secret list --vault-name kv-myapp-prod -o table
Managing Encryption Keys
# Create an encryption key
az keyvault key create \
--vault-name kv-myapp-prod \
--name my-encryption-key \
--protection software \
--kty RSA \
--size 2048
# For HSM-protected keys (Premium tier only)
az keyvault key create \
--vault-name kv-myapp-prod \
--name my-hsm-key \
--protection hsm \
--kty RSA-HSM \
--size 4096
Terraform Example
# Create Key Vault
resource "azurerm_key_vault" "main" {
  name                = "kv-${var.project}-${var.environment}"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"

  # Security features
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  # Network security
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    ip_rules                   = ["203.0.113.0/24"]
    virtual_network_subnet_ids = [azurerm_subnet.private.id]
  }

  # Enable Azure RBAC for data plane
  enable_rbac_authorization = true
}

# Store a secret
resource "azurerm_key_vault_secret" "db_password" {
  name         = "database-password"
  value        = random_password.db_password.result
  key_vault_id = azurerm_key_vault.main.id
}

# Grant access using RBAC (recommended)
resource "azurerm_role_assignment" "secrets_user" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
CI/CD Integration
GitHub Actions
name: Deploy with Key Vault Secrets
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Azure Login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: Get secrets from Key Vault
        uses: azure/get-keyvault-secrets@v1
        with:
          keyvault: "kv-myapp-prod"
          secrets: 'db-connection-string, api-key, storage-account-key'
        id: keyvault
      - name: Use secrets in deployment
        run: |
          echo "Deploying with connection string"
          # Secrets available as: ${{ steps.keyvault.outputs.db-connection-string }}
Azure DevOps
variables:
  - group: KeyVaultSecrets # Variable group linked to Key Vault
steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: 'Production'
      KeyVaultName: 'kv-myapp-prod'
      SecretsFilter: '*'
      RunAsPreJob: true
Best Practices
Use Managed Identities for Access
❌ Avoid: Storing Key Vault credentials in application code or environment variables
✅ Use: Assign a Managed Identity to your application and grant it Key Vault permissions
# Assign system-assigned managed identity to VM
az vm identity assign \
--resource-group rg-app \
--name vm-app-01
# Grant Key Vault Secrets User role
az role assignment create \
--role "Key Vault Secrets User" \
--assignee <managed-identity-principal-id> \
--scope /subscriptions/{sub-id}/resourceGroups/rg-keyvault/providers/Microsoft.KeyVault/vaults/kv-myapp-prod
Enable Soft Delete and Purge Protection
- Soft Delete: Retains deleted vaults and secrets for 7-90 days (90 recommended)
- Purge Protection: Prevents permanent deletion during retention period
- Critical for Production: Always enable both for production environments
Use Azure RBAC Over Access Policies
- Modern Approach: Azure RBAC provides centralized access management
- Granular Control: Built-in roles like Key Vault Secrets User, Key Vault Crypto Officer
- Consistency: Same access control model as other Azure resources
Implement Network Security
# Restrict access to specific networks
az keyvault network-rule add \
--name kv-myapp-prod \
--resource-group rg-keyvault \
--vnet-name vnet-prod \
--subnet subnet-app
# Set default action to deny
az keyvault update \
--name kv-myapp-prod \
--resource-group rg-keyvault \
--default-action Deny
Use Private Endpoints
For production workloads, disable public access and use Private Link:
- Secrets never traverse public internet
- Integrated with VNet DNS resolution
- Compliant with zero-trust security model
Secret Rotation Strategy
- Automate Rotation: Use Key Vault's integrated rotation for supported services
- Versioning: Key Vault maintains secret versions automatically
- Monitoring: Set up alerts for expiring secrets and certificates
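The rotation checks listed above (expiry set, expiry approaching, version older than the rotation period) can be run over secret metadata before an alert rule exists. The following is an added example, not code from the original page: each record is shaped like an entry from `az keyvault secret list -o json`, the attribute names (`attributes.enabled`, `attributes.created`, `attributes.expires`) are an assumption based on that output, and the four records are constructed for the example.

```python
# Added example, not code from the original page: audits secret metadata for the
# rotation strategy described above (expiry set, expiry near, rotation overdue).
# Each record is shaped like an entry from `az keyvault secret list -o json`; the
# attribute names (attributes.enabled/created/expires) are an assumption based on
# that output, and the records themselves are constructed for this example.
from datetime import datetime, timedelta, timezone

# Constructed sample: four secrets in different rotation states.
SAMPLE_SECRETS = [
    {"name": "db-connection-string",
     "attributes": {"enabled": True, "created": "2024-01-10T09:00:00+00:00",
                    "expires": "2024-07-01T00:00:00+00:00"}},
    {"name": "api-key",
     "attributes": {"enabled": True, "created": "2023-02-01T00:00:00+00:00",
                    "expires": None}},
    {"name": "storage-account-key",
     "attributes": {"enabled": True, "created": "2024-05-20T00:00:00+00:00",
                    "expires": "2025-05-20T00:00:00+00:00"}},
    {"name": "legacy-token",
     "attributes": {"enabled": False, "created": "2022-01-01T00:00:00+00:00",
                    "expires": "2022-12-31T00:00:00+00:00"}},
]


def _ts(value):
    """Parse an ISO-8601 timestamp; returns None for a missing value."""
    return datetime.fromisoformat(value) if value else None


def audit_secrets(secrets, now, warn_within_days=30, max_age_days=90):
    """Classify enabled secrets by rotation problem.

    Returns a dict with keys expired, expiring_soon, no_expiry and rotation_overdue,
    each a list of secret names. A secret can appear under more than one key.
    """
    report = {"expired": [], "expiring_soon": [], "no_expiry": [], "rotation_overdue": []}
    warn_horizon = now + timedelta(days=warn_within_days)
    for s in secrets:
        attrs = s.get("attributes") or {}
        if not attrs.get("enabled", True):
            continue  # disabled secrets are already out of service
        name = s["name"]
        expires, created = _ts(attrs.get("expires")), _ts(attrs.get("created"))
        if expires is None:
            report["no_expiry"].append(name)
        elif expires <= now:
            report["expired"].append(name)
        elif expires <= warn_horizon:
            report["expiring_soon"].append(name)
        # Rotation age is measured from the current version's creation time.
        if created is not None and now - created > timedelta(days=max_age_days):
            report["rotation_overdue"].append(name)
    return report


def audit_at(iso_now, secrets=SAMPLE_SECRETS, **kwargs):
    """Run the audit as of a fixed ISO-8601 instant (useful for tests and reports)."""
    return audit_secrets(secrets, datetime.fromisoformat(iso_now), **kwargs)


if __name__ == "__main__":
    for problem, names in audit_secrets(SAMPLE_SECRETS, datetime.now(timezone.utc)).items():
        print(f"{problem}: {', '.join(names) or '-'}")
```

A secret with no expiry is reported separately from one that is merely old, because the first never triggers Key Vault's own near-expiry notifications; the age check uses the creation time of the current version, which is what rotation actually resets.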
Things to Avoid
❌ Don't hardcode secrets in application code, even temporarily
❌ Don't use access policies for new deployments (use RBAC)
❌ Don't grant overly permissive access (e.g., Key Vault Administrator for apps)
❌ Don't disable soft delete and purge protection in production
❌ Don't allow unrestricted network access in production vaults
❌ Don't store non-sensitive configuration data in Key Vault (use App Configuration)
❌ Don't share secrets across multiple environments (dev/prod)
❌ Don't neglect to monitor access logs and failed authentication attempts

✅ Do use separate Key Vaults for different environments
✅ Do implement least privilege access with RBAC
✅ Do enable diagnostic logging to Log Analytics
✅ Do use managed identities for service-to-service authentication
✅ Do regularly review and audit access permissions
✅ Do implement secret expiration dates and rotation
✅ Do use Premium tier with HSM for highly sensitive keys
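The configuration points from the best practices above (soft delete retention, purge protection, RBAC instead of access policies, network default action, public access) can be checked mechanically against a vault's current settings. The following is an added example, not code from the original page: the input mirrors the JSON that `az keyvault show -o json` returns, the property names used are an assumption based on that output, and both sample vaults (a weak one and the same vault hardened) are constructed for the example.

```python
# Added example, not code from the original page: evaluates a vault's configuration
# against the best practices above (soft delete, purge protection, RBAC, network
# restrictions). The input mirrors the JSON that `az keyvault show -o json` returns;
# the property names used here are an assumption based on that output, and both
# sample vaults are constructed for this example.
import json

# Constructed sample of a vault that violates most of the practices above.
WEAK_VAULT_JSON = """
{
  "name": "kv-myapp-prod",
  "properties": {
    "sku": {"family": "A", "name": "standard"},
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 7,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                    "ipRules": [], "virtualNetworkRules": []},
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}}
    ]
  }
}
"""

# Constructed sample of the same vault after applying the practices above.
HARDENED_VAULT_JSON = """
{
  "name": "kv-myapp-prod",
  "properties": {
    "sku": {"family": "A", "name": "premium"},
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "publicNetworkAccess": "Disabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                    "ipRules": [{"value": "203.0.113.0/24"}], "virtualNetworkRules": []},
    "accessPolicies": []
  }
}
"""


def check_vault(vault, production=True, min_retention_days=90):
    """Return a list of findings (strings); an empty list means the vault passes."""
    p = vault.get("properties") or {}
    findings = []

    # Soft delete: must be on, with the recommended retention window.
    if not p.get("enableSoftDelete"):
        findings.append("soft delete is disabled")
    elif (p.get("softDeleteRetentionInDays") or 0) < min_retention_days:
        findings.append(f"soft delete retention is {p.get('softDeleteRetentionInDays')} days, "
                        f"below the recommended {min_retention_days}")

    # Purge protection: the CLI shows null when it was never enabled.
    if production and not p.get("enablePurgeProtection"):
        findings.append("purge protection is not enabled")

    # Authorization model: RBAC over legacy access policies; flag blanket 'all' grants.
    if not p.get("enableRbacAuthorization"):
        findings.append("data plane uses legacy access policies instead of Azure RBAC")
        for policy in p.get("accessPolicies") or []:
            perms = policy.get("permissions") or {}
            if any("all" in [x.lower() for x in v] for v in perms.values() if v):
                findings.append(f"access policy for {policy.get('objectId')} grants 'all' permissions")

    # Network: deny by default and prefer private endpoints in production.
    acls = p.get("networkAcls") or {}
    if production and acls.get("defaultAction", "Allow") != "Deny":
        findings.append("network default action is Allow (unrestricted network access)")
    if production and p.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access is enabled; use a private endpoint")

    return findings


def check_vault_json(text, **kwargs):
    """Convenience wrapper for piping `az keyvault show -o json` output into this script."""
    return check_vault(json.loads(text), **kwargs)


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_VAULT_JSON), ("hardened", HARDENED_VAULT_JSON)):
        print(label, check_vault_json(doc) or ["OK"])
```

The `production` switch relaxes only the checks the page ties to production vaults (purge protection and network restrictions); the soft delete and RBAC checks apply everywhere, which matches the "separate vaults per environment" advice above.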
Monitoring and Logging
Enable Diagnostic Settings
# Send logs to Log Analytics
az monitor diagnostic-settings create \
--name KeyVaultLogs \
--resource /subscriptions/{sub-id}/resourceGroups/rg-keyvault/providers/Microsoft.KeyVault/vaults/kv-myapp-prod \
--logs '[{"category": "AuditEvent", "enabled": true}]' \
--metrics '[{"category": "AllMetrics", "enabled": true}]' \
--workspace /subscriptions/{sub-id}/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-prod
Key Metrics to Monitor
- Vault Availability: Target 99.9%+
- Total API Hits: Monitor for unusual spikes
- Failed Requests: Investigate authentication failures
- Latency: Service API latency (P95, P99)
Set Up Alerts
# Alert on failed authentication attempts
az monitor metrics alert create \
--name FailedKeyVaultAuth \
--resource-group rg-keyvault \
--scopes /subscriptions/{sub-id}/resourceGroups/rg-keyvault/providers/Microsoft.KeyVault/vaults/kv-myapp-prod \
--condition "count ServiceApiResult > 10 where StatusCode includes 401" \
--window-size 5m \
--evaluation-frequency 1m
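The same rule the alert expresses (more than 10 failed authentications from one caller inside a five-minute window) can be exercised offline against exported AuditEvent records, which is a useful way to confirm the threshold before wiring up the alert. The following is an added example, not code from the original page: the field names (`time`, `operationName`, `resultSignature`, `callerIpAddress`, `identity.claim.appid`, `properties.httpStatusCode`) follow the documented AuditEvent schema, and the log lines, IP addresses and app ids are constructed for the example.

```python
# Added example, not code from the original page: applies the "failed authentication"
# rule from the alert above to Key Vault AuditEvent records offline, so the logic can
# be tested before the alert is wired up. Field names (time, operationName,
# resultSignature, callerIpAddress, identity.claim.appid, properties.httpStatusCode)
# follow the documented AuditEvent schema; the log lines are constructed here.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
BASE = datetime(2024, 6, 15, 10, 0, 0)
APP_A = "11111111-1111-1111-1111-111111111111"  # constructed app id
APP_B = "22222222-2222-2222-2222-222222222222"  # constructed app id


def _record(offset_s, op, status, ip, appid):
    """Build one AuditEvent line (constructed, shaped like the documented schema)."""
    signature = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}[status]
    return json.dumps({
        "time": (BASE + timedelta(seconds=offset_s)).strftime(TIME_FMT),
        "category": "AuditEvent",
        "operationName": op,
        "resultSignature": signature,
        "callerIpAddress": ip,
        "identity": {"claim": {"appid": appid}},
        "properties": {"httpStatusCode": status,
                       "id": "https://kv-myapp-prod.vault.azure.net/secrets/db-connection-string"},
    })


# Constructed sample: 12 rejected SecretGet calls from one caller over three minutes,
# interleaved with normal traffic and a single Forbidden from a second caller.
SAMPLE_LOG_LINES = (
    [_record(15 * i, "SecretGet", 401, "198.51.100.7", APP_A) for i in range(12)]
    + [_record(5, "SecretGet", 200, "203.0.113.10", APP_B),
       _record(65, "SecretList", 200, "203.0.113.10", APP_B),
       _record(125, "SecretGet", 200, "203.0.113.10", APP_B),
       _record(200, "KeyGet", 403, "203.0.113.10", APP_B)]
)


def detect_failed_auth_bursts(lines, threshold=10, window_minutes=5):
    """Return {(caller_ip, appid): time} for callers whose 401/403 count in any
    sliding window exceeds `threshold`; the time is when the threshold was crossed."""
    window = timedelta(minutes=window_minutes)
    records = [json.loads(line) for line in lines]
    records.sort(key=lambda r: r["time"])  # diagnostic exports are not guaranteed ordered
    recent = defaultdict(deque)  # caller -> timestamps of failures inside the window
    breaches = {}
    for rec in records:
        status = (rec.get("properties") or {}).get("httpStatusCode")
        if status not in (401, 403):
            continue
        ts = datetime.strptime(rec["time"], TIME_FMT)
        caller = (rec.get("callerIpAddress"),
                  ((rec.get("identity") or {}).get("claim") or {}).get("appid"))
        q = recent[caller]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) > threshold and caller not in breaches:
            breaches[caller] = rec["time"]
    return breaches


if __name__ == "__main__":
    for (ip, appid), when in detect_failed_auth_bursts(SAMPLE_LOG_LINES).items():
        print(f"{when}: >10 auth failures within 5m from {ip} (appid {appid})")
```

Keying the window on caller IP plus app id keeps a single noisy client from hiding behind aggregate counts, which is the one thing the metric-based alert above cannot distinguish on its own; the 403 from the second caller stays below the threshold and is not reported.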
Common Use Cases
- Application Secrets: Database connection strings, API keys
- Encryption Keys: For Azure Storage, Disk Encryption, Always Encrypted
- SSL/TLS Certificates: Automated provisioning and renewal
- DevOps Pipelines: Secure credential storage for CI/CD
- Bring Your Own Key (BYOK): Import your own encryption keys
- Signing Operations: Code signing, document signing