ContextQMD
Back to Infisical

Azure Key Vault Connection

docs/integrations/app-connections/azure-key-vault.mdx

0.159.257.7 KB
Original Source

Infisical currently only supports two methods for connecting to Azure, which are OAuth and Client Secrets.

<Accordion title="Self-Hosted Instance"> Using the Azure Key Vault connection on a self-hosted instance of Infisical requires configuring an application in Azure and registering your instance with it.

Prerequisites:

  • Set up Azure and have an existing Key Vault instance.
<Steps> <Step title="Create an application in Azure"> Navigate to Azure Active Directory > App registrations to create a new application. 
  <Info>
    Azure Active Directory is now Microsoft Entra ID.
  </Info>
  ![Azure key vault](/images/integrations/azure-app-configuration/config-aad.png)
  ![Azure key vault](/images/integrations/azure-app-configuration/config-new-app.png)

  Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/organization/app-connections/azure/oauth/callback`.
  <Tip>
    The domain you defined in the Redirect URI should be equivalent to the `SITE_URL` configured in your Infisical instance.
  </Tip>

  ![Azure key vault](/images/app-connections/azure/register-callback.png)
</Step>
<Step title="Assign API permissions to the application">

  For the Azure Connection to work with Key Vault, you need to assign multiple permissions to the application.

  #### Azure Key Vault permissions

  Set the API permissions of the Azure application to include `user.impersonation` for the Key Vault API.
  ![Azure key vault](/images/app-connections/azure/keyvault-azure-permissions.png)

</Step>
<Step title="Add your application credentials to Infisical">
  Obtain the **Application (Client) ID** in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.

  ![Azure key vault](../../images/integrations/azure-app-configuration/config-credentials-1.png)
  ![Azure key vault](../../images/integrations/azure-app-configuration/config-credentials-2.png)
  ![Azure key vault](../../images/integrations/azure-app-configuration/config-credentials-3.png)

  Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.

  - `INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID`: The **Application (Client) ID** of your Azure application.
  - `INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET`: The **Client Secret** of your Azure application.

  Once added, restart your Infisical instance and use the Azure Key Vault connection.
</Step>
</Steps>
</Accordion> <Accordion title="Client Secret Authentication"> To use client secret authentication, ensure your Azure Service Principal has the required permissions and is connected to the Azure Key Vault instances you want to use.

Prerequisites:

  • Set up Azure and have an existing Key Vault instance.
  • The service principal must be connected to your target Azure Key Vault instance(s)
<Steps> <Step title="Assign API permissions to the service principal"> 
  Configure the required API permissions for your App Registration to interact with Azure Key Vault:

  #### Azure Key Vault permissions

  Set the API permissions of your Azure service principal to include `user_impersonation` for the Key Vault API.
  ![Azure key vault](/images/app-connections/azure/keyvault-azure-permissions.png)

</Step>
</Steps> </Accordion>

Setup Azure Connection in Infisical

<Steps> <Step title="Navigate to App Connections"> Navigate to the **Integrations** tab in the desired project, then select **App Connections**. ![App Connections Tab](/images/app-connections/general/add-connection.png) </Step> <Step title="Add Connection"> Select the **Azure Connection** option from the connection options modal. ![Select Azure Connection](/images/app-connections/azure/key-vault/select-connection.png) </Step> <Step title="Create Connection"> <Tabs> <Tab title="OAuth"> <Steps> <Step title="Authorize Connection"> You can optionally authenticate against a specific tenant by providing the Azure Tenant or Directory ID. 
        Now select the **OAuth** method and click **Connect to Azure**. 

        ![Connect via Azure OAUth](/images/app-connections/azure/key-vault/create-oauth-method.png)

        

      </Step>
      <Step title="Grant Access">
        You will then be redirected to Azure to grant Infisical access to your Azure account. Once granted,
        you will redirect you back to Infisical's App Connections page. ![Azure Key Vault
        Authorization](/images/app-connections/azure/grant-access.png)
      </Step>
    </Steps>
  </Tab>
  <Tab title="Client Secret">
    <Steps>
      <Step title="Create Connection">
        Fill in the **Tenant ID**, **Client ID**, **Client Secret** fields with the Directory (Tenant) ID, Application (Client) ID, Client Secret you obtained in the previous step.

        ![Connect via Azure OAUth](/images/app-connections/azure/key-vault/create-client-secrets-method.png)

        <Tip>
            You can optionally enable **Automatic Credential Rotation** for this connection. See the [Automatic Credential Rotation](#automatic-credential-rotation) section below for details.
        </Tip>
      </Step>
    </Steps>
  </Tab>
</Tabs>
</Step> <Step title="Connection Created"> Your **Azure Key Vault Connection** is now available for use. ![Assume Role AWS Connection](/images/app-connections/azure/key-vault/oauth-connection.png) </Step> </Steps>

Automatic Credential Rotation

When using the Client Secret authentication method, Infisical can automatically rotate the Client Secret of your Azure application on a recurring schedule. When enabled, Infisical will immediately generate a new Client Secret on connection creation and revoke the original one, ensuring that no external party retains access using the credentials you provided.

<Note> Automatic Credential Rotation is only available for the **Client Secret** authentication method. </Note> <Steps> <Step title="Locate the Key ID of your Client Secret"> Before enabling rotation, you'll need the **Key ID** of the Client Secret you are using to authenticate. Navigate to your App Registration in the Azure Portal, then go to **Certificates & secrets**. Copy the **Secret ID** (Key ID) of the secret you are providing to Infisical. 
    ![Azure Client Secret Key ID](/images/app-connections/azure/key-vault/credential-rotation-key-id.png)
</Step>
<Step title="Enable Automatic Credential Rotation">
    When creating or editing your connection, toggle on the **Automatic Credential Rotation** switch.

    ![Enable Automatic Credential Rotation](/images/app-connections/azure/key-vault/credential-rotation-toggle.png)
</Step>
<Step title="Provide the Client Secret Key ID">
    Enter the **Key ID** you copied in the previous step into the **Client Secret Key ID** field. Infisical uses this to revoke your original secret after generating a new one.

    ![Client Secret Key ID Field](/images/app-connections/azure/key-vault/credential-rotation-key-id-field.png)
</Step>
<Step title="Configure the Rotation Schedule">
    Set the **Rotation Interval** (in days) to define how often the credential should be rotated, and set **Rotate At** to the local time of day at which the rotation should occur.

    - **Rotation Interval** – How many days between each rotation.
    - **Rotate At** – The local time of day at which the rotation will be triggered.

    ![Rotation Schedule](/images/app-connections/azure/key-vault/credential-rotation-schedule.png)
</Step>
</Steps>