Vault integrations with Azure: Vault Azure Authentication method Vault Azure Secrets Engine Vault Azure Cloud Unseal

1. Copyright © 2018 HashiCorp
Secure and automated
workflows in
Azure with
Vault and Terraform

2. Copyright © 2018 HashiCorp
▪ Introduction
▪ Security and automation goals
▪ Vault Overview
– Secure Token Introduction
– Retrieving Secrets
– Seal/ Unseal
▪ Azure Use Cases
– Azure Auth Method
– Azure Secret Engine
– Azure Cloud Unseal
▪ ”Demo”
Agenda
2

3. Copyright © 2017 HashiCorp
Background
Stenio Ferreira
Sr. Solutions Engineer at Hashicorp
Prior experience:
• Software development,
• Startups,
• Consulting,
• Aspiring rock star
Hello!
Github, Twitter:
@stenio123

4. Copyright © 2018 HashiCorp
Security and Automation Goals
Automation:
• Repeatable and scalable deployments
• Version control history
• Easy to collaborate and share
Security:
• Reduce secret exposure
• Unique credentials per role
• Easy to revoke if compromised
Infrastructure as code!
(Terraform and Packer)
Platform authentication!
Dynamic secrets!
(Vault)

5. Copyright © 2018 HashiCorp
Vault Authentication and Authorization
Vault is an identity broker!

6. Copyright © 2018 HashiCorp
Secure Token Introduction
A Vault client needs a token proving its identity, and tied to Vault ACL policies
How to introduce this token without
• Hardcoding Vault credentials
• Hardcoding the token?
Trusted orchestrator!
• Define one orchestrator you trust:
- Azure
- AWS
- K8s
- Jenkins, etc
• This orchestrator will provide the IDENTITY of the client
• Configure Vault to check with orchestrator to validate the IDENTITY of a request
• Configure Vault to map ACL policies to these IDENTIES
• Client retrieves payload from orchestrator to prove IDENTITY (can use Vault Agent or custom logic)
• If valid, Vault returns the token with a TTL
Azure
Vault
Vault
Agent
Vault
token
VM
List of authentication methods: https://www.vaultproject.io/api/auth/index.html
Vault Agent docs: https://www.vaultproject.io/docs/agent/

7. Copyright © 2018 HashiCorp
Retrieving Secrets from Vault
▪ Vault CLI
– Vault binary can be used to issue commands, leveraging
env vars (VAULT_ADDR, VAULT_TOKEN, etc)
▪ cURL commands
– All Vault endpoints are reachable through API endpoints.
Pass token in request header
▪ Native Integration
– There are a variety of libraries that abstract the API calls
for developers (Java, GO, C#, Ruby, Python, etc)
▪ Consul Template/ Env
– Agent that externalizes Vault logic from the client
– Can manage token lifecycle and create a file or env var
with secrets
Assuming Token present, how can clients retrieve secrets from Vault?
Azure
Vault
VM
App
Consul
Template
File
w
Secrets
List of native integrations: https://www.vaultproject.io/api/libraries.html

8. Copyright © 2018 HashiCorp
Vault Seal/ Unseal
Vault is a centralized secrets management solution that offers “break glass procedure” – if it is compromised, an admin
can seal it, preventing all access.
This is also useful to ensure Vault is in a non-compromised situation before it is “unsealed”, the state where it can
accept client requests.
Because of this, when first deployed, Vault starts in the “sealed” state. If there are any changes with the background
process or the binary, it also becomes “sealed”.
Until recently, only Shamir Secret Sharing was available for unsealing Vault without an Enterprise license. As of Vault
1.0, Cloud auto-unseal is now available in open source, supporting AWS, Azure and GCP.
Shamir Secret Sharing Cloud Auto-unseal
Vault Vault

9. Copyright © 2018 HashiCorp
Vault – Azure Use Cases
1- Azure Auth Method
• Can only be used by VMs
deployed in Azure
• Once authenticated, they can
leverage any Vault services their
ACL policy allows:
- Static secrets (K/V)
- Encryption as Service
- AWS dynamic secrets
- and more!
2- Azure Secret Engine
• Can be used by clients deployed
anywhere
• Will create a service principal with
previously defined permissions
• Or will rotate password of a
previously created service principal
3- Azure Cloud Auto-unseal
• Leverages Azure Key Vault for auto-
unseal
Vault
Where 1, 2 and 3 can happen at the same time, but not a requirement.

10. Copyright © 2018 HashiCorp
▪ You have followed best practices and instead of hardcoding a secret in your app,
you store it in Vault.
▪ You update the logic of the app (or keep same logic and use Consul Template),
so it knows how to retrieve secret from Vault.
▪ But before it can do that, the app needs a client token from Vault.
▪ This is the chicken and egg problem of what comes first.
▪ Assuming you are deploying in Azure, you can leverage the Azure Auth Method
to save you!
The same pattern is also valid for AWS, GCP, K8s, etc.
More info here: https://www.vaultproject.io/docs/auth/index.html
Use Case 1 – Azure Auth Method (1/2)

11. Copyright © 2018 HashiCorp
Use Case 1 – Azure Auth Method (2/2)
Azure
Vault
AppVault
Agent
Consul
Template
File
w
Secrets
Vault
token
VM
Azure
resource
2. Configure Vault
• Enable Azure auth method
• Enter Azure configs
• Create roles mapping
service principals, groups
or subscriptions to Vault
policies
1. Create Service Principal for Vault
• Create app
• Create service principal with “Owner” role
• Add and grant app permissions (MicrosoftGraph)
3. Configure Authentication
within VM
• Install and configure Vault
Agent
• Alternatively, you can create
a startup script that retrieves
and sends metadata to
Vault
* If you are following an Infrastructure as Code workflow, you can have a CI/CD tool deploy the VM image with the Vault address as a dynamic value on step 3
4. Retrieve Secrets
• If secret retrieval is
managed by your app,
nothing else to do
• If you are leveraging Consul
Template, you can configure
it in this step

12. Copyright © 2018 HashiCorp
▪ Your user or app needs to access a resource from Azure (Blob storage, vm, etc).
▪ You are following best practices, and don’t want to create static credentials managed through out-of-
band processes (open ticket, create by hand, etc).
▪ Benefits of dynamic secret:
– Ephemeral
– Self service
– Unique
– Easy to revoke
– Leverages Vault to manage Azure permission assignments
Use Case 2 – Azure Secret Engine (1/2)

13. Copyright © 2018 HashiCorp
Use Case 2 – Azure Secret Engine (2/2)
Azure
Vault
AppVault
Agent
Consul
Template
File
w
Secrets
Vault
token
VM
Azure
resource
3. Configure Vault (1)
• Enable Azure secret engine
• Enter Azure configs
• Create roles mapping to
Azure roles or service
principals, and the scope
1. Create Service Principal for Vault
• Create app
• Create service principal with “Owner” role
• Add and grant app permissions (Azure AD)
5. Retrieve Azure Creds
• App or user located
anywhere authenticates with
Vault
• Leveraging client token,
retrieve Azure creds
• Use creds. They can be
renewed if enabled.
2. Create Custom Azure
Roles (optional)
• Create custom Azure
roles
4. Configure Vault (2)
• Create a Vault policy
allowing reading the secret
• Associate this policy with
auth identity or Control
Group
App
Non-Azure Location
(Workstation, AWS, etc)

14. Copyright © 2018 HashiCorp
▪ You want to leverage Azure Key Vault to unseal your Vault automatically.
▪ You can still seal/unseal it manually as part of the regular break glass procedure.
▪ If Vault process restarted, and it has access to Azure Key, it will start unsealed.
▪ Caveat:
– If connection to Azure Key is lost, Vault will work normally.
– However if process is killed or Vault is manually sealed, it won’t be able to start until connection to
Azure key is restored.
Use Case 3 – Azure Cloud Unseal (1/2)

15. Copyright © 2018 HashiCorp
Use Case 3 – Azure Cloud Unseal (2/2)
Azure
Vault
Azure
Key Vault
# Config.hcl
…
Seal {
Azure creds
Azure vault name
Azure key name
}
…
1. Create Service Principal for Vault
• Create app
• Create service principal with “Owner” role
• Add and grant app permissions (Azure Key Vault)
2. Create Azure Key Vault
• Create Key Vault
• Create Key
• Grant permissions to
service principal
3. Create Vault config
• Add Azure info
3. Start Vault
• Safely store recovery key
• Safely store or revoke root
password once finished
Recovery
key
4. Seal/ Unseal
• Manual “Seal” and “unseal”
follow expected behavior –
use Recovery Key
• If Vault process is killed, or
needs restart, it will unseal
automatically
5. Seal Migration
• If desired, the seal can be
migrated to different stanza

16. Copyright © 2018 HashiCorp
▪ Source:
https://github.com/stenio123/azure-vault-terraform
Demo

17. Thank you.
hello@hashicorp.comwww.hashicorp.co
m