Azure Key Vault

Azure Key Vault manages keys, secrets, and certificates in the Azure portal. Several functions in the Data Productivity Cloud require access to these resources.

---

Creating secrets in Azure Key Vault

1. Log in to your Azure portal account.
2. Browse to the Key Vaults service.
3. Click Create to open the Create a key vault page at the Basics tab.
4. Complete the following fields:
   • Resource Group: Select an existing resource group. We recommend you choose the same resource group that your Data Productivity Cloud agent will be launched in. To create a new resource group, read Create resource groups.
   • Key vault name: Give your new key vault a name.
   • Region: Select an Azure region.
   • Pricing tier: Select Standard or Premium pricing.
5. Click the Access Policy tab and review your permission model. Vault Access Policy is the default selection. If you want to select the Azure role-based access control instead, refer to Assign an access policy.
6. Click Review + create, and then click Create.
7. After a brief period, your key vault will be created. Under Next steps, click Go to resource.
8. The Overview tab will be displayed. Make a note of your Vault URI. You may need to invoke the ARN within the Data Productivity Cloud—when you create an agent, for example.

To create and store a secret:

1. Click Secrets in the sidebar, then click Generate/Import at the top.

2. Enter the following secret details.

   • Upload options: Select Manual.
   • Name: Enter agent-rsa.
   • Secret value: Enter your secret key. See the note below on multi-line secrets.

   Note

   • Azure Key Vault strips newlines from secrets being added via the graphical user interface (GUI), which will prevent your secrets from working. Read Store a multi-line secret in Azure Key Vault to work around this issue.

   • The following CLI command will maintain newlines:

     az keyvault secret set --vault-name <vault-name> --name <secet-name> --file <key-file-name>
     

3. Leave the other fields blank, and click Create.

---

Assign an access policy

Configure your access policy by selecting one of the following permission models:

• Vault Access Policy: The default permission model that determines whether a security principle, such as a user, application, or user group, can perform different operations on keys, secrets, and certificates.
• Azure role-based access control: An authorization system that provides fine-grained access management of Azure resources to grant access at a specific scope level by assigning appropriate Azure roles.

Follow these steps to set the permission model:

1. Click the Access policy tab in the Create a key vault process.
2. Choose your permission model.
3. Select your Resource access.
4. If you choose the default Vault access policy, continue to the next step. If you choose Azure role-based access control, continue to step 10.
5. Under the Access policies heading, click Create.
6. Use the Configure from a template drop-down menu to select an existing template.

7. Add the following Secret permissions:

   • Get
   • List

   Note

   • These permissions must be set for a secret, not a key or certificate.
   • In some scenarios, you may need additional secret permissions. See Additional configuration for CDC pipelines, below.

8. Click the Principal tab, and select your chosen principal. Only one principal can be assigned per access policy.

9. Click the Application (optional) tab and select an application. For more information, read Managed identities.
10. Click Review + Create, then click Create.

---

Access control IAM

Use the following steps to assign roles and grant access to your Azure Key Vault resource.

1. Access your existing Key Vault resource in your Microsoft Azure portal account.
2. Click on the intended key vault.
3. Click Access control (IAM) in the sidebar.
4. Click Add from the top menu, then click Add role assignment.
5. Select the Reader permissions.
6. Click Next.
7. In the Members tab, select the members you want to assign access to, add an optional description, and add your application.
8. Click Next, then click Review + assign.

---

Additional configuration for CDC pipelines

Some additional configuration is required to allow a CDC pipeline to be created from an agent deployed on Azure. In this scenario, complete the following steps.

Add your Azure user to the access policy for the chosen key vault:

1. In the Azure portal, find the key vault created from the CDC agent deployment.
2. In the left navigation menu, click Access Policies.
3. Click +Create.
4. Under Secret Permissions, select the following permissions:
   • Get
   • List
   • Set
   • Delete
5. Click Next.
6. Under Principle, search for your Azure username and select it.
7. Click Next, then click Next again.
8. Click Create.

Add a new secret in the key vault for the source database password:

1. In the Azure portal, find the key vault created from the CDC agent deployment.
2. In the left navigation menu, click Objects → Secrets.
3. Click +Generate/Import.
4. Enter the following details:
   • Name: The name that the Data Productivity Cloud will use to refer to the secret.
   • Secret Value: The password to be used when connecting to the CDC source.
5. Click Create.

Add a new secret to the key vault for storage account access key:

1. In the Azure portal, navigate to the storage account created from the CDC agent deployment.
2. In the left navigation menu, click Security + networking, then click Access keys.
3. Click the Show button next to the key value for Key1 or Key2.
4. Click the Copy button to copy the key that is now shown.
5. In the Azure portal, find the key vault created from the CDC agent deployment.
6. In the left navigation menu, click Objects, then click Secrets.
7. Click +Generate/Import.
8. Enter the following details:
   • Name: The name that the Data Productivity Cloud will use to refer to the secret.
   • Secret Value: The password storage key copied in step 4.
9. Click Create.