Skip to content

Latest commit

 

History

History
128 lines (71 loc) · 6.38 KB

create_sp_azure.md

File metadata and controls

128 lines (71 loc) · 6.38 KB
Raw

  1. Log into your azure portal

  2. Navigate to Azure active directory in the portal.

  3. Select "App registrations" from the menu.

  4. Click "+ New registration"

  5. Give it a name such as "keyfactor-akv" and leave the first radio button selected

    App Registration Overview

  6. Once the entity has been created, you should be directed to the overview view.

    App Registration Overview

  7. From here, copy the Directory (tenant) ID.

  8. Click on the underlined link above. You should see the managed application details that look similar to the below screen shot.

    App registration object Id

  9. Copy the Application (client) ID

  10. Now we have a App registration and values for Directory (tenant) ID, Application (client) ID. These will be used by the integration for authentication to Azure.

  11. (Optional) If creating a multi-tenant service principal, the following AzureAD Powershell command must be run in each tenant:

    New-AzADServicePrincipal -ApplicationId <Application ID>

Assign Permissions

In order to be able to discover and create new Azure Keyvault certificate stores, the app principal that we created must be provided with the "Keyvault Administrator" role at the Resource Group level.1 If there are multiple resource groups that will contain Key Vaults to be managed, you should repeat for each.

Here are the steps for assigning this role.

  1. Navigate to the Azure portal and select a resource group that will contain the Keyvaults we would like to manage.

  2. Select "Access control (IAM)" from the left menu.

  3. Click "Add", then "Add Role Assignment" to create a new role assignment

    Resource Group Add Role

  4. Search and Select the "Key Vault Administrator" role.

  5. Search and Select the principal we created.

    Select Principal

  6. Click "Review and Assign" and save the role assignment.

Assign Permissions for an Individual Key Vault via RBAC

If you only need to manage a single instance of a Key Vault and do not require creation and discovery of new Key Vaults, you can provision access to the specific instance without needing to provide the service principal the "Keyvault Administrator" role at the resource group level.

Follow the below steps in order to provide management access for our service principal to a specific instance of a Key Vault:

  1. Navigate to the Azure Portal and then to your instance of the Azure Keyvault

  2. Go to "Access control (IAM)" in the navigation menu for the Key vault.

  3. Click on "Add role assignment"

    Vault RBAC

  4. Find the Keyvault Administrator role in the list. Select it and click "Next"

    Vault RBAC KVAdmin

  5. On the next screen, click "Select members" and then search for the service principal we created above.

    Vault RBAC principal

  6. Select the service principal, click "select", and then "Next"

  7. On the final screen, you should see something similar to the following:

    Vault RBAC final

  8. Click "Review + assign" to finish assigning the role of Keyvault Administrator for this Key Vault to our service principal account.

Assign Permissions for an Individual Key Vault via Access Policy

Access to an Azure Key Vault instance can be granted via Role Based Access Control (RBAC) or with class Azure Resource Access Policies. The below steps are for provisioning access to a single instance of a Key Vault using Access Policies. If you are using RBAC at the resource group level (necessary for discovery and creating new Key Vaults via Keyfactor) we recommend following RBAC (above). Alternatively, you will need to assign explicit permissions to the service principal for any Key Vault that is using Access Policy for Access Control if the Key Vault should be managed with Keyfactor.

Following the below steps will provide our service principal with the ability to manage keys in an existing vault, without providing it the elevated permissions required for discovering existing vaults or creating new ones. If you've completed the steps in the previous section for the resource group that contains the Key Vault(s) you would like to manage and the Key Vault(s) are using RBAC, the below steps are not necessary.

  1. Navigate to the Azure Portal and then to your instance of the Azure Keyvault.

  2. Go to "Access Policies" in the navigation menu for the Key vault.

  3. Click "+ Add Access Policy"

  4. In the first drop-down, you can select "Certificate Management". This will select all certificate management permissions.

    Permission List

  5. Click "Select Principal" to open the search pane.

  6. Find the Application Registration we created above, select it, and click "Select".

    Select Principal

  7. Leave "Authorized application" unselected.

  8. Click "Add".

  9. After you are redirected to the "Access policies" view, you should see the App Registration listed under "APPLICATION".

  10. Click "Save" at the top of this view.

    Select Principal

Generate an Access Token

For authenticating to Azure via App Registration/Service Principal, we will need to generate an access token.

  1. Navigate to the App Registration we created earlier, in Azure Active Directory.
  2. Select "Certificates & Secrets" from the left menu.
  3. Click "+ New client secret"
  4. Give it a description such as "Keyfactor access"
  5. Select a valid expiration
  6. Click "Add".
  7. Copy the "Value" of the secret before navigating away.

Back to README

Footnotes

  1. If discovery and create store functionality are not neeeded, it is also possible to manage individual certificate stores without the need to provide resource group level authority. The steps to do assign permissions for an individual Azure Keyvault are described here for vaults using Access Policy based permissions and here for Individual Key Vaults using Role-Based Access Control (RBAC).