Azure Managed Application Publisher / ISV Access to Azure Key Vault in Managed Resource Group in Customer Subscription

In this article, we look at a scenario where an Azure Managed Application publisher (aka Independent Software Vendor, or ISV) needs to use its publisher identity to create and delete secrets (e.g. a connection string) in an Azure Key Vault that lives in the Managed Resource Group (MRG) in the customer’s Azure subscription, so that other resources running in the MRG (e.g. Web Apps, VMs) can use those secrets.

Challenge

The Azure Key Vault resource and its data-plane access policies are tied to a specific Azure Active Directory tenant (there is a tenantId property on the Key Vault resource), and the resources deployed in the managed resource group in the customer subscription need to be able to use the secrets in that Key Vault. Therefore, the Key Vault must be tied to the customer’s tenant.

  • The publisher cannot access the Key Vault in the Managed Resource Group because the Key Vault is tied to the customer’s Azure AD tenant (this is the challenge)

Potential Approaches

The publisher can “proxy” access to the Azure Key Vault data-plane API in the Managed Resource Group (MRG) through either of:

Pseudocode for data-plane Managed Identity “proxy” approach

Below is the pseudocode for the “proxy” approach using the Managed Application’s system-assigned identity.

# 1. Look up the principal ID of the Managed Application's system-assigned identity
az rest --method GET --uri "/subscriptions/{CUSTOMER_SUBSCRIPTION_ID}/resourceGroups/{MANAGED_APP_RG}/providers/Microsoft.Solutions/applications/{MANAGED_APP_NAME}?api-version=2019-07-01" --query identity.principalId -o tsv
# 2. Grant that identity the secret permissions it needs on the Key Vault in the MRG
az keyvault set-policy --secret-permissions list get set delete --object-id {PRINCIPAL_ID_OF_THE_MANAGED_APP_SYSTEM_ASSIGNED_IDENTITY} --name {KEYVAULT_NAME}
# 3. As the publisher, request a Key Vault data-plane token for the Managed Application identity
az rest --method POST --uri "/subscriptions/{CUSTOMER_SUBSCRIPTION_ID}/resourceGroups/{MANAGED_APP_RG}/providers/Microsoft.Solutions/applications/{MANAGED_APP_NAME}/listTokens?api-version=2019-07-01" --headers Content-Type=application/json --body '{"authorizationAudience": "https://vault.azure.net"}' -o json
# 4. Use the returned access token against the Key Vault data plane to write the secret
curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer {ACCESS_TOKEN}" "https://{KEYVAULT_NAME}.vault.azure.net/secrets/secret1?api-version=7.1" -d '{"value": "secret1_value"}'
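The same flow as one script, added here as an example and not code from the original article: it assumes the listTokens response carries accessToken, authorizationAudience and expiresOn (unix seconds) fields, that arm_token is a publisher-tenant ARM token (for instance from az account get-access-token), and that the access policy from step 2 is already in place. pick_vault_token rejects tokens for any other audience and expired tokens; the sample response is constructed.

```python
import json
import time
import urllib.request
ARM = "https://management.azure.com"
VAULT_AUDIENCE = "https://vault.azure.net"

# Constructed sample listTokens response (assumed shape, not captured from a real tenant);
# only the third entry is for the vault audience and still valid at now=1000.
SAMPLE_LIST_TOKENS = {"value": [
    {"accessToken": "expired", "authorizationAudience": VAULT_AUDIENCE, "expiresOn": "100"},
    {"accessToken": "wrong-aud", "authorizationAudience": ARM, "expiresOn": "9999"},
    {"accessToken": "good", "authorizationAudience": VAULT_AUDIENCE, "expiresOn": "9999"}]}

def list_tokens_request(subscription_id, managed_app_rg, managed_app_name):
    # ARM call the publisher makes to obtain a token for the managed app's identity (step 3)
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{managed_app_rg}"
           f"/providers/Microsoft.Solutions/applications/{managed_app_name}"
           f"/listTokens?api-version=2019-07-01")
    return url, {"authorizationAudience": VAULT_AUDIENCE}

def pick_vault_token(list_tokens_response, now=None):
    # Accept only a non-expired token issued for the vault audience; expiresOn assumed unix seconds
    now = time.time() if now is None else now
    for tok in list_tokens_response.get("value", []):
        if tok.get("authorizationAudience") != VAULT_AUDIENCE:
            continue
        if float(tok.get("expiresOn", 0)) <= now:
            continue
        return tok["accessToken"]
    return None

def set_secret_request(vault_name, secret_name, secret_value, vault_token):
    # Key Vault data-plane PUT (step 4), authenticated with the identity's token, not the publisher's
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.1"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {vault_token}"}
    return url, headers, {"value": secret_value}

def http_json(method, url, headers, body):
    # Generic JSON round trip; the only part that touches the network
    req = urllib.request.Request(url, method=method, headers=headers, data=json.dumps(body).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def proxy_set_secret(arm_token, subscription_id, managed_app_rg, managed_app_name, vault, secret, value):
    # End to end: publisher ARM token -> listTokens -> vault token -> write the secret
    url, body = list_tokens_request(subscription_id, managed_app_rg, managed_app_name)
    arm_headers = {"Content-Type": "application/json", "Authorization": f"Bearer {arm_token}"}
    vault_token = pick_vault_token(http_json("POST", url, arm_headers, body))
    if vault_token is None:
        raise RuntimeError("listTokens returned no usable Key Vault token")
    return http_json("PUT", *set_secret_request(vault, secret, value, vault_token))
```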

Principal Engineer / Architect, FastTrack for Azure at Microsoft
