0
votes

It seems that Azure Key Vault doesn't support access policies assigned to groups; only ones assigned to users or service principals. It also supports a maximum of 10 access policies per key vault, which means I can't assign all of the people I want to have access individually.

I don't want to pass client secrets around to all developers. In the case of a deployed application, passing a single client secret so that the code can authenticate as a service principal and then get secrets is fine.

Developers authenticate to AAD via NTLM/Kerberos (via ADFS) to get an access token (not via a client secret). By acquiring this access token, they should be able to access securely stored forms of all other secrets required to run our application (just like the production code does when authenticating as a service principal).

How can I accomplish this?

1 Answer

3
votes

Edit: Groups can now be associated with Key Vault access policies. Just specify the group's object ID where you would normally put the user object ID or the service principal object ID.

This is a bit of a painful work-around, but...

You could write a fairly simple app that adds a layer on top of Key Vault. This app (which could be a web app, an API or both) would be set up to use Azure AD for authentication, and would check the caller's group membership to determine whether they should have access to a given secret. If so, the app would retrieve the secret from Key Vault and pass it along to the requester. (The app's service principal would be the one authorized on the Key Vault.)