0
votes

I have a Java spring boot application (war) which is containerised and runs on Kubernetes in Microsoft Azure.

Recently we moved all our passwords to Azure Key Vault to make it all secure, but now the question arises: where to store the password (service principal key) for Azure Key Vault itself?

Also, key vault credentials (service principals) are environment specific for DEV, UAT and PROD environments.

I thought about encrypting the password, but then the question is where to put the encryption key? There has to be at least one starting point where the password is stored less securely.

Also, I do not want to use any third-party libraries which are not from a trusted source, e.g. Jasypt is out of the question.

Any ideas?

1
I don't know how Key Vault works, but your deploy agent should fetch the application key from the vault during deployment, it should deploy the application, start it and feed the key into the application during startup as a parameter. But you have not disclosed what build system you are using, Jenkins, Travis, Azure DevOps, etc. etc. - Toerktumlare

1 Answer

1
votes

One way is to store the Key Vault ID, Secret and URI in environment variables of your web app. A more secure way would be to use Managed Service Identities, where you just use the Key Vault name and your application connects to Key Vault if appropriate permissions for the web app are given on Azure. This way you can fetch your Key Vault variables with ease and in a much more secure way. Read more here: https://docs.microsoft.com/en-us/samples/azure-samples/app-service-msi-keyvault-dotnet/keyvault-msi-appservice-sample/
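To make the two options in the answer concrete for the Spring Boot application in the question, here is an added example (my own code, not the answerer's and not from the linked .NET sample). It uses the official Azure SDK for Java: `DefaultAzureCredential` tries the environment-variable service principal (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`) and, when those are absent, a managed identity, so the same code works in both setups and the only per-environment value the app needs is the vault name. The `azure-identity` and `azure-security-keyvault-secrets` dependencies, the `KEY_VAULT_NAME` and `DB_PASSWORD_SECRET_NAME` environment variables, the package name and the bean names are all assumptions for this example.

```java
// Added example, not code from the question or the answer.
// Assumes Maven/Gradle dependencies com.azure:azure-identity and
// com.azure:azure-security-keyvault-secrets, and the environment variables
// KEY_VAULT_NAME (required) and DB_PASSWORD_SECRET_NAME (required).
package com.example.config; // hypothetical package name

import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeyVaultConfig {

    private static final Logger log = LoggerFactory.getLogger(KeyVaultConfig.class);

    /** Reads a required environment variable or fails fast at startup. */
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Environment variable " + name + " is not set");
        }
        return value;
    }

    /**
     * Credential used to talk to Key Vault. DefaultAzureCredential checks, in order,
     * the AZURE_* environment variables (the "less secure" option from the answer),
     * then a managed identity (the recommended option). No secret is read by this code:
     * if AZURE_CLIENT_SECRET is absent, the managed identity path is used.
     */
    @Bean
    public TokenCredential keyVaultCredential() {
        if (System.getenv("AZURE_CLIENT_SECRET") != null) {
            // Startup check: make it visible that a long-lived secret is in use so that
            // DEV/UAT/PROD configurations that still carry one are easy to spot.
            log.warn("AZURE_CLIENT_SECRET is set; using a client secret instead of a managed identity");
        } else {
            log.info("No client secret in environment; relying on managed identity for Key Vault");
        }
        return new DefaultAzureCredentialBuilder().build();
    }

    /** Key Vault client. Only the vault name differs between DEV, UAT and PROD. */
    @Bean
    public SecretClient secretClient(TokenCredential credential) {
        String vaultName = requireEnv("KEY_VAULT_NAME");
        return new SecretClientBuilder()
                .vaultUrl("https://" + vaultName + ".vault.azure.net")
                .credential(credential)
                .buildClient();
    }

    /**
     * Example consumer: the database password is fetched from the vault at startup
     * and exposed as a bean, so it never appears in application.properties or the image.
     */
    @Bean
    public String databasePassword(SecretClient secretClient) {
        String secretName = requireEnv("DB_PASSWORD_SECRET_NAME");
        return secretClient.getSecret(secretName).getValue();
    }
}
```

With this wiring the container image is identical for every environment; the Kubernetes manifest supplies `KEY_VAULT_NAME` (and, only where a managed identity is not yet available, the `AZURE_*` variables from a Kubernetes Secret). On AKS the managed-identity path requires the pod to be bound to an Azure identity (for example through workload identity), and the vault's access policy or RBAC role must grant that identity `get` on secrets; if either is missing, `getSecret` fails with an authentication or authorization error at startup rather than at first use, which is the behaviour you want.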