Encryption at Rest, MongoDB, Azure Key vault - unable to connect to your azure vault account - mongodb

Firstly, I am trying to connect my Azure Key Vault to my Encryption at Rest using your Key Management. I followed the guide in the MongoDB documentation, link https://docs.atlas.mongodb.com/security-azure-kms/
image from MongoDB Atlas Setup
What I've done so far, which hasn't worked:
I have set up the application and added the client secret, the application has the role "Azure key Vault Reader" assigned to it through the subscription.
I have set up the Key Vault under the same subscription as above, with its own resource group to match it, and generated the key.
The key has all the operations.
So I have the Application with Vault Key Reader access and the Key Vault containing the key.
Client(Application) ID is filled with info from the application.
Tenant ID is filled with tenant ID from the application.
Secret is created and stored in the application - is added. (Not the ID)
Subscription ID copied from key vault is added.
Resource group name copied from key vault is added.
Key Vault Name copied from key vault is added.
Lastly, the Key Identifier is copied from the vault and added.
Still I get this error - is there something wrong with the way I went about it?
I feel I have tried every combination of setup, but it seems like the credentials are set up in a wrong way, which I do not understand since it was all copied directly from Azure.
"We were unable to connect to your Azure Key Vault account. Please check your credentials and try again."

"We were unable to connect to your Azure Key Vault account. Please check your credentials and try again."
As per Matt Small's suggestion in the comment section, if we enable Azure Key Vault logging, we can check whether the issue is with wrong credentials, with the access policy, or network related.
If the issue is with access, we can provide the Key Vault Contributor role or add an access policy with get and list permissions for Keys and Secrets for the service principal (App Registration).
As per Hurup's comment, the Azure Key Vault Reader role was not enough and the role should not be under the Resource Group. Giving the Application a higher vault role and setting it under the subscription can resolve the issue.

I had the exact same issue. In the end I figured out that I did not have to create the role assignment 'Have an Active Directory Application with the role of Azure Key Vault Reader assigned to it.' on the Active Directory app, but on the Key Vault.
I followed the manual from MongoDB and then in a final step did:
Go to Key Vault
Select key vault
Select Access Control (IAM)
Select Grant access to this resource
Select role Key Vault Reader
Assign access to :User, group, or service principal
+Select Members
Type Application name
Review and assign...
After this I could save the settings on MongoDB to use encryption at rest.

Related

Azure Key Vault set secret PUT API deprecated?

I'm using the set secret PUT API https://myvault.vault.azure.net/secrets/mysecret/ to either create or update an existing secret in my key vault.
The API calls still work for me for now. I'm wondering whether there will be future changes to this API, as the documentation for it is no longer available online and there are only mentions of PowerShell commands?
Please check whether you are looking for this document, which you can find under the Key Vault blade > Secrets.
Set-secret:
PUT {vaultBaseUrl}/secrets/{secret-name}?api-version=7.2
This operation adds a secret to the Azure Key Vault. If it already exists, Azure Key Vault creates a new version of that secret. Needs secrets/set permission.
Update-secret:
PATCH {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.2
The UPDATE operation changes specified attributes of an existing stored secret. This operation requires the secrets/set permission.

Getting "Invalid Azure Credentials" trying to enable Mongo Atlas encryption at rest

I'm trying to configure Atlas with Customer Key Management
which seems fairly straightforward. However, if I create a new service principal/app registration in Azure to connect Mongo Atlas to my Azure key vault I get Invalid Azure Credentials as an error.
I create the service principal following this guide without any redirect URI. I tried all different account types but none worked for me. After creation, I create a new client secret and use it in the 'Secret'-field inside the Mongo Atlas UI.
What am I doing wrong?
I forgot to add the service principal as a Key Vault Reader to the subscription that holds the key vault.
Relevant documentation: https://www.mongodb.com/docs/atlas/security-azure-kms/#prerequisites
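Both answers above (assigning Key Vault Reader on the vault itself, and adding the service principal as Key Vault Reader on the subscription holding the vault) come down to the same two checks Atlas performs with the values typed into its form: can the Tenant ID, Client ID and Secret value obtain a token, and can that token read the Key Identifier. The script below is an added diagnostic, not MongoDB's or Microsoft's code, written against the public Azure AD token endpoint and the Key Vault REST API with the standard library only. The environment variable names, the `7.4` API version and the sample error bodies in the test are assumptions; a 200 on the second step proves only the credentials and the `keys/get` permission on that vault, so consult the current Atlas prerequisites for the key operations Atlas itself needs.

```python
"""Reproduce the two calls Atlas makes with the Key Vault values you enter.

Added diagnostic, not MongoDB's or Microsoft's code, standard library only.
Which step fails tells you which field or role assignment is wrong:
  1. client-credentials token request (Tenant ID, Client ID, Secret value);
  2. GET on the Key Identifier, which needs 'keys/get' on that vault
     (granted by Key Vault Reader at vault scope, or by an access policy).
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
API_VERSION = "7.4"  # Key Vault data-plane API version (assumption: any GA version works here)


def parse_key_identifier(key_id: str) -> dict:
    """Split https://<vault>.vault.azure.net/keys/<name>[/<version>] into its parts."""
    u = urllib.parse.urlparse(key_id)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or not u.hostname or len(parts) < 2 or parts[0] != "keys":
        raise ValueError(f"not a Key Vault key identifier: {key_id!r}")
    return {"vault": u.hostname, "name": parts[1],
            "version": parts[2] if len(parts) > 2 else None}


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """URL and form body of the client-credentials grant for the Key Vault data plane."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret VALUE, not its ID
        "scope": "https://vault.azure.net/.default",
    }).encode()
    return url, body


def error_fields(body: str):
    """Azure AD returns {"error": "<code>", ...}; Key Vault {"error": {"code", "message"}}."""
    try:
        err = json.loads(body).get("error", "")
    except (ValueError, AttributeError):
        return "", ""
    if isinstance(err, str):
        return err, ""
    return str(err.get("code", "")), str(err.get("message", ""))


def classify(stage: str, status: int, body: str) -> str:
    """Map a failed step to the Atlas field or Azure role assignment to fix."""
    code, message = error_fields(body)
    if stage == "token":
        return (f"credentials rejected by Azure AD ({code}): check Tenant ID, "
                "Client (Application) ID and the Secret value")
    if status == 403:
        return (f"authenticated, but forbidden on the vault ({code}: {message}): "
                "grant the service principal 'keys/get' on THIS vault (Key Vault "
                "Reader at vault scope, or an access policy), or open the vault "
                "firewall if the message mentions network")
    if status == 404:
        return f"Key Identifier not found ({code}): check vault name, key name and version"
    return f"unexpected HTTP {status} at {stage} ({code}: {message})"


def http(method, url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def check(tenant_id, client_id, client_secret, key_id) -> str:
    """Run both steps against Azure and return a one-line verdict."""
    parse_key_identifier(key_id)  # fail early on a malformed identifier
    url, body = token_request(tenant_id, client_id, client_secret)
    status, text = http("POST", url, body,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        return classify("token", status, text)
    token = json.loads(text)["access_token"]
    status, text = http("GET", f"{key_id.rstrip('/')}?api-version={API_VERSION}",
                        headers={"Authorization": f"Bearer {token}"})
    if status != 200:
        return classify("key", status, text)
    key = json.loads(text)["key"]
    return f"OK: {key['kid']} readable, kty={key['kty']}, key_ops={key.get('key_ops')}"


if __name__ == "__main__":
    # Assumed variable names; fill them with exactly the values you give Atlas.
    print(check(os.environ["AZ_TENANT_ID"], os.environ["AZ_CLIENT_ID"],
                os.environ["AZ_CLIENT_SECRET"], os.environ["AZ_KEY_IDENTIFIER"]))
```

A failure on the token step means the three identity fields, not the vault, are wrong (a common slip is pasting the secret's ID instead of its value). A 403 on the key step means the identity is fine and the permission model is the problem: with the RBAC model the role must be assigned at a scope that contains the vault, and with the legacy access-policy model an RBAC role does nothing and an access policy is required instead; the message text distinguishes that case from a vault firewall block.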

Storing Secret token information at runtime from ADF to Key Vault dynamically

I have a scenario for using Azure Key vault.
I have stored a refresh token in Key Vault, retrieved the token from Key Vault in ADF using the web activity, and called the service provider endpoint to generate the access token from the refresh token.
I want to store the generated access token from ADF in Key Vault. How can I do that?
I went through many articles but did not find any solution for storing information generated in ADF in Key Vault.
Any help is much appreciated.
Thanks
You can make a REST API call from Azure Data Factory using the web activity to store a secret in Azure Key Vault.
Here is the link for the REST API reference:
Sets a secret in a specified key vault.
The SET operation adds a secret to the Azure Key Vault. If the named secret already exists, Azure Key Vault creates a new version of that secret. This operation requires the secrets/set permission.
Set Secret - REST API (Azure Key Vault)
Learn more about [Key Vault Set Secret Operations].
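The Set Secret (PUT) and Update Secret (PATCH) calls quoted in the two answers above are the whole mechanism, so here is an added example, not Microsoft's or Data Factory's code, that builds and sends exactly those requests with the standard library. The helper functions return the method, URL and JSON body, which is what an ADF web activity needs; the bearer token for https://vault.azure.net is supplied by the caller (ADF obtains it from its managed identity, the script reads it from an assumed `KV_TOKEN` variable). The secret name `provider-access-token`, the other environment variable names and the one-hour expiry are assumptions.

```python
"""Create or roll a secret (PUT) and change its attributes (PATCH) over the Key Vault REST API.

Added example, not Microsoft's or Data Factory's code. The builders return the
same method, URL and body an ADF web activity would carry; a bearer token for
https://vault.azure.net is assumed to come from the caller (KV_TOKEN here).
"""
import json
import os
import re
import time
import urllib.error
import urllib.request

API_VERSION = "7.2"  # version quoted in the answer above
NAME_RE = re.compile(r"[0-9a-zA-Z-]{1,127}")  # Key Vault secret-name charset


def _secret_url(vault_base_url: str, name: str, version: str = None) -> str:
    # Validate instead of URL-encoding: a name built from runtime data must not
    # smuggle path segments or query parameters into the request.
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid secret name {name!r}")
    path = f"{vault_base_url.rstrip('/')}/secrets/{name}"
    if version:
        path += f"/{version}"
    return f"{path}?api-version={API_VERSION}"


def set_secret_request(vault_base_url, name, value, content_type=None, expires=None):
    """PUT {vault}/secrets/{name}: creates the secret or adds a NEW VERSION. Needs secrets/set."""
    body = {"value": value}
    if content_type:
        body["contentType"] = content_type
    if expires is not None:
        body["attributes"] = {"exp": int(expires)}  # Unix time; keep it short for an access token
    return "PUT", _secret_url(vault_base_url, name), body


def update_secret_request(vault_base_url, name, version, enabled=None, expires=None):
    """PATCH {vault}/secrets/{name}/{version}: changes attributes of one version, never its value."""
    attrs = {}
    if enabled is not None:
        attrs["enabled"] = bool(enabled)
    if expires is not None:
        attrs["exp"] = int(expires)
    return "PATCH", _secret_url(vault_base_url, name, version), {"attributes": attrs}


def version_from_id(secret_id: str) -> str:
    """The response 'id' is https://<vault>/secrets/<name>/<version>; return <version>."""
    return secret_id.rstrip("/").rsplit("/", 1)[-1]


def send(method, url, body, token):
    """Send one request; returns (status, parsed JSON or {'raw': text})."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        raw = e.read().decode()
        try:
            return e.code, json.loads(raw)
        except ValueError:
            return e.code, {"raw": raw}


if __name__ == "__main__":
    vault = os.environ["KV_URL"]                # e.g. https://myvault.vault.azure.net (assumed var)
    token = os.environ["KV_TOKEN"]              # bearer token for https://vault.azure.net (assumed var)
    access_token = os.environ["ACCESS_TOKEN"]   # value returned by the upstream provider (assumed var)

    # Store the provider's access token as a new version that expires in an hour.
    status, resp = send(*set_secret_request(vault, "provider-access-token", access_token,
                                            content_type="text/plain",
                                            expires=time.time() + 3600), token)
    print(status, resp.get("id") or resp)
    if status == 200:
        # Later (e.g. when the provider revokes the token) disable that version without deleting it.
        version = version_from_id(resp["id"])
        print(send(*update_secret_request(vault, "provider-access-token", version,
                                          enabled=False), token))
```

Inside the pipeline the same call is a web activity with method PUT, the URL that `set_secret_request` produces, body `{"value": "@{activity('GetToken').output.access_token}"}`, and MSI authentication with resource https://vault.azure.net; the factory's managed identity must then hold `secrets/set` on the vault (an access policy, or the Key Vault Secrets Officer role under RBAC). Because the token is in the request body, set the activity's policy `secureInput` and `secureOutput` to true so it is not written to the run output and monitoring logs.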

Creating Service Principal for a specific Azure user

In the quickstart it talks about creating a service principal for the current user. I want to have more of a hierarchical security structure. I would be the current user and I want to have "super-user" or admin rights to this key vault. However, I have created another user that would have lower access rights. For both of these scenarios I gather I need to generate a unique service principal name. How do I generate a service principal name for an arbitrary Azure user?
You can just create another service principal under your current account for this created user. You then only need to assign the lower access rights on the key vault to this service principal. The user can then access the key vault with this service principal, which has the lower access permission.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. You can create as many service principals as you want for different access permissions. If you want to generate a service principal under the created user account, you might have to log in as this created user. Otherwise, I am afraid it cannot be done.
You can also set the access permission for this user on this key vault directly, without using a service principal. See here
az keyvault set-policy --name keyVaultName --object-id userObjectId --secret-permissions permissions --key-permissions permissions
You can get the user's object ID with the command below (see here); with current Azure CLI versions the field is named id (older versions returned objectId):
az ad user show --id <email-address-of-user> --query id -o tsv

Azure Encoding Key

I use the enstratus management/orchestration platform and I need to add the encoding key from my Azure account into it, but I can't seem to find it. Can anyone point me in the right direction please?
Thanks
Read all about it here. The basic gist is you'll have to create your own certificate locally and upload it to your Azure account.
http://docs.enstratius.com/clouds/azure/configuration.html?highlight=azure
For the new version of Enstratus, Dell Cloud Management, follow this procedure:
To add your Amazon account, you need the following information:
Account number
Access key
Secret access key
AWS certificate
AWS private key
If you don't have that information, follow these instructions to get your AWS account information.
To generate a new access keypair and X.509 certificate via the AWS web console:
Navigate to "Security Credentials" under your AWS account name.
Click on Account Identifiers at the bottom to find your AWS Account ID. Copy it to a notepad.
Click on "Create New Access Key". Note that AWS allows only two active keypairs.
Copy the Access Key ID and Secret Access Key.
Click on X-509 Certificates.
Download the Private Key File and X.509 Certificate.
Return to DCM and enter your AWS Account ID, Access Key ID, Secret Access Key, Certificate and Private Key.
Click Connect Cloud Account.