Genpact Cora Knowledge Center

Support

Fetch secret values from the Azure Key Vault

V9.6.1

Overview

You can use an Azure Key Vault to securely store tokens, passwords, certificates, and other secret values like connection strings. It also helps you to manage encryption keys and certificates. With Azure Key Vault there are almost no chances that secret values may be accidentally leaked as the values are no longer stored in the Cora SeQuence application configuration files. 

Functionality

The Azure Key Vault keeps secure your secret values in the configuration files and prevents them from getting accidentally leaked or stolen. 

To apply these configurations, use the Set-CoraSeQuenceApplicationConfiguration PowerShell function.

Prerequisites

You need to have an Azure Key Vault to store the secrets. In addition, you need to create an Azure Active Directory Application and service principal that is used to access the secrets. You also need to create a secret for the application. 

For the key vault you have created for the service principal, grant a minimum of “Get” and “List” permissions using the access policy. 

Add the following environment variables on the Cora SeQuence machine:

Environment variableDescription
AZURE_TENANT_IDthe ID of the tenant (directory) where the AD application is registered
AZURE_CLIENT_IDthe ID of the application (client) that you created to read the secrets
AZURE_CLIENT_SECRETthe secret for the Azure Active Directory application
SEQ_KEYVAULT_NAMEthe name of the key vault that holds the secrets
ENV_PREFIX (Optional)the prefix for the names of the secrets in the vault

Make sure to follow the exact naming convention for all the environment variables.

Using the Azure Key Vault configurations

You can use the following Azure Key Vault configurations to pull secret information from an Azure Key Vault. 

Azure Key Vault configuration nameParent configurationSecret
AzureKeyVaultFilesStorageConnectionNone
  • Credentials: Cora SeQuence encrypted credentials to connect to the database
  • Connection string: the connection string to the Cora SeQuence database.
AzureKeyVaultPersistence
AddFilesStorageConnection
filesStorage-storageProviders-<name of provider>-connection-connection string to the storage provider
The Name of the provider must be same as the name configured in the application.
AzureKeyVaultOpenIdConnect
OpenIdConnect
identity-openIdConnect-ClientSecret

The system automatically applies the matching standard configurations for Azure Key Vaults however, you need to provide token values of the standard configuration. Parent configurations indicate that additional transformations will take place. While applying configurations, provide the tokens required by the parent configurations.