Interacting with Key Vault from Logic Apps securely
When you are building out different Logic Apps (or Microsoft Sentinel Playbooks), it’s a best practice to never expose your passwords or API keys in plain text within your Logic Apps. If you do, every user or administrator with read access to your environment will have access to your keys. To better protect your environment, you should be using Azure Key Vault. In this blog post, I’ll provide an introduction to Azure Key Vault, how to set it up securely and how to interact with it from within a Logic App.
Introduction into Azure Key Vault
Azure Key Vault is an Azure resource in which you can securely store secrets, keys and certificates. It provides granular access control and extensive logging, which makes it well suited to protecting API keys. While Azure Key Vault is hosted on the Azure platform, it can also be used by scripts or services running on-premises (or in another cloud).
Setting up an Azure Key Vault is extremely easy as it requires little to no configuration initially. During the setup, you’ll be asked to enable or disable purge protection. Purge Protection is a feature which will retain the vault and its secrets if it is deleted from the Azure Portal. I recommend enabling this as it protects you from a malicious actor or disgruntled employee deleting the vault.
After the vault is created, it’s time to create your first secret. Select Secrets in the blade on the left-hand side and click Generate/Import to create a new secret. After you click Create, the secret will be saved to the vault.
After you have saved your secrets within the Key Vault, you are ready to retrieve them in your Logic App. In order to retrieve secrets, the Logic App needs to authenticate to the Key Vault first. This can be done in three different ways:
- User account authentication
- Service Principal Authentication
- Managed Identity Authentication
The first method, authenticating through a user account, is something I do not recommend as this binds the Logic App to your account. If your account gets removed or you update your credentials, the Logic App stops working.
The second and third options are pretty similar in that both authenticate by using an app registration which is created within Azure Active Directory. If you use Service Principal Authentication, you will have to manually create a new app registration and create the correct secrets in order to log in with it.
By using a Managed Identity, the Logic App will create an enterprise application itself and will manage the secrets itself. This means you don’t have to worry about rotating the secret; this will be done by the Logic App.
Because a Managed Identity means you have one less app registration to worry about, I recommend using a Managed Identity wherever possible. In order to create a Managed Identity, you need to enable it on the Logic App. Navigate to Identity, change the Status to On and confirm the creation of the managed identity.
After you have enabled the Managed Identity within the Logic App, you’ll need to configure the Key Vault to allow the Logic App to retrieve secrets. Configuring who has access to the Key Vault happens through Access Policies. Within an access policy you can configure which principal receives specific permissions. They allow for extremely granular configuration, which lets you specify that the Logic App can retrieve secrets but can’t delete or edit them.
In order to configure access policies, navigate to the Key Vault and select Access policies in the left hand menu. Select Add Access Policy to provide access to a new principal.
Then you have the option to add an access policy. Our Logic App only needs to retrieve a secret, so you’ll have to select the Secret Permissions – Get permission. In order to select the correct principal, search for the Managed Identity of our Logic App (the name of the Managed Identity is the same as the name of the Logic App). After selecting the correct principal, click Add.
While you might think the configuration is done now, it’s important to commit your changes by clicking save at the top of your screen. If you don’t save your changes, the access policy will not be updated.
After you have provided the Logic App with least-privileged access, it’s best practice to validate the other access policies and check if they are required. The creator of a Key Vault automatically receives full control over the Key Vault. I prefer to completely remove my own permissions on the Key Vault as I don’t need access to the secrets themselves. You can delete your user from the Key Vault entirely. If you need to view or update secrets at a later stage, you can always create a new access policy and provide the correct permissions.
Key Vault Firewall
Even though we have limited access to the Key Vault to specific authenticated principals by using Access Policies, it’s also recommended to enable the Firewall to ensure requests to the Key Vault only come from specific networks.
By default, a Key Vault will accept traffic from every network, which isn’t something you want. Each Azure Key Vault has a built-in Firewall which allows you to configure from which locations it’s accessible. There are multiple configurations possible:
- Allow Azure Virtual Network
- Configure Private Endpoints
- Allow Public IP addresses
As Logic Apps don’t integrate with virtual networks or private endpoints by default (this requires the Standard plan), we’ll configure the firewall to allow the outgoing IP addresses of our Logic App.
Each Logic App has a couple of predefined IP addresses it’ll use to go out to the internet. These are static and will not change regularly. If Microsoft does update them, you’ll be notified through email.
In order to retrieve these IP addresses, navigate to your Logic App, select properties and find the Connector outgoing IP addresses. Copy these to your clipboard and navigate to the Key Vault.
Within the Key Vault, select the networking tab and configure the following settings:
- Update the Allow access from setting to selected networks
- Add the IP addresses you retrieved from the Logic App
- Click Save
Now the Key Vault is secured in two ways:
- It will only accept connections coming from the Logic App
- Before the Logic App is allowed to interact with the Key Vault it’ll need to authenticate using the Managed Identity (configured in the Access Policy).
Note: If you want to interact with secrets in the Key Vault through the Azure Portal, you’ll have to whitelist your own public IP as well.
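As an added example (not code from the original post), the following Python check audits a vault against the recommendations above: purge protection on, firewall denying by default, the Logic App identity holding only Secret – Get, and every other access policy flagged for review. It assumes the JSON shape returned by `az keyvault show -o json`; the sample vault, object IDs and IP address are constructed placeholders.

```python
import json

# Constructed sample in the shape `az keyvault show -o json` returns, trimmed to the
# properties this check needs; object IDs and the IP are placeholders, not real values.
SAMPLE_VAULT = json.loads("""
{
  "name": "kv-playbooks-example",
  "properties": {
    "enablePurgeProtection": true,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-00000000aaaa",
       "permissions": {"secrets": ["Get"], "keys": [], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-00000000bbbb",
       "permissions": {"secrets": ["Get", "List", "Set", "Delete", "Purge"],
                       "keys": ["Get", "Create", "Delete"], "certificates": ["Get", "List"]}}
    ],
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                    "ipRules": [{"value": "203.0.113.10/32"}]}
  }
}
""")

# Assumed object ID of the Logic App's managed identity (placeholder).
LOGIC_APP_PRINCIPAL = "00000000-0000-0000-0000-00000000aaaa"


def audit_vault(vault, logic_app_principal):
    """Return findings as strings; an empty list means the vault matches the recommendations."""
    findings = []
    props = vault.get("properties", {})

    # Purge protection keeps a deleted vault and its secrets recoverable.
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is disabled")

    # The firewall should only allow the Logic App's outgoing IPs (defaultAction Deny).
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("firewall defaultAction is Allow: the vault accepts traffic from every network")

    # The Logic App identity needs exactly secrets/get; every other policy deserves a review.
    for policy in props.get("accessPolicies", []):
        perms = policy.get("permissions", {})
        granted = {k: sorted(p.lower() for p in v) for k, v in perms.items() if v}
        oid = policy.get("objectId")
        if oid == logic_app_principal:
            if granted != {"secrets": ["get"]}:
                findings.append(f"Logic App identity {oid} holds more than secrets/get: {granted}")
        else:
            findings.append(f"extra principal {oid} holds {granted}; confirm it is still required")
    return findings
```

Run it against the sample and it reports the open firewall and the second (creator-style) policy, while the Logic App identity passes.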
Retrieving the secret
With all of the permissions and security set up, it’s time to retrieve the secret in the Logic App. To do so, create a new action and use the Get secret action.
As discussed before, we need to decide on the way of authenticating to the Key Vault. As we have set up a Managed Identity, choose Connect with managed identity.
After you have selected the correct authentication method, you’ll need to add a few details before you are able to authenticate. Provide the following information and select create.
- Connection name: Name used for the API connection resource which will be created. The exact name is up to your choosing. I like to include the fact that this is a connection with a Managed Identity and the vault it connects to.
- Vault name: Exact name of the Key Vault you want to authenticate to
After you have created the connection, you provide the name of the secret you wish to retrieve. As we have only provided the Secret – Get permission and not the Secret – List, we can’t see a list of all available secrets within this Key Vault. In order to choose the correct secret, we’ll need to choose Enter custom value and provide the secret name manually.
With all of this configured, you are ready to use the secret in the subsequent steps of your Logic App. One thing to watch out for is that the secret will be logged in plain text throughout the run history. This means that everybody with read permission on the Logic App will be able to view the secret.
In order to avoid this, we can configure a setting called ‘secure output’, which is available for this Logic App action. By enabling secure output, we ensure that the output of this step is obfuscated, and the secret will be obfuscated everywhere you use it.
To configure secure output, select the settings for the get secret step and enable secure outputs.
By configuring this setting, you’ll notice the output is obfuscated for everybody viewing the Logic App run history.
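As an added example (not code from the original post), the following Python check reads a workflow definition as shown in the Logic App code view and flags any Key Vault secret action whose outputs are not secured, or whose connection does not authenticate with a managed identity. The sample definition is constructed, with placeholder subscription, resource group and connection names.

```python
import json
import re
# Constructed sample of a workflow definition (Logic App code view), trimmed to one Key Vault
# "Get secret" action; subscription, resource group and names are placeholders.
SAMPLE_WORKFLOW = json.loads("""
{
  "definition": {
    "actions": {
      "Get_secret": {
        "type": "ApiConnection",
        "inputs": {
          "host": {"connection": {"name": "@parameters('$connections')['keyvault']['connectionId']"}},
          "method": "get",
          "path": "/secrets/@{encodeURIComponent('api-token')}/value"
        },
        "runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}
      },
      "HTTP": {"type": "Http", "inputs": {"method": "POST", "uri": "https://example.invalid/"}}
    }
  },
  "parameters": {
    "$connections": {
      "value": {
        "keyvault": {
          "connectionId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/connections/keyvault-msi",
          "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}}
        }
      }
    }
  }
}
""")
CONNECTION_REF = re.compile(r"\$connections'\)\['([^']+)'\]")

def audit_workflow(workflow):
    """Return findings for Key Vault secret actions that leak outputs or skip the managed identity."""
    findings = []
    connections = workflow.get("parameters", {}).get("$connections", {}).get("value", {})
    for name, action in workflow["definition"].get("actions", {}).items():
        inputs = action.get("inputs", {})
        if action.get("type") != "ApiConnection" or not inputs.get("path", "").startswith("/secrets/"):
            continue  # only Key Vault secret retrievals are of interest here
        secured = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
        if "outputs" not in secured:
            findings.append(f"{name}: secure outputs is off, the secret appears in run history")
        match = CONNECTION_REF.search(inputs.get("host", {}).get("connection", {}).get("name", ""))
        conn = connections.get(match.group(1), {}) if match else {}
        auth = conn.get("connectionProperties", {}).get("authentication", {}).get("type")
        if auth != "ManagedServiceIdentity":
            findings.append(f"{name}: connection does not use a managed identity (authentication={auth})")
    return findings
```

On the sample, the connection passes (managed identity) but Get_secret is flagged because only its inputs are secured.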
While setting up new Logic Apps is relatively easy, there is a lot you need to keep in mind while using secrets or API tokens throughout. By using an Azure Key Vault and locking it down, you’ll ensure your Logic Apps stay secure.
Thank you – it was very helpful