Handling app secrets with Azure Key Vault and Jenkins

Typical scenario in application deployment is to secure app secrets in config files like passwords. It is best to use key vaults to store them obviously, however if we have code already developed and don’t want to make changes in code to consume secrets from vault here is a trick we can use.

Azure key vault can be used to secure secrets and certificates and sensitive data in cloud. Azure key Vault is a service that allows users to encrypt keys and store them.We can encrypt keys and secrets such as authentication keys,storage account key,password,etc.

Here, is demonstration of how we can secure db password using key vault in configuration file.

Pre-requisites:

-       A subscription to Microsoft Azure.

-       Jenkins server

-       Sample application where you have credentials stored in config files

Step 1 : Create “App registration”

1.Login to Azure portal

2.Go to more services and search app registrations

3.Click on New app registration Button.

Enter Following Information:

Name: <Enter Application Name>

Application type : Web App /API

Sign-On URL : <http://localhost:12345>

For more information you can check azure Document .

Once we complete registration , Azure assigns our application a unique Application ID .Copy this Application ID , Also copy App Secret . we need this in Jenkins configuration.

Step 2 : Create Azure key Vault

1.Login to Azure portal

2. Click on New → Security + Identity

3. Choose Key Vault

4.Click On Add.

Create New Key Vault.Fill Appropriate information in given blade.

For Authorisation purpose , we need to add service principle to key vault. for this we will be using our app ‘azure_vault_auth’. Go ahead and type app name in service principle .Also give permission as required in access policies

Step 3 : Adding Your secrets to Azure Key Vault

1.Go to key vault you created.

2.Select Secrets Under Settings

3.Create secret key.Provide Name and value of key.

Check Key created.

Now, We have added our secret key in azure Key vault.We need to integrate Azure Key Vault with Jenkins.

Step 4: Install and configure azure key vault plugin in jenkins

1.Compile Azure vault plugin

#git clone https://github.com/mbearup/azure-keyvault-plugin.git

#cd azure-keyvault-plugin/

#apt-get install maven

#mvn install -DskipTests

#cd target/

After compilation we will get hpi file which is jenkins plugin file. This hpi file can be found in target folder . we will upload this to jenkins now.

Here , we can all content ,We just need azure-keyvault.hpi file.

Copy it to home folder of user you are logged in:

#cp azure-keyvault.hpi /home/ubuntu/

Copy azure-keyvault.hpi on local machine.

Note: You can perform this build operation on local machine itself and upload plugin to jenkins.

2. Install Azure vault plugin

Login to jenkins server

Go to manage jenkins -> manage plugin -> Advanced ->

Upload azure-keyvault.hpi file from local machine.

Save the changes.

Click on restart Jenkins after plugin is installed.

3.Configure Azure vault plugin

Manage Plugin → configure system → Azure Key Vault Plugin

Provide following information as per your azure account and key vault:

  Key Vault URL:The URL at which your KeyVault is located (e.g. https://YOURKEYVAULT.vault.azure.net)

 Application ID: An Application ID in Azure Active Directory that has permission to access Key Vault.

 Application Secret : An authentication token used by your Application ID to access Azure Active Directory

Save changes.

Add Environment Variable :

Manage Plugin → Configure system →Global Properties

Add variable “DB_URL” or anything you want.Provide dummy value to it.This value will be replaced by azure key vault value.

Step 5 : Configure Sample Jenkins Job

1.Go to the Jenkins dashboard and Click on New Item.

2.Select FreeStyle project

3. In Source Code management:

Choose Git project

Provide Repository and Credentials for sample project.

4. Build Environment:

Choose  Azure Key Vault Plugin.

Provide information such as secret type ,key name and version of key.

 5. We have stored our config file in gitlab . but we have replaced secret keys such as Database URL , password with variable like DB_URL ,DB_PWD .

In jenkins , we will replace actual value of azure key while performing build.

Sample config.properties file is as below:

DBserver = DB_URL

DBUser = testuser

Build:

Execute shell

cd $WORKSPACE/src

sed -i "s@DB_URL@$DB_URL@g" app.properties

You can have any config file in key value pair or anything else.Just keep secrets as variable names , which will be replaced by actual value from key vault by jenkins.

We can secure our application secrets without changing application.If you are flexible to change application then you can go for it with azure key vault.