Friday, 30 June 2017

Handling app secrets with Azure Key Vault and Jenkins

A typical scenario in application deployment is that app secrets such as passwords sit in config files. The best option is obviously to store them in a key vault, but if the code is already developed and we do not want to change it to read secrets from the vault, here is a trick we can use.

Azure Key Vault can be used to secure secrets, certificates and other sensitive data in the cloud. It is a service that lets users encrypt keys and store them: we can protect keys and secrets such as authentication keys, storage account keys, passwords, etc.

Here is a demonstration of how we can secure a DB password kept in a configuration file using Key Vault.

Pre-requisites:
- A subscription to Microsoft Azure
- Jenkins server
- Sample application where you have credentials stored in config files

Step 1 : Create "App registration"
1. Login to Azure portal
2. Go to More services and search for App registrations
3. Click on the New app registration button.
Enter the following information:
Name: <Enter Application Name>
Application type: Web app / API
Sign-on URL: <http://localhost:12345>
For more information you can check the Azure documentation.


Once we complete the registration, Azure assigns our application a unique Application ID. Copy this Application ID and also copy the App Secret; we need both in the Jenkins configuration.

Step 2 : Create Azure Key Vault
1. Login to Azure portal
2. Click on New → Security + Identity
3. Choose Key Vault
4. Click on Add.
Create a new Key Vault and fill in the appropriate information in the given blade.
For authorisation purposes we need to add a service principal to the key vault; for this we will be using our app 'azure_vault_auth'. Go ahead and type the app name in Service principal. Also grant the permissions required in Access policies (for reading a secret the Get permission on secrets is enough; avoid granting more than the build needs).



Step 3 : Adding your secrets to Azure Key Vault
1. Go to the key vault you created.
2. Select Secrets under Settings
3. Create a secret. Provide the name and value of the secret.

Check that the secret was created.

Now we have added our secret to Azure Key Vault. Next we need to integrate Azure Key Vault with Jenkins.

Step 4: Install and configure the Azure Key Vault plugin in Jenkins

1. Compile the Azure Key Vault plugin
#cd azure-keyvault-plugin/
#apt-get install maven
#mvn install -DskipTests
#cd target/

After compilation we get an .hpi file, which is the Jenkins plugin file. It can be found in the target folder; we will upload it to Jenkins now.
We can ignore the rest of the content here; we just need the azure-keyvault.hpi file.
Copy it to the home folder of the user you are logged in as:
#cp azure-keyvault.hpi /home/ubuntu/

Copy azure-keyvault.hpi to your local machine.
Note: You can perform this build on the local machine itself and upload the plugin to Jenkins from there.

2. Install the Azure Key Vault plugin
Login to the Jenkins server
Go to Manage Jenkins -> Manage Plugins -> Advanced
Upload the azure-keyvault.hpi file from the local machine.

Save the changes.
Click on Restart Jenkins after the plugin is installed.

3. Configure the Azure Key Vault plugin

Manage Plugin → Configure System → Azure Key Vault Plugin

Provide the following information as per your Azure account and key vault:
Key Vault URL: The URL at which your Key Vault is located (e.g. https://YOURKEYVAULT.vault.azure.net)
Application ID: An Application ID in Azure Active Directory that has permission to access Key Vault.
Application Secret: An authentication token used by your Application ID to access Azure Active Directory

Save changes.

Add Environment Variable:
Manage Plugin → Configure System → Global Properties
Add a variable "DB_URL" (or any name you want) and give it a dummy value. This value will be replaced by the Azure Key Vault value at build time.


Step 5 : Configure a sample Jenkins job
1. Go to the Jenkins dashboard and click on New Item.
2. Select Freestyle project
3. In Source Code Management:
Choose Git
Provide the repository and credentials for the sample project.
4. Build Environment:
Choose Azure Key Vault Plugin.
Provide information such as the secret type, key name and version of the key.

5. We have stored our config file in GitLab, but we have replaced secrets such as the database URL and password with variables like DB_URL and DB_PWD.
In Jenkins we will substitute the actual value from Azure Key Vault while performing the build.

Sample config.properties file is as below:
DBserver = DB_URL
DBUser = testuser

Build:
Execute shell
cd $WORKSPACE/src
sed -i "s@DB_URL@$DB_URL@g" app.properties

You can have any config file in key-value pairs or any other format. Just keep the secrets as variable names, which Jenkins will replace with the actual values from Key Vault.
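The sed one-liner above works for simple values, but it has sharp edges a practitioner will hit: '@' is the sed delimiter and '&' is the sed back-reference, so a password containing either one breaks the expression or writes the wrong value; a bare token like DB_URL is also rewritten inside longer names such as OLD_DB_URL; and if the plugin fails to inject the secret, the dummy value from Global Properties is silently substituted instead. The script below is an added example (it is not code from the original post or from the Azure Key Vault plugin) that replaces the "Execute shell" step with a literal, whole-word substitution and fails the build on those conditions. It keeps the post's convention that each placeholder is resolved from an environment variable of the same name; the function names, the sample file contents and the secret values are constructed for the example, and it assumes a POSIX sh with awk and a grep that supports -w (GNU or BSD).

```shell
#!/bin/sh
# Added example; not code from the original post or from the Azure Key Vault
# plugin. A hardened stand-in for the post's "Execute shell" step: replace the
# placeholder tokens (DB_URL, DB_PWD) in a properties file with the values the
# plugin exported as environment variables of the same name.
# Compared with  sed -i "s@DB_URL@$DB_URL@g"  this
#   1. treats the secret as a literal string, so '&', '\', '@' or '/' in a
#      password can neither corrupt the file nor alter the expression,
#   2. replaces the token only as a whole word (OLD_DB_URL is left alone),
#   3. fails the build if a token is still unresolved or if the dummy value
#      from Jenkins' Global Properties reached the file (plugin did not inject),
#   4. never prints the rendered file, so secrets stay out of the console log.
set -eu

# replace_token FILE TOKEN VALUE
# Literal whole-word replacement in awk. VALUE travels via the environment
# (ENVIRON) instead of -v, because awk applies backslash-escape processing to
# -v assignments and would mangle a secret containing '\'. TOKEN is a plain
# identifier, so -v is safe for it.
replace_token() {
    _file=$1 _token=$2
    _tmp=$(mktemp)
    if REPL_VALUE=$3 awk -v tok="$_token" '
        function is_word_char(c) { return c ~ /[A-Za-z0-9_]/ }
        BEGIN { val = ENVIRON["REPL_VALUE"]; n = length(tok) }
        {
            line = $0; out = ""; prev = ""
            while ((i = index(line, tok)) > 0) {
                before = (i > 1) ? substr(line, i - 1, 1) : prev
                after  = substr(line, i + n, 1)
                chunk  = substr(line, 1, i - 1)
                if (is_word_char(before) || is_word_char(after)) {
                    out = out chunk tok      # part of a longer identifier: keep
                } else {
                    out = out chunk val      # standalone placeholder: replace
                }
                prev = substr(tok, n, 1)     # last original character consumed
                line = substr(line, i + n)
            }
            print out line
        }' "$_file" > "$_tmp"; then
        cat "$_tmp" > "$_file"   # write through, keeping the file's permissions
        rm -f "$_tmp"
    else
        rm -f "$_tmp"; return 1
    fi
}

# check_resolved FILE TOKEN DUMMY
# Return 1 if TOKEN survives as a whole word (substitution did not happen) or if
# DUMMY, the placeholder value from Global Properties, is present in the file.
check_resolved() {
    _file=$1 _token=$2 _dummy=$3
    if grep -qw -- "$_token" "$_file"; then
        echo "ERROR: placeholder $_token is still present in $_file" >&2
        return 1
    fi
    if [ -n "$_dummy" ] && grep -qF -- "$_dummy" "$_file"; then
        echo "ERROR: dummy value for $_token reached $_file; Key Vault plugin did not inject the secret" >&2
        return 1
    fi
    return 0
}

# render_config FILE DUMMY TOKEN...
# For each TOKEN, read the environment variable of the same name (the post's
# convention: placeholder DB_URL <- $DB_URL), refuse to continue if it is unset
# or still equals DUMMY, substitute it, and verify the result.
render_config() {
    _cfg=$1 _dummyval=$2; shift 2
    for _t in "$@"; do
        case $_t in                      # only identifiers may reach eval
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "ERROR: '$_t' is not a valid variable name" >&2; return 1 ;;
        esac
        eval "_v=\${$_t-}"               # value of the variable named by _t
        if [ -z "$_v" ] || [ "$_v" = "$_dummyval" ]; then
            echo "ERROR: $_t is unset or still holds the dummy value" >&2; return 1
        fi
        replace_token "$_cfg" "$_t" "$_v"
        check_resolved "$_cfg" "$_t" "$_dummyval"
    done
}

# Constructed demo (not from the post): the post's sample file plus a password
# line and an identifier that merely contains the token. In a real job DB_URL
# and DB_PWD are set by the Azure Key Vault plugin; here they are made up.
demo_file=$(mktemp)
printf 'DBserver = DB_URL\nDBUser = testuser\nDBPassword = DB_PWD\nbackup = OLD_DB_URL\n' > "$demo_file"
export DB_URL='jdbc:sqlserver://db.example.test:1433;user=svc'
export DB_PWD='p@ss&w\ord/1'
render_config "$demo_file" 'changeme' DB_URL DB_PWD
echo "rendered $(wc -l < "$demo_file") lines into $demo_file (contents deliberately not printed)"
rm -f "$demo_file"
```

In the Jenkins job the three functions go into the "Execute shell" step and the demo section is replaced by `cd $WORKSPACE/src` followed by `render_config app.properties changeme DB_URL DB_PWD`, where the second argument is whatever dummy value was entered under Global Properties. Because the functions return non-zero on an unresolved or dummy-valued token, a build whose Key Vault lookup failed stops instead of deploying a file with a placeholder in it.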


We can secure our application secrets without changing the application. If you have the flexibility to change the application, you can instead have it read secrets directly from Azure Key Vault.

14 comments:

  1. Nice, thanks! Not being familiar with Jenkins, what is not clear to me is whether it is possible to integrate a Jenkins server with multiple Azure Key Vaults (via multiple plugins, or any other way)? Typically in large enterprises, secrets will be partitioned across applications by using multiple Key Vaults. Trying to understand whether that scenario can be supported?

  2. Hi Sujay,
    Yes, I agree with your comment. It is a typical scenario where one application has multiple key vaults with different authorisation levels. The plugin we used has a provision to override the default key vault URL to integrate multiple key vaults for a single application. Hope this clarifies your query. I would like to know if you need more information on this. I am reachable at pravin.magdum@crevise.com
