Use Azure Key Vault with Arcion #
Azure Key Vault offers cloud service for storing and accessing secrets such as usernames, passwords, and various database credentials.
Arcion supports Key Vault as a secrets management service from version 23.08.31.1. This page discusses how Arcion works with Azure Key Vault and the configuration for accessing the secrets.
Overview #
Arcion uses the concept of namespaces to authenticate with Azure Key Vault and access secrets in key vaults. You can define multiple namespaces, and have access to multiple key vaults and the secrets in those key vaults.
Authentication with Key Vault #
Arcion uses Azure Active Directory (Azure AD) authentication to authenticate with Azure Key Vault and access its secrets.
Arcion requires the following credentials to use Azure AD authentication:
- Tenant ID
- The unique identifier of the Azure AD instance. Specify the tenant ID with the
tenant-idparameter in the secrets management configuration file. - Client ID
- The unique identifier Azure AD assigns to Arcion. Specify the client ID with the
client-idparameter in the secrets management configuration file. - Client secret
- The secret key Arcion uses when communicating with Azure AD. Specify this secret key with the
client-secretparameter in the secrets management configuration file.
Configure Key Vault details #
You can optionally choose to use a YAML configuration file that specifies details about the secrets and how to retrieve them. Without the the secrets management configuration file, Arcion looks for authentication credentials in environment variables. For more information, see the Azure Key Vault tab in Configure secrets management details.
The configuration file contains the following parameters:
type
#
The secrets management service you’re using. For Azure Key Vault, set this to AZURE.
use-password-rotation
#
{true|false}.
Enables or disables password rotation.
Default: false.
cache-refresh-max-retries
#
The maximum number of cache retries Replicant performs to retrieve secrets from Azure Key Vault caching system.
Default: 20.
namespaces
#
Contains the following details:
- The key vault name in Azure Key Vault.
- The credentials necessary to access the secrets.
Arcion considers the first part of the key vault name a namespace. For example, consider the following two names and how Arcion interprets the corresponding namespaces in the secrets URI and the secrets management configuration file:
| Key vault name | Namespace |
|---|---|
mysql_src |
mysql_src |
mysql_prod/connection |
mysql_prod |
Under each namespaces definition, specify the authentication credentials so that Arcion can access the key vault. For example:
namespaces:
mysql_src:
tenant-id: TENANT_ID
client-id: CLIENT_ID
client-secret: CLIENT_SECRET
mysql_dst:
tenant-id: TENANT_ID
client-id: CLIENT_ID
client-secret: CLIENT_SECRET
Replace TENANT_ID, CLIENT_ID, and CLIENT_SECRET with the actual authentication credentials values.