How to integrate the Segura® Platform DevOps Secret Manager and the Azure Key Vault


This guide explains how to integrate Azure Key Vault with Segura® Platform to manage and automatically rotate secrets for cloud-native applications. This integration increases security by keeping secrets out of application code and ensuring they are regularly updated by Segura® Platform.

Prerequisites

Before you begin, ensure you have the following:

  • Segura® Platform version 3.29 installed with the PAM Core and DevOps Secret Manager modules.
  • A secret to manage.
    • This example uses a MongoDB database credential on an Ubuntu 20.04 instance running MongoDB 7.0.2.
  • The MongoDB example requires network connectivity on TCP port 27017.
  • The same secret is already provisioned in your Azure Key Vault.
    • The automated process will update the password for this existing secret.
  • The following Azure connection details:
    • Tenant ID.
    • Subscription ID.
    • Client ID.
    • Client Secret.
    • Resource Group Name.
    • Key Vault Name.

Integrate Segura® Platform DevOps Secret Manager and Azure Key Vault

The integration consists of the following steps.

  1. Register the managed account by creating a new device authenticator in Segura® Platform that represents the system hosting the secret.
    1. For example, the MongoDB server.
  2. Create the corresponding credential and configure a template for password rotation.
    1. For example, the MongoDB template.
  3. Configure the password management by establishing rotation policies.
    1. For example: frequency in days, specific times, days of the week, and expiration options based on time or exposure.
    2. This is important because it ensures that Segura® Platform automatically rotates the credential password according to the defined schedule.
  4. Ensure that the secret managed by Segura® Platform is already created and available in your Azure Key Vault so that subsequent automation can update its password.
  5. Set up the Segura® Platform’s DevOps Secret Manager scope by defining a logical grouping or context within the DevOps Secret Manager module for managing secrets related to Azure Key Vault.
  6. Create the Azure Key Vault application in Segura® Platform’s DevOps Secret Manager by registering a new application that represents your Azure Key Vault instance, providing a name or identifier.
  7. Add the managed credential as a secret in DevOps Secret Manager by linking the PAM Core managed credential to the DevOps Secret Manager module, and configure the Azure environment details for the parameter injection template.
    1. The parameters are Tenant, Subscription, Client ID, Client Secret, Resource Group, and Key Vault Name.
  8. Create the Azure URI in Segura® Platform’s PAM Core by configuring the URI of your Azure Key Vault as a new device, ensuring it serves as the target address for the Segura® Platform connection to the Azure Key Vault API.
    1. Note that the associated credential is mandatory but not used for the API connection.
  9. Automate the password injection into Azure Key Vault by configuring an automation that triggers after a password rotation in Segura® Platform, connecting to Azure Key Vault to update the corresponding secret using the appropriate plugin and template.
    1. Specify the Azure Key Vault URI and its associated credential.
  10. Verify the synchronization by ensuring that after each password rotation in Segura® Platform, the automation triggers correctly and updates the secret in Azure Key Vault, confirming that the password value in both systems is identical.
  11. Access the Access Policies section within the Azure Key Vault environment and grant the following permissions to the secret you created: Get, List, Set, Delete, Retrieve, and Backup.
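The verification in step 10 can be automated outside the product. The following is an added example, not Segura® Platform's plugin or template: it logs in with the Tenant, Client ID and Client Secret from step 7 using the client-credential flow, reads the current secret version through the Azure Key Vault REST API (api-version 7.4), and checks that the version is enabled, was written after the rotation, and holds the rotated value. The vault name `example-vault`, secret name `mongodb-app` and the sample response are constructed; the comparison logic is separated from the network calls so it can be exercised offline.

```python
"""Independent post-rotation check for step 10 (added example, not Segura Platform code).
Confirms that Azure Key Vault holds the value Segura Platform just rotated."""
import hmac
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SECRET_URL = "https://{vault}.vault.azure.net/secrets/{name}?api-version=7.4"


def fetch_secret(tenant, client_id, client_secret, vault, name):
    """Client-credential login, then GET the current version of the secret (network call)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://vault.azure.net/.default",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=form) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(SECRET_URL.format(vault=vault, name=name),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_synchronized(kv_secret, expected_value, rotated_at_epoch):
    """Return (ok, reason) for a GET /secrets/{name} response body.
    rotated_at_epoch is the Unix time of the Segura Platform rotation; the Key Vault
    'updated' attribute is also Unix seconds, so a version older than that means the
    automation of step 9 did not run or failed."""
    attrs = kv_secret.get("attributes", {})
    if not attrs.get("enabled", False):
        return False, "current Key Vault version is disabled"
    if attrs.get("updated", 0) < rotated_at_epoch:
        return False, "Key Vault version predates the rotation; automation did not run"
    # Constant-time comparison so the check itself does not leak the password by timing.
    if not hmac.compare_digest(kv_secret.get("value", "").encode(), expected_value.encode()):
        return False, "value mismatch between Segura Platform and Key Vault"
    return True, "synchronized"


# Constructed sample response in the shape of the Key Vault GET secret body (not real data).
SAMPLE_RESPONSE = {
    "value": "R0tated-Example-Pw!",
    "id": "https://example-vault.vault.azure.net/secrets/mongodb-app/abc123",
    "attributes": {"enabled": True, "created": 1700000000, "updated": 1700003600},
}

if __name__ == "__main__":
    ok, reason = check_synchronized(SAMPLE_RESPONSE, "R0tated-Example-Pw!", 1700003000)
    print("OK" if ok else "ALERT", reason)  # never print the secret values themselves
```

Run it periodically after the rotation schedule from step 3; a result other than `synchronized` is the signal that the Key Vault automation needs attention.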

By completing these steps, you have successfully integrated Segura® Platform and Azure Key Vault. This integration ensures that secrets stored in Azure Key Vault benefit from the periodic and automated password rotation capabilities of Segura® Platform, enhancing the security of cloud-native applications that rely on Azure Key Vault for their secrets. Segura® Platform manages the secret's lifecycle, while Azure Key Vault is the application-facing secret store.