Overview

This article shows how to securely store a secret in Azure Key Vault and how to retrieve a secret when required.  

North52 BPA Solution

The North52 BPA solution works like this:

  • A formula is created that will trigger whenever a workflow activates it
  • This formula will gather the Azure token using its client_id and client_secret
  • This formula will then use this token and the name of the Secret to retrieve the Secret's value

Setup - Create App

  • Navigate to portal.azure.com and log in to your Azure instance
  • Click on Azure Active Directory in the blade
  • Click on App Registration (Preview)
  • Click New registration
  • Give the App a name and leave everything else default
  • Click Register
  • From the Overview section make note of the Application ID and the Directory ID

Setup - Create Secret in App

  • From the App you created above, navigate to Certificates & secrets
  • Click New Client Secret
  • Give it a Description and set its expiry date
  • Click Add
  • Copy the Value of the secret and save it for later

Setup - Create Key Vault 

Still inside your Azure instance, navigate to your resource group: 

  • Click Add
  • Search for Key Vault
  • Click and Create the Key Vault
  • Give it a Name
  • For Resource Group, select the resource group you want
  • Set the Location to the appropriate place
  • Click Access policies and then Add new
  • Select the template Secret Management 
  • Click on Select principal and search for your App
  • Click on it and then click on Select
  • Click Ok > Ok > Create

Setup - Create Secret in Key Vault

  • From inside Key Vault click on Secrets
  • Click Generate/Import
  • Give it a Name 
    • In this example we will call it north52keyvaultsecret
  • Give it a Value
    • In this example we will give it the value Hello World
  • Click Create
  • Double click the Secret you just created and copy the Secret Identifier for later
    • In this example it is https://north52keyvault.vault.azure.net/secrets/north52keyvaultsecret/13fc6b92e522405983914c4681dfad1c
  • Make note of the Name you have given it for later

Setup Formula

  • Navigate to Settings > N52 Formula
  • Create a new formula, setting the following values in the Formula Guide:
    • Source Entity set to Account
    • Set Formula Type to Process Genie
    • Select the Classic editor
    • Change the Name of the formula to Securely store and retrieve a secret in Azure Keyvaults
  • Copy and paste the following into the Classic editor (Note: you will need to change the parameters inside AzureKeyVaultGetSecret and the 1st, 3rd and 4th parameters inside AzureADGetTokenV2 with your own Azure details)
    SmartFlow(
    
      SetVar('token',
        AzureADgetTokenv2('36bb5c97-2970-43e7-9378-XXXXXXXXXXX', 
                          SetRequestParams('scope', 'https://vault.azure.net/.default',
                            'client_id', 'a2c8d8cd-0091-4aec-9701-XXXXXXXXX',
                            'client_secret', '^}S}_.b@#}]=/}*[+#]^/q$!]{>[}?_]#n>]!3*!+m]+/?]]>!XXXXXXX--/%',
                            'grant_type', 'client_credentials'))),
    
      AzureKeyVaultGetSecret( GetVar('token'), 'https://north52keyvault.vault.azure.net/secrets/north52keyvaultsecret/13fc6b92e52240598391XXXXXXXXXXXXXXX?api-version=2016-10-01') ,
    
      GetVarJsonValue('value') 
    ) 
    
    
  • Click Save

Test 

Within the Formula editor, click the lightning bolt button on the right-hand side and click Execute. The value of the secret is displayed in the result.

Note: Ignore any prompts for input you may get - this is caused by the secret containing square brackets and does not affect the formula 
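
The formula's two steps correspond to an OAuth 2.0 client-credentials request to Azure AD followed by a Key Vault REST GET. The Python below is an added example, not North52 code, that reproduces those two calls so the app registration and access policy can be checked outside Dynamics 365. It assumes the first parameter of AzureADGetTokenV2 is the Directory ID; the function names and environment variable names are hypothetical, and the client secret is read from the environment rather than pasted into the script.

```python
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "2016-10-01"  # same api-version the formula appends


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials POST to the Azure AD v2.0 token endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://vault.azure.net/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")


def secret_request(token, secret_identifier):
    """GET for a Secret Identifier; refuses to send the token to other hosts."""
    parts = urllib.parse.urlsplit(secret_identifier)
    if parts.scheme != "https" or not (parts.hostname or "").endswith(".vault.azure.net"):
        raise ValueError("not an https Key Vault URL; token not sent")
    url = f"{secret_identifier}?api-version={API_VERSION}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def json_field(raw, name):
    """Pull one field from a JSON body, as GetVarJsonValue('value') does."""
    return json.loads(raw)[name]


def get_secret(tenant_id, client_id, client_secret, secret_identifier):
    """Run both calls against Azure (needs network and a real app registration)."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as r:
        token = json_field(r.read(), "access_token")
    with urllib.request.urlopen(secret_request(token, secret_identifier)) as r:
        return json_field(r.read(), "value")


if __name__ == "__main__":
    # Environment variable names are assumptions; set them before running so
    # the client secret never appears in the script or in shell history.
    print(get_secret(os.environ["AZ_TENANT_ID"], os.environ["AZ_CLIENT_ID"],
                     os.environ["AZ_CLIENT_SECRET"], os.environ["KV_SECRET_ID"]))
```

A 401 from the first call points at the app registration or client secret; a 403 from the second points at the Key Vault access policy.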
