Overview

This article shows how to securely store a secret in Azure Key Vault and how to retrieve it from a North52 formula when required.

North52 BPA Solution

The North52 BPA solution works like this:

  • A formula is created that runs whenever a workflow triggers it
  • The formula obtains an Azure AD access token using the registered App's client_id and client_secret
  • The formula then uses that token and the Secret Identifier to retrieve the Secret's value

Setup - Create App

  • Navigate to portal.azure.com and log in to your Azure instance
  • Click on Azure Active Directory in the blade
  • Click on App Registration (Preview)
  • Click New registration
  • Give the App a name and leave everything else default
  • Click Register
  • From the Overview section make note of the Application ID and the Directory ID

Setup - Create Secret in App

  • From the App you created above, navigate to Certificates & secrets
  • Click New Client Secret
  • Give it a Description and set its expiry date
  • Click Add
  • Copy the Value of the secret and save it for later

Setup - Create Key Vault 

Still inside your Azure instance, navigate to your resource group: 

  • Click Add
  • Search for Key Vault
  • Select it and click Create to start creating the Key Vault
  • Give it a Name
  • For Resource Group, select the resource group you want
  • Set the Location to the appropriate place
  • Click Access policies and then Add new
  • Select the template Secret Management 
  • Click on Select principal and search for your App
  • Click on it and then click on Select
  • Click Ok > Ok > Create

Setup - Create Secret in Key Vault

  • From inside Key Vault click on Secrets
  • Click Generate/Import
  • Give it a Name 
    • In this example we will call it north52keyvaultsecret
  • Give it a Value
    • In this example we will give it the value Hello World
  • Click Create
  • Double-click the Secret you just created and copy the Secret Identifier for later
    • In this example it is https://north52keyvault.vault.azure.net/secrets/north52keyvaultsecret/13fc6b92e522405983914c4681dfad1c
  • Make note of the Name you have given it for later

Setup Formula

  • Navigate to Settings > N52 Formula
  • Create a new formula, setting the following values in the Formula Guide:
    • Source Entity set to Account
    • Set Formula Type to Process Genie
    • Select the Classic editor
    • Change the Name of the formula to Securely store and retrieve a secret in Azure Key Vault
  • Copy and paste the following into the Classic editor (Note: you will need to change the parameters inside AzureKeyVaultGetSecret and the 1st, 3rd and 4th parameters inside AzureADGetTokenV2 with your own Azure details; the values shown below are redacted placeholders)
    SmartFlow(

      SetVar('token',
        AzureADgetTokenv2('36bb5c97-2970-43e7-9378-XXXXXXXXXXX',
                          SetRequestParams('scope', 'https://vault.azure.net/.default',
                            'client_id', 'a2c8d8cd-0091-4aec-9701-XXXXXXXXX',
                            'client_secret', '^}S}_.b@#}]=/}*[+#]^/q$!]{>[}?_]#n>]!3*!+m]+/?]]>!XXXXXXX--/%',
                            'grant_type', 'client_credentials'))),

      AzureKeyVaultGetSecret(GetVar('token'), 'https://north52keyvault.vault.azure.net/secrets/north52keyvaultsecret/13fc6b92e52240598391XXXXXXXXXXXXXXX?api-version=2016-10-01'),

      GetVarJsonValue('value')
    )

  • Click Save
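The two calls the formula makes (a client-credentials token request scoped to https://vault.azure.net/.default, then a GET of the Secret Identifier with a bearer token, reading the "value" field) written out as a stand-alone Python script. This is an added example, not North52's or Azure's code; it assumes the formula's first AzureADgetTokenv2 parameter is the Directory (tenant) ID and that the v2.0 token endpoint of login.microsoftonline.com is used. The transport is injected so the exchange can be exercised offline with the constructed fake_transport, and credentials are passed in rather than pasted into the script.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
KV_SCOPE = "https://vault.azure.net/.default"      # same scope as the formula
KV_API_VERSION = "2016-10-01"                      # same api-version as the formula's URL

def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport; swap in fake_transport below to run offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()

def get_token(transport, tenant_id, client_id, client_secret):
    """Step 1: client-credentials grant against the tenant's v2.0 token endpoint."""
    form = {"grant_type": "client_credentials", "scope": KV_SCOPE,
            "client_id": client_id, "client_secret": client_secret}
    status, text = transport("POST", TOKEN_URL.format(tenant=tenant_id),
                             {"Content-Type": "application/x-www-form-urlencoded"},
                             urllib.parse.urlencode(form).encode())
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")  # body not logged
    return json.loads(text)["access_token"]

def get_secret(transport, token, secret_id):
    """Step 2: GET the Secret Identifier with a bearer token; add api-version if absent."""
    parts = urllib.parse.urlsplit(secret_id)
    query = dict(urllib.parse.parse_qsl(parts.query))
    query.setdefault("api-version", KV_API_VERSION)
    url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    status, text = transport("GET", url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"secret request failed: HTTP {status}")
    return json.loads(text)["value"]            # the field GetVarJsonValue('value') reads

def fake_transport(method, url, headers, body=None):
    """Constructed stand-in for Azure so the two-step flow can be exercised offline."""
    if method == "POST" and url.endswith("/oauth2/v2.0/token"):
        form = dict(urllib.parse.parse_qsl(body.decode()))
        if form.get("grant_type") != "client_credentials" or form.get("scope") != KV_SCOPE:
            return 400, json.dumps({"error": "invalid_request"})
        return 200, json.dumps({"token_type": "Bearer", "access_token": "fake.token"})
    if method == "GET" and headers.get("Authorization") == "Bearer fake.token" \
            and "api-version=" in url:
        return 200, json.dumps({"value": "Hello World", "id": url.split("?")[0]})
    return 401, json.dumps({"error": {"code": "Unauthorized"}})
```

Calling get_token and get_secret with urllib_transport, your Directory ID, Application ID, client secret and the Secret Identifier copied from the portal performs the real exchange; the token endpoint and Key Vault both answer with an error status rather than a secret if the scope, grant type or bearer token is wrong.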

Test 

Within the Formula editor, click the lightning bolt button on the right-hand side and then click Execute. The secret's value will be displayed, as shown below.

Note: Ignore any prompts for input you may see; they are caused by the client secret containing square brackets and do not affect the formula.