Azure Key Vault
Valtix integrates with the secret-management services of the public cloud providers to store the private keys that belong to the certificates used for TLS decryption. This section covers the steps needed to store a certificate's private key in Azure Key Vault and have Valtix retrieve it. Valtix reads the private key from a Key Vault Secret, so the key must be stored as a secret object (not as a Key Vault key or certificate object).
Azure Key Vault and User-assigned Managed Identities
Valtix uses a user-assigned managed identity to access the Azure Key Vault secret. The following steps create the Key Vault and grant the managed identity the minimum permissions it needs to read the secret:
- Create a new user-assigned managed identity.
- Create a new Key Vault, e.g. valtix-kv.
- In the newly created Key Vault, go to Access Policies.
- Select Add Access Policy.
- Under Secret permissions, select only Get. The gateway reads one named secret; it does not need List, Set, Delete or any management permission.
- Select Principal and select the managed identity.
- Click Add and then Save; the access policy is not applied until it is saved.
- Staying on the Key Vault configuration, navigate to Access Control (IAM) -> Select Add -> Role Assignment.
- Select the Reader role and search for the managed identity in the Select field.
- Click Save.
These access-policy steps apply to a vault that uses the Vault access policy permission model. If the vault was created with the Azure role-based access control permission model, access policies are ignored; in that case assign the built-in Key Vault Secrets User role to the managed identity on the vault instead of adding an access policy.
Storing Private Keys into Azure Key Vault Secrets
Import the private key into the Secrets section of the Azure Key Vault you created in the previous section. Because a PEM private key is a multi-line string, import it from the Azure Cloud Shell with the Azure CLI rather than through the portal.
Start the Azure Cloud Shell and run the following command:
az keyvault secret set --file <privatekey file> --encoding ascii --vault-name <key vault name> --name <secret name>
Create the key file in Cloud Shell with a text editor (for example vi): paste the contents of the private key, including the BEGIN and END PRIVATE KEY lines, and save the file. The file must contain only the private key, not the certificate. Cloud Shell keeps your home directory on a persistent file share, so delete the key file once the secret has been stored.
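The portal and Cloud Shell steps above, carried out end to end with the Azure CLI, as an added example (this is not Valtix or Cisco code). It adds two checks the portal flow skips: that the file really is a PEM private key and not a certificate, and that the stored secret, downloaded again, matches the file byte for byte. The resource group, region and resource names (valtix-rg, eastus, valtix-gw-identity, valtix-kv, valtix-tls-key) are hypothetical placeholders, and the vault is created with the access-policy permission model that the steps above rely on, since recent versions of the CLI default new vaults to Azure RBAC.

```shell
#!/usr/bin/env bash
# Added example, not Valtix/Cisco code: the portal steps on this page done with the
# Azure CLI, plus two checks the portal flow skips. Resource-group, region and
# resource names are hypothetical placeholders; replace them for your tenant.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute an az command, or only print it when DRY_RUN=1 so the plan can be reviewed offline.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Check 1: the file really is a PEM private key (first line is a *PRIVATE KEY header)
# and does not also contain a certificate, which is the usual paste mistake.
pem_is_private_key() {
  local first
  first=$(head -n 1 "$1")
  case "$first" in
    "-----BEGIN "*"PRIVATE KEY-----") ;;
    *) return 1 ;;
  esac
  ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Steps 1-2: the user-assigned managed identity and the Key Vault. The vault is created
# with the access-policy permission model that the page's steps rely on; recent CLI
# versions default new vaults to Azure RBAC, where an access policy has no effect.
create_identity_and_vault() {
  local rg="$1" loc="$2" mi="$3" kv="$4"
  run az identity create --resource-group "$rg" --location "$loc" --name "$mi"
  run az keyvault create --resource-group "$rg" --location "$loc" --name "$kv" \
    --enable-rbac-authorization false
}

# Steps 3-6: least privilege is "get" on secrets only (no list, set or delete), plus the
# Reader role on the vault resource, exactly as in the portal steps.
grant_identity_access() {
  local kv="$1" principal_id="$2" vault_id="$3"
  run az keyvault set-policy --name "$kv" --object-id "$principal_id" --secret-permissions get
  run az role assignment create --role Reader --scope "$vault_id" \
    --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal
}

# Upload the PEM as a secret (the page's command), then check 2: download it again and
# compare byte for byte, which catches a truncated paste or a wrong --encoding.
store_private_key() {
  local kv="$1" name="$2" pem="$3" back
  pem_is_private_key "$pem" || { echo "$pem is not a PEM private key" >&2; return 1; }
  run az keyvault secret set --vault-name "$kv" --name "$name" --file "$pem" --encoding ascii
  if [ "$DRY_RUN" != "1" ]; then
    back=$(mktemp)
    az keyvault secret download --vault-name "$kv" --name "$name" --file "$back" --encoding ascii
    cmp -s "$pem" "$back" || { rm -f "$back"; echo "stored secret differs from $pem" >&2; return 1; }
    rm -f "$back"
  fi
}

main() {
  local rg="valtix-rg" loc="eastus" mi="valtix-gw-identity" kv="valtix-kv"  # hypothetical names
  local secret="valtix-tls-key" pem="$1" principal_id vault_id
  create_identity_and_vault "$rg" "$loc" "$mi" "$kv"
  if [ "$DRY_RUN" = "1" ]; then
    principal_id='<principalId>'; vault_id='<vault-resource-id>'
  else
    principal_id=$(az identity show --resource-group "$rg" --name "$mi" --query principalId -o tsv)
    vault_id=$(az keyvault show --resource-group "$rg" --name "$kv" --query id -o tsv)
  fi
  grant_identity_access "$kv" "$principal_id" "$vault_id"
  store_private_key "$kv" "$secret" "$pem"
  # The key now lives in the vault; remove the local copy, since Cloud Shell's home
  # directory persists on an Azure Files share.
  rm -f "$pem"
}

# Usage: bash kv-setup.sh /path/to/privatekey.pem   (set DRY_RUN=1 to print the plan only)
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with DRY_RUN=1 first to review the exact az commands before anything is created; the only permission it grants on the vault's data plane is Get on secrets, so a compromised gateway identity cannot enumerate or overwrite other secrets.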
Configuring Valtix Gateway with User-assigned Managed Identity
Before the following steps, ensure that the Valtix Gateway deployed in Azure is configured with the user-assigned managed identity created above; the gateway reads the Key Vault secret using this identity.
Copy the Resource ID of the user-assigned managed identity created in the previous step:
- Navigate to Managed Identities.
- Click on the managed identity created for the Valtix Gateway.
- Select Properties.
- Select the icon on the right side of the Resource ID field to copy the ID.
- Paste this Resource ID into the Valtix Gateway configuration for your Azure Gateway, under the User Assigned Identity ID field.
Valtix configuration to retrieve Private Key
With the gateway configured to use the managed identity, create the certificate in Valtix Controller: paste the certificate body into the certificate field and, for the private key, reference the Azure Key Vault secret created above rather than pasting the key itself.
Once you have created the Valtix certificate, it can be used in a Decryption Profile when defining services in Valtix Controller.