How Do I Access Azure Key Vault Secrets? (Magic xpi 4.14)
Azure Key Vault is a cloud service provided by Microsoft to securely store and access secrets. You can add multiple secrets to a key vault. The Azure Key Vault integration lets you map these secrets directly to the environment variables in xpi, so you can access secrets defined in Azure Key Vault and merge them into the environment variables of the Magic xpi runtime.
To access Azure Key Vault secrets, follow the steps given below:

- Define the following properties manually in the magic.ini under the [MAGIC_ENV] section. Changes made to the magic.ini apply to all projects. To use the Azure Key Vault for a specific project only, make these changes in the ifs.ini of the required project.

Property | Required/Optional | Description
ExternalVault | Required | Provide the value 'A' for Azure Key Vault. If the value is empty or blank, the external key vault is not used and Magic xpi uses the values from the environment variables.
ExternalVaultName | Required | The name of the Key Vault that you created in the Azure portal.
ExternalVaultClientSecret | Required | The Client secret value. You must encrypt this value before adding it to the magic.ini or ifs.ini file; see the encryption steps below.
ExternalVaultTenantID | Required | Uniquely identifies the Azure Active Directory instance used to access Azure services. You can get this value when creating the Key Vault on the Azure portal.
ExternalVaultApplicationID | Required | The Client ID. You can get this value from the Azure portal.
AbortOnVaultError | Optional | Add this property to the [MAGIC_IBOLT] section of the ifs.ini file. The default and recommended value is N. Value Y: the project will not start if the xpi runtime cannot connect or authenticate to the Azure Key Vault. Value N: the project is not aborted and continues to run; an error is logged in both the activity log file and the ifs.log file.

To encrypt the Client Secret for the ExternalVaultClientSecret property:
  - Navigate to the <Magic xpi Installation>\Tools\xpi_encrypt folder.
  - Open the command prompt in this folder and run xpi_encrypt.bat.
  - It prompts you for a secret value to encrypt. Enter the Client Secret and press Enter.
  - Magic xpi writes the encrypted Client Secret into the EncryptedContent.txt file. This file is located under the <Magic xpi Installation>\runtime\Magic xpa folder.
  - Copy the encrypted result string from the command prompt and add it to the ExternalVaultClientSecret property in the magic.ini under the [MAGIC_ENV] section.

Note: Azure Key Vault secret values with Unicode characters are not supported at Magic xpi runtime.

- When all these values are added, start the Runtime engine.
Once the authentication to the Key Vault succeeds, the runtime loads all the secrets from Azure Key Vault.
If authentication fails, an error is logged in <projectname>_error.log and ifs.log on start-up.
- To reload the secrets from the Azure Key Vault, use the ExternalVaultReload() function.
- During xpi runtime the vault's secret overrides the xpi environment variable value, i.e. for any environment variable whose name matches a secret in Azure, its value is replaced with the secret retrieved from Azure Key Vault.
- Changes made to secrets in the Key Vault are not reflected in real time in the xpi project runtime. The ExternalVaultReload function lets you reload the values dynamically at runtime.
For example, if you are connected to a service or resource using an environment variable with the value 'AA' and you change this value to 'BB' in the Key Vault, the change is not reflected in the runtime until you reload the latest Key Vault secrets using the ExternalVaultReload function.
- Since the Azure Key Vault values are retrieved at runtime, the values in the environment variables are used for any operations in the Studio, for example validating resources and fetching metadata for services and resources.
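As an added pre-flight check (example code, not part of Magic xpi or its documentation), the following Python script parses the [MAGIC_ENV] properties from magic.ini and ifs.ini and the [MAGIC_IBOLT] section of ifs.ini, and reports missing or malformed vault settings before you start the Runtime engine. It assumes that a property set in the project's ifs.ini takes precedence over the same property in magic.ini; the sample .ini contents are constructed.

```python
import configparser

# Properties that must be non-empty once ExternalVault=A (see the table above).
REQUIRED_WHEN_ENABLED = ("ExternalVaultName", "ExternalVaultClientSecret",
                         "ExternalVaultTenantID", "ExternalVaultApplicationID")

# Constructed sample files: the client secret is missing and AbortOnVaultError is malformed.
SAMPLE_MAGIC_INI = """[MAGIC_ENV]
ExternalVault=A
ExternalVaultName=example-vault
ExternalVaultTenantID=<tenant-id-placeholder>
ExternalVaultApplicationID=<client-id-placeholder>
"""
SAMPLE_IFS_INI = """[MAGIC_IBOLT]
AbortOnVaultError=X
"""

def _section(text: str, name: str) -> dict:
    """Return one .ini section as a dict, keeping property names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp[name]) if cp.has_section(name) else {}

def check_vault_config(magic_ini: str, ifs_ini: str) -> tuple[bool, list[str]]:
    """Return (vault_enabled, findings); no findings means the settings are complete."""
    # Assumption: per-project ifs.ini values override the global magic.ini values.
    env = {**_section(magic_ini, "MAGIC_ENV"), **_section(ifs_ini, "MAGIC_ENV")}
    mode = env.get("ExternalVault", "").strip()
    if mode == "":
        return False, []  # empty or blank: vault not used, environment variables apply as-is
    findings = []
    if mode != "A":
        findings.append(f"ExternalVault={mode!r}: only 'A' (Azure Key Vault) is documented")
    for key in REQUIRED_WHEN_ENABLED:
        if not env.get(key, "").strip():
            findings.append(f"{key} is required when ExternalVault=A but is missing or empty")
    # The script cannot verify that the client secret is the xpi_encrypt.bat output, only that it is set.
    abort = _section(ifs_ini, "MAGIC_IBOLT").get("AbortOnVaultError", "N").strip().upper()
    if abort not in ("Y", "N"):
        findings.append(f"AbortOnVaultError={abort!r} in [MAGIC_IBOLT] must be Y or N (default N)")
    return True, findings

if __name__ == "__main__":
    enabled, problems = check_vault_config(SAMPLE_MAGIC_INI, SAMPLE_IFS_INI)
    print("vault enabled:", enabled)
    for problem in problems:
        print("-", problem)
```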
Since version: 4.13.6