Overview
This article shows how to securely store a secret in Azure Key Vault and how to retrieve a secret when required.
North52 Decision Suite
The North52 Decision Suite solution works like this:
- A formula is created that will trigger whenever a workflow activates it
- This formula will obtain an Azure access token using the App's client_id and client_secret
- The formula will then use this token and the name of the Secret to retrieve the Secret's value
Setup - Create App
- Navigate to portal.azure.com and log in to your Azure instance
- Click on Azure Active Directory in the blade
- Click on App Registration (Preview)
- Click New registration
- Give the App a name and leave everything else default
- Click Register
- From the Overview section make note of the Application ID and the Directory ID
Setup - Create Secret in App
- From the App you created above, navigate to Certificates & Secrets
- Click New Client Secret
- Give it a Description and set its expiry date
- Click Add
- Copy the Value of the secret and save it for later
Setup - Create Key Vault
Still inside your Azure instance, navigate to your resource group:
- Click Add
- Search for Key Vault
- Click and Create the Key Vault
- Give it a Name
- For Resource Group, select the resource group you want
- Set the Location to the appropriate place
- Click Access policies and then Add new
- Select the template Secret Management
- Click on Select principal and search for your App
- Click on it and then click on Select
- Click Ok > Ok > Create
Setup - Create Secret in Key Vault
- From inside Key Vault click on Secrets
- Click Generate/Import
- Give it a Name
- In this example we will call it north52keyvaultsecret
- Give it a Value
- In this example we will give it the value Hello World
- Click Create
- Double-click the Secret you just created and copy the Secret Identifier for later
- In this example it's https://north52keyvault.vault.azure.net/secrets/north52keyvaultsecret/13fc6b92e522405983914c4681dfad1c
- Make note of the Name you have given it for later
Setup Formula
- Navigate to Settings > N52 Formula
- Create a new formula, setting the following values in the Formula Guide:
- Source Entity set to Account
- Set Formula Type to Process Genie
- Select the Classic editor
- Change the Name of the formula to Securely store and retrieve a secret in Azure Keyvaults
- Copy and paste the following into the Classic editor (Note: you will need to replace the parameters inside AzureKeyVaultGetSecret and the 1st, 3rd and 4th parameters inside AzureADGetTokenV2 with your own Azure details)
SmartFlow(
  SetVar('token',
    AzureADgetTokenv2('36bb5c97-2970-43e7-9378-XXXXXXXXXXX',
      SetRequestParams(
        'scope', 'https://vault.azure.net/.default',
        'client_id', 'a2c8d8cd-0091-4aec-9701-XXXXXXXXX',
        'client_secret', '^}S}_.b@#}]=/}*[+#]^/q$!]{>[}?_]#n>]!3*!+m]+/?]]>!XXXXXXX--/%',
        'grant_type', 'client_credentials'))),
  AzureKeyVaultGetSecret(
    GetVar('token'),
    'https://north52keyvault.vault.azure.net/secrets/north52keyvaultsecret/13fc6b92e52240598391XXXXXXXXXXXXXXX?api-version=2016-10-01'),
  GetVarJsonValue('value')
)
- Click Save
Test
Within the Formula editor, click the lightning bolt button on the right-hand side and click Execute. You will see the secret's value (Hello World in this example) displayed in the output.
Note: Ignore any prompts for input you may get - this is caused by the client secret containing square brackets and does not affect the formula
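The two calls the formula makes, written out as an added Python example (not North52's code) so the exchange can be checked outside the formula editor: a client-credentials token request scoped to vault.azure.net, then a GET of the Secret Identifier with api-version=2016-10-01, reading the value field from the JSON reply. The login.microsoftonline.com v2.0 token endpoint, the https_transport helper, the constructed fake_azure stand-in and the TENANT-ID, CLIENT-ID, CLIENT-SECRET and VERSION placeholders are assumptions of this example, not values from the page.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"   # %s = Directory (tenant) ID
VAULT_SCOPE = "https://vault.azure.net/.default"
API_VERSION = "2016-10-01"  # the api-version the page's formula appends to the Secret Identifier
FORM_HDR = {"Content-Type": "application/x-www-form-urlencoded"}

def https_transport(method, url, headers, body=None):  # real transport: (status, parsed JSON)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))

def get_vault_token(tenant_id, client_id, client_secret, transport=https_transport):
    """Step 1 (AzureADGetTokenV2): client-credentials grant for a token scoped to Key Vault."""
    form = urllib.parse.urlencode({"scope": VAULT_SCOPE, "grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret})
    status, body = transport("POST", TOKEN_URL % tenant_id, FORM_HDR, form.encode("ascii"))
    if status != 200 or body.get("token_type") != "Bearer":
        raise RuntimeError("token request failed: %s" % body.get("error", status))
    return body["access_token"]  # handle like a password: never log it or write it into a formula

def get_secret_value(token, secret_identifier, transport=https_transport):
    """Step 2 (AzureKeyVaultGetSecret): GET the Secret Identifier with the bearer token."""
    parts = urllib.parse.urlsplit(secret_identifier)
    if parts.scheme != "https" or not parts.netloc.endswith(".vault.azure.net"):
        raise ValueError("refusing to send a vault token anywhere but a Key Vault URL")
    query = {"api-version": API_VERSION, **dict(urllib.parse.parse_qsl(parts.query))}
    url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    status, body = transport("GET", url, {"Authorization": "Bearer " + token})
    if status != 200:
        raise RuntimeError("secret request failed: %s" % body.get("error", status))
    return body["value"]  # the JSON field the formula reads with GetVarJsonValue('value')

def fake_azure(method, url, headers, body=None):
    """Constructed stand-in for both Azure endpoints so the exchange can be run offline."""
    if method == "POST" and url.startswith("https://login.microsoftonline.com/"):
        form = dict(urllib.parse.parse_qsl(body.decode("ascii")))
        if form.get("grant_type") != "client_credentials" or form.get("scope") != VAULT_SCOPE:
            return 400, {"error": "invalid_request"}
        return 200, {"token_type": "Bearer", "expires_in": 3599, "access_token": "TOKEN"}
    if method == "GET" and headers.get("Authorization") == "Bearer TOKEN" and API_VERSION in url:
        return 200, {"value": "Hello World", "id": url.split("?")[0]}
    return 401, {"error": {"code": "Unauthorized"}}

def demo(transport=fake_azure):  # the IDs and version below are placeholders, not real values
    token = get_vault_token("TENANT-ID", "CLIENT-ID", "CLIENT-SECRET", transport)
    return get_secret_value(token, "https://north52keyvault.vault.azure.net/secrets/"
                            "north52keyvaultsecret/VERSION", transport)
```

Passing https_transport (the default) instead of fake_azure, together with your own Directory ID, Application ID, client secret and Secret Identifier, runs the same two requests against Azure.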