Creating Secrets in Azure Key Vault

A connector uses a secret to connect Apono to resources without storing any credentials. For Azure-based integrations, secrets are created and managed through the Azure Key Vault.

You can create an Azure secret through the Azure CLI.



Azure CLI

This method uses the Azure CLI to provide a streamlined, secure pathway to manage your secrets for resource integration via an Apono connector.

💡

As an alternative, you can create a secret via your Azure portal.


Prerequisites

| Item | Notes |
| --- | --- |
| Azure Key Vault | Azure solution for securely storing secrets, key management, and certificate management |
| Azure Command Line Interface (Azure CLI) | Open source tool, available from Microsoft, for interacting with Azure services using commands in your command-line shell |
| Integration Credentials | Credentials for the instance of the integration |

CLI Secret Creation

Use the following steps to create a secret through the Azure CLI:

  1. Copy the following command into a text editor and edit the values.

    az keyvault secret set \
    --vault-name "#KEYVAULT_NAME" \
    --name "apono-mysql-user" \
    --value '{"username": "USERNAME", "password": "PASSWORD"}'
    

    | Parameter | Description |
    | --- | --- |
    | --name | Name of the secret |
    | --value | Plain text secret value. Credentials for the instance of the integration in a JSON format |
    | --vault-name | Name of the Vault. |

    📘

    For more information about each property of the command, see az keyvault secret set.


  2. In the command-line interface of your local machine, paste and run the edited command. When the secret is successfully generated, the secret will be listed in and can be managed from your Key vault in your Azure portal.
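
The command in step 1 places the password on the command line, where it is kept in shell history, and a password containing `"` or `\` breaks the hand-written JSON. The following is an added example, not part of the Apono documentation: it escapes the credentials into the same JSON shape and uploads them from a temporary file with the Azure CLI's `--file` option. The helper names `json_escape`, `build_secret_json` and `store_apono_secret`, and the vault and user names in the sample call, are assumptions.

```bash
#!/bin/sh
# Added example (not from the Apono docs): build the secret JSON with proper
# escaping and upload it with --file, so the password is never typed into
# the command line or saved in shell history.

# Escape a value for use inside a JSON string literal.
# Control characters (newline, tab, ...) are rejected rather than guessed at.
json_escape() {
  case $1 in
    *[[:cntrl:]]*) echo "control character in value" >&2; return 1 ;;
  esac
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Print {"username": ..., "password": ...} in the shape the page's command uses.
build_secret_json() {
  bsj_user=$(json_escape "$1") || return 1
  bsj_pass=$(json_escape "$2") || return 1
  printf '{"username": "%s", "password": "%s"}' "$bsj_user" "$bsj_pass"
}

# Hypothetical helper.
# Usage: store_apono_secret <vault-name> <secret-name> <username>
store_apono_secret() {
  printf 'Password: ' >&2
  stty -echo; IFS= read -r sas_pass; stty echo; printf '\n' >&2
  sas_tmp=$(mktemp) || return 1   # mktemp creates the file with mode 0600
  build_secret_json "$3" "$sas_pass" > "$sas_tmp" &&
    az keyvault secret set --vault-name "$1" --name "$2" \
      --file "$sas_tmp" --encoding utf-8 --output none
  sas_rc=$?
  rm -f "$sas_tmp"; unset sas_pass
  return "$sas_rc"
}

# Example call (constructed names):
#   store_apono_secret my-keyvault apono-mysql-user dbadmin
```

`--output none` suppresses the command's response, so the stored value is not echoed back to the terminal.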

You can now grant permission to the Apono connector to read the secret.



Grant connector read access to secret

  1. From the Azure Key vaults list page in your Azure portal, open the key vault containing the secret you created.
  2. In the side navigation under Settings, click Access Configuration. The Access configuration page appears.
  3. Grant read access to the secret based on how the key vault is configured: Azure role-based access control or Vault access policy.

Azure role-based access control

🚧

If any of the following steps do not match your Azure portal, please refer to Azure's Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control article.



Use the following steps to grant the Apono connector read access to the secret:

  1. Click Go to access control (IAM). The Access control (IAM) page appears.
  2. Click Add > Add role assignment.
  3. In the search bar, search for Key Vault Secrets User.
  4. Select the role.
  5. Click Next.
  6. On the Members tab under Members, click + Select members. The Select members panel appears.
  7. In the Select search bar, search for your Apono connector ID, for example apono-connector.
  8. Choose the Apono connector ID.
  9. Click Select. The panel closes.
  10. Click Review + assign to review the role assignment.
  11. Click Review + assign.



Vault access policy

🚧

If any of the following steps do not match your Azure portal, please refer to Azure's Assign a Key Vault access policy (legacy) article.



Use the following steps to grant the Apono connector read access to the secret:

  1. Click Go to access policies.
  2. Click + Create.
  3. Under Secret permissions, select only Get.
  4. Click Next.
  5. On the Principal tab in the search bar, search for your Apono connector ID, for example apono-connector.
  6. Choose the Apono connector ID.
  7. Click Next to review the access policy.
  8. Click Create.