# Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets like API keys, passwords, certificates, and cryptographic keys. This guide will walk you through how to integrate Key Vault with StrongDM and use the secret store integration to connect to resources.

Secret store integrations allow you to use your existing third-party secret stores with StrongDM. Your credentials are stored in a service that is controlled by you, and those credentials are never transmitted to StrongDM in any form. If you would like to learn more about how the Secret Store integration works and why you might wish to use it, please read the [Secret Stores Reference](https://docs.strongdm.com/admin/access/secret-stores).

{% hint style="info" %}
Azure Key Vault has the object types “Keys,” “Secrets,” and “Certificates.” StrongDM only supports the use of the “Secrets” type. However, you can store Base64-encoded certificates or keys in Azure Key Vault with the “Secrets” object type and retrieve them using StrongDM to access resources.
{% endhint %}

### Prerequisites

Make sure you are an account administrator in StrongDM.

In your Microsoft Entra (formerly Azure AD) permissions, your account must have a role that’s allowed to manage the Key Vault and assign a managed identity to a VM.

In your Azure subscription, your account must have the Owner role or User Access Administrator role.

See [Microsoft’s documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) for more information on requirements for Microsoft Entra permissions and Azure subscription permissions. Without proper permissions, you will not be able to create/register an application.

### Steps

#### Set up Key Vault

**Create a Key Vault in Azure**

If you haven’t already established a Key Vault, create one now. If you already have one, skip to the next step, [Update access policies](#update-key-vault-access-policies).

1. From either the Azure portal menu or the Home page, click **Create a resource**.
2. Search for **Key Vault**, and from the search results list, select **Key Vault**.
3. In the **Key Vault** section, click **Create**.
4. Set the following Key Vault properties:
   * **Name:** Enter a unique name for the vault.
   * **Subscription:** Select a subscription.
   * **Resource Group:** Select **Create new** and enter a resource group name.
   * **Location:** Select a location from the pull-down menu.
   * Keep the other options at their defaults.
5. Click **Next: Access Policy**.
6. Select **Azure role-based access control**.
7. Click **Next: Networking** and ensure that the networking is configured so that the Gateway/Relay can access the vault.
8. Select **Review + create**, make sure it looks OK, and then click **Create**.
9. Once the deployment is complete, select **go to resource**.
10. Note your Vault Name and Vault URI (e.g., `https://contoso-vault2.vault.azure.net/`); both are shown in the **Overview** section of the vault once the deployment is complete.

#### Set up access to Key Vault

There are several ways to authenticate with Azure Key Vault. One of them must be configured so that your Gateway can authenticate to the Key Vault and retrieve credentials:

* Managed Identity (this is the method recommended by StrongDM)
* Service Principal
* App Registration

In this configuration guide, you will use your VM's Managed Identity.

**Create a StrongDM gateway in Azure**

1. Create an Ubuntu 20.03 Azure VM.
2. Give the VM your SSH public key.
3. Once the VM is created, [install a Relay](https://docs.strongdm.com/admin/networking/gateways-and-relays) on the machine.

**Enable the VM's managed identity**

1. Select your new Azure VM in the Azure UI.
2. In the sidebar, under **Settings**, select **Identity**.
3. Toggle the system-assigned managed identity status to **On** and save.

#### Update Key Vault access policies

You need to update the Key Vault's Access Control (IAM) to grant access to whichever Azure users or groups require it, and to the managed identity of the Gateway you just created. You can learn more about this in Azure's [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) documentation.
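Before adding the secret store in the Admin UI, it is worth confirming from the gateway VM itself that its managed identity can read a secret. The script below is an added example, not StrongDM's code: it uses only the Python standard library to obtain a token from the Azure Instance Metadata Service (IMDS) and then call the Key Vault REST API. It assumes it runs on the Azure VM where the system-assigned identity was enabled (IMDS is only reachable from inside the VM); the vault URI and secret name are placeholders you supply.

```python
"""Added check: can this gateway VM's managed identity read a Key Vault secret?
Standard library only, so it runs on the relay host without the Azure SDK.
Flow: IMDS token (managed identity) -> Key Vault REST GET /secrets/{name}."""
import json
import sys
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KV_RESOURCE = "https://vault.azure.net"  # token audience for the Key Vault data plane
KV_API_VERSION = "7.4"

def normalize_vault_uri(uri: str) -> str:
    """Enforce the form the Admin UI expects: https, *.vault.azure.net host, trailing slash."""
    parts = urllib.parse.urlsplit(uri.strip())
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(".vault.azure.net"):
        raise ValueError(f"not a Key Vault URI: {uri!r}")
    return f"https://{host}/"

def imds_token_request() -> urllib.request.Request:
    """Token request for the system-assigned identity; IMDS rejects calls without Metadata: true."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": KV_RESOURCE})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def secret_request(vault_uri: str, name: str, token: str) -> urllib.request.Request:
    """GET {vault}/secrets/{name} on the data plane with the bearer token."""
    base = normalize_vault_uri(vault_uri)
    url = f"{base}secrets/{urllib.parse.quote(name)}?api-version={KV_API_VERSION}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def parse_secret_response(body: str) -> str:
    """Return the secret's id as proof of access; the value itself is never printed or logged."""
    data = json.loads(body)
    if "value" not in data:  # Key Vault returns {"error": {"code": ..., "message": ...}} on failure
        raise RuntimeError(f"secret not readable: {data.get('error', data)}")
    return data.get("id", "")

def check_secret_access(vault_uri: str, name: str) -> str:
    """Run the two live calls; raises on any network, identity or permission problem."""
    with urllib.request.urlopen(imds_token_request(), timeout=5) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(secret_request(vault_uri, name, token), timeout=10) as resp:
        return parse_secret_response(resp.read().decode())

if __name__ == "__main__":
    # Placeholders: python3 kv_check.py https://<VAULT_NAME>.vault.azure.net/ <SECRET_NAME>
    print("readable:", check_secret_access(sys.argv[1], sys.argv[2]))
```

A 403 from the vault means the identity is enabled but has no role on the vault yet; a failure on the first call means IMDS is unreachable or the identity is not enabled on the VM.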

#### Configure the Secret Store with the Admin UI

Once you have Key Vault set up, credentials stored, and your relay server able to access said credentials, it's time to integrate the secret store with StrongDM.

**Add secret store**

1. In the StrongDM Admin UI, go to **Settings** > **Secrets Management** and to the **Secret Stores** tab.
2. Click **Add secret store**.
3. On the **Add Secret Store** form that displays, set:
   * **Display Name:** Enter a name for this secret store integration. This name will be displayed in the Admin UI.
   * **Secret Store Type:** Select **Azure Key Vault**.
   * **Vault URI:** Set the URI of your Key Vault (e.g., `https://<VAULT_NAME>.vault.azure.net/`).
4. Click **Create secret store**.

If you've configured the Relay server correctly for secret store access and authorization, you will see the green online indicator.

**Add a resource, grant access to it, and test the connection**

Now, [create a resource](https://docs.strongdm.com/admin/resources/add-resources-secret-stores) that uses the secret store, grant access to it, and verify that you can connect.

1. In the Admin UI, add a new resource, such as a Server or Datasource, and choose the **Azure Key Vault** Secret Store type.
2. Fill out the information for a resource whose credentials you have stored in your secret store.
3. Select the Azure Key Vault secret store you created for the Secret Store field, and then fill in the path to the secrets that you've stored in your secret store.
4. Submit the form.
5. [Grant access](https://docs.strongdm.com/admin/access) to a User so that they can use the resource.
6. Log in as that User in the local StrongDM GUI (or have the User do so, if the account is not yours).
7. Verify that the resource exists, test a connection, and execute a query.

Congratulations, you've connected to a resource using secret stores.
