Setting up Azure Key Vault
This page details how to set up and configure an Azure Key Vault for use with Tessera.
The Microsoft Azure documentation provides much of the information needed to get started. The information in this section has been taken from the following pages of the Azure documentation:
Creating the vault
Using the portal
- Log in to the Azure Portal
- Create a resource from the sidebar
- Search for, and select,
- Fill out the necessary fields, including choosing a suitable name and location (the list of possible locations can be found using the Azure CLI, see below), and click
Using the CLI
Log in to Azure using the Azure CLI
Create a resource group, choosing a suitable name and location
az group create --name <rg-name> --location <location>
To view a list of possible locations use the command
az account list-locations
Create the Key Vault, choosing a suitable name and location and referencing the resource group created in the previous step
az keyvault create --name <kv-name> --resource-group <rg-name> --location <location>
A Key Vault has now been created that can be used to store secrets.
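The CLI steps above as one script, added here as an example; it is not taken from the Tessera or Azure documentation. The function names, the `APPLY` switch and the sample values (`tessera-rg`, `tessera-keys-01`, `uksouth`) are assumptions. The name check follows Azure's Key Vault naming rules, which matter because the vault name becomes part of the vault's DNS name.

```shell
#!/bin/sh
# Added example: validate the vault name, then run the page's two create
# commands. Sample names and the APPLY switch are constructed for illustration.

# Key Vault names: 3-24 characters, letters, digits and hyphens only,
# starting with a letter, ending with a letter or digit, no "--".
valid_kv_name() {
    len=${#1}
    [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z]([A-Za-z0-9]|-[A-Za-z0-9])*$'
}

# plan <rg-name> <kv-name> <location>: print the commands in order (dry run).
plan() {
    valid_kv_name "$2" || { echo "invalid Key Vault name: $2" >&2; return 1; }
    printf 'az group create --name %s --location %s\n' "$1" "$3"
    printf 'az keyvault create --name %s --resource-group %s --location %s\n' \
        "$2" "$1" "$3"
}

# provision <rg-name> <kv-name> <location>: show the plan, and run it only
# when APPLY=1 (requires a prior login with the Azure CLI).
provision() {
    plan "$@" || return 1
    [ "${APPLY:-0}" = 1 ] || return 0
    az group create --name "$1" --location "$3" &&
        az keyvault create --name "$2" --resource-group "$1" --location "$3"
}

# Constructed sample values; override through the environment.
provision "${RG_NAME:-tessera-rg}" "${KV_NAME:-tessera-keys-01}" "${LOCATION:-uksouth}"
```

Without `APPLY=1` the script only prints the two commands, so a rejected name is caught before anything is created.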
Configuring the vault to work with Tessera
Azure uses an Active Directory system to grant access to services. We will create an ‘application’ that we will authorise to use the vault. We will provide the credentials created as a result of this to authenticate our Tessera instance to use the key vault.
In order for the vault to be accessible by Tessera, the following steps must be carried out:
- Log in to the Azure Portal
Azure Active Directory from the sidebar
New application registration and complete the registration process. Make note of the
- Once registered, click
Keys, and create a new key with a suitable name and expiration rule. Once the key has been saved make note of the key value - this is the only opportunity to see this value!
To authorise the newly registered app to use the Key Vault complete the following steps:
All services from the sidebar and select
- Select the vault
- Search for and select the newly registered application as the
- Enable the
Enabling Tessera to use the vault
If using an Azure Key Vault, Tessera requires two environment variables to be set:
AZURE_CLIENT_SECRET: The application registration
Both of these values can be retrieved during the application registration process as outlined above.
The Azure dependencies are included in the tessera-app-<version>-app.jar. If using the
azure-key-vault-<version>-all.jar must be added to the classpath.