Table of Contents
Introduction
Azure Key Vault is a service provided by Azure to manage secrets. Since 2023.02 all Delft-FEWS components that connect to the database with a JDBC URL can use Azure Key Vault to store the JDBC URL including the username and password as a secret.
It is required for a Virtual Machine or Container that runs in Azure to have a user assigned managed identiy. See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities
The identity that is used has to be given permissions to access the Azure Key Vault where the secret is configured. Both the name of the Key Vault and the Secret name have to be provided to the Delft-FEWS Components using ENV variables.
Azure Configuration
In the following screenshot a keyvault with the name "fews-fss-scaling-kv" is shown that contains several secrets. In this case the secret called databaseUrlWIthUsernameAndPassword is used as an example.
The value of the databaseUrlWIthUsernameAndPassword secret is similar to:
jdbc:sqlserver://mydatabaseserver:1433;database=fewsfsscalingmc00;user=myuser;password=dymmy;encrypt=true;
So the secret contains a JDBC URL including the username and password required to connect to the database.
To be able to use the Key Vault integration in a Virtual Machine (or other Azure deployments that support user assigned identities, like Azure Kubernetes), the VM needs to be assigned a User assigned identiy.
In the following example it is shown how an identity is assigned to a virtual machine. This has to be done for each virtual machine that needs access to the key vault.
Key Vault Configuration
In Azure Key Vault, the user assigned identity has to be assigned the role: "Key Vault Secrets User". See the following example on how this can be done.
If the assigment was done correctly, it should look similar to this:
If not correctly assigned, you will get an error like when starting a Delft-FEWS component:
"{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: fews-fss-scaling-kv;location=westeurope\r\n","innererror":{"code":"ForbiddenByRbac"}}}" at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException:345
Configure Delft-FEWS Components to use Azure Key Vault
Key Vault Environment variables follow the following convention:
*prefix*DATABASE_URL_SECRET_NAME (name of the secret in the key vault)
*prefix*AZURE_KEY_VAULT_NAME (name of the keyvault)
*prefix*AZURE_KEY_VAULT_CLIENT_ID (client id of the managed identity that has access to the key vault. Only required if multiple identities have been assigned to a VM. For example a system assignd and a user assigned identity)
prefix for MC and FSS is ALWAYS FEWS_
The following is an example per component on how to configure these Azure Key Vault environment variables.
Admin Interface
Example ENV variables:
FEWS_AI_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_AI_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv FEWS_AI_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id
In case open id connect is used to login with the Admin Interface, it is also possible to get the client secret from the Azure Key Vault. This is possible since 2024.01.
The ENV variable FEWS_AI_AZURE_KEY_VAULT_NAME has to be set for this case as well. In case the secret that is used is named Oauth2ClientSecret in the key vault, the ENV variable FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME can be used to get the secret from the Azure Key Vault.
FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME=Oauth2ClientSecret
Master Controller
Only prefix FEWS_ is supported. Only one mc van be used per Virtual Machine. Example ENV variables:
FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id
Forecasting Shell Server
Only prefix FEWS_ is supported. Example ENV variables:
FEWS_FSS_INDEX_1_CLIENT_CONFIG_FILE_NAME=fss_clientConfig.xml FEWS_FSS_INDEX_1_GROUP=linux FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_AZURE_KEY_VAULT_NAME="fews-fss-scaling-kv" FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id
Web Services
Example ENV variables:
FEWS_WS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_WS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv FEWS_WS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id
Database Proxy
Example ENV variables:
FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id
In case open id connect is used to login with the Database Proxy, it is also possible to get the client secret from the Azure Key Vault. This is possible since 2024.01.
The ENV variable FEWS_AZURE_KEY_VAULT_NAME has to be set for this case as well. In case the secret that is used is named Oauth2ClientSecret in the key vault, the ENV variable FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME can be used to get the secret from the Azure Key Vault.
FEWS_DATABASE_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME=Oauth2ClientSecret
Project Manager
Example ENV variables:
FEWS_PM_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id
For the project manager, it is also possible to get the client secret from the Azure Key Vault. This is possible since 2024.01.
The ENV variable FEWS_PM_AZURE_KEY_VAULT_NAME has to be set for this case as well. In case the secret that is used is named Oauth2ClientSecret in the key vault, the ENV variable FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME can be used to get the secret from the Azure Key Vault.
FEWS_PM_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME=Oauth2ClientSecret
Archive Server
For an archive server that is configured with OIDC login, it is also possible to get the client secret from the Azure Key Vault. This is possible since 2024.01. In the archiveServerConfig.xml instead of using the clientSecret element, the clientSecretKeyVaultName should be used. For example:
<arc:clientSecretKeyVaultName keyVault="fews-fss-scaling-kv">Oauth2FrontEndClientSecret</arc:clientSecretKeyVaultName>
Global Properties
Azure Secrets can also be used in the global properties of a Forecasting Shell Server or the Web Services.
For example to configure a password that is required during an import, the property can be condfigured as follows:
importPassword=%SECRET(azureSecretName)%
