...

To be able to use the Key Vault integration in a Virtual Machine (or in other Azure deployments that support user-assigned identities, such as Azure Kubernetes), the VM needs to be assigned a user-assigned identity.

The following example shows how an identity is assigned to a virtual machine. This has to be done for each virtual machine that needs access to the key vault.


Key Vault Configuration

In Azure Key Vault, the user-assigned identity has to be assigned the role "Key Vault Secrets User". See the following example on how this can be done.

...

If the role is not assigned correctly, you will get an error like the following when starting a Delft-FEWS component:

Code Block
"{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: fews-fss-scaling-kv;location=westeurope\r\n","innererror":{"code":"ForbiddenByRbac"}}}" at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException:345 

...

Key Vault environment variables follow this naming convention:

*prefix*DATABASE_URL_SECRET_NAME
*prefix*AZURE_KEY_VAULT_NAME

The prefix for the MC and FSS is ALWAYS FEWS_.

The following is an example per component on how to configure these Azure Key Vault environment variables.

Admin Interface

Example ENV variables:

...

Only the prefix FEWS_ is supported. This means that only one MC can be used per Virtual Machine, and the MC subfolder will be created. Example ENV variables:

Code Block
FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
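The following is an added example (not part of the Delft-FEWS code or this page) that applies the naming convention above to resolve the vault URL and secret name from the environment, and classifies the Forbidden error quoted earlier so an operator can tell a missing "Key Vault Secrets User" role assignment from other failures. The `fetch_secret` helper, the sample error body and its placeholder ids are assumptions; the helper needs the `azure-identity` and `azure-keyvault-secrets` packages, everything else is standard library.

```python
import json
import os
import re

# Convention from the page: <prefix>DATABASE_URL_SECRET_NAME and
# <prefix>AZURE_KEY_VAULT_NAME; for the MC and FSS the prefix is always FEWS_.
REQUIRED_SUFFIXES = ("AZURE_KEY_VAULT_NAME", "DATABASE_URL_SECRET_NAME")


def resolve_key_vault_config(env, prefix="FEWS_"):
    """Return (vault_url, secret_name); name every missing variable at once."""
    missing = [prefix + s for s in REQUIRED_SUFFIXES if not env.get(prefix + s)]
    if missing:
        raise KeyError("missing Key Vault environment variables: " + ", ".join(missing))
    vault = env[prefix + "AZURE_KEY_VAULT_NAME"]
    # Vault names are 3-24 letters, digits or hyphens; check before building a hostname.
    if not re.fullmatch(r"[A-Za-z0-9-]{3,24}", vault):
        raise ValueError(f"invalid Key Vault name: {vault!r}")
    return f"https://{vault}.vault.azure.net", env[prefix + "DATABASE_URL_SECRET_NAME"]


def diagnose_key_vault_error(body):
    """Classify a Key Vault REST error body (JSON string) and suggest a fix."""
    err = json.loads(body)["error"]
    inner = err.get("innererror", {}).get("code")
    # The message is a list of "\r\n"-separated "Field: value" lines.
    fields = dict((k.strip(), v.strip().strip("'")) for k, v in
                  (line.split(":", 1) for line in err.get("message", "").split("\r\n")
                   if ":" in line))
    hint = None
    if err.get("code") == "Forbidden" and inner == "ForbiddenByRbac":
        hint = ("assign the 'Key Vault Secrets User' role on the vault to the identity "
                "named in 'Caller' (oid), then allow time for RBAC propagation")
    return {"code": err.get("code"), "inner_code": inner, "action": fields.get("Action"),
            "decision": fields.get("DecisionReason"),
            "vault": fields.get("Vault", "").split(";")[0], "hint": hint}


def fetch_secret(vault_url, secret_name, identity_client_id):
    """Read the secret with the VM's user-assigned identity (assumed helper, needs Azure SDK)."""
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient
    cred = ManagedIdentityCredential(client_id=identity_client_id)
    return SecretClient(vault_url=vault_url, credential=cred).get_secret(secret_name).value


# Constructed sample in the shape of the error quoted on this page (placeholder ids).
SAMPLE_FORBIDDEN = json.dumps({"error": {"code": "Forbidden", "message":
    "Caller is not authorized to perform action on resource.\r\n"
    "Caller: appid=00000000-0000-0000-0000-000000000001;oid=00000000-0000-0000-0000-000000000002\r\n"
    "Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\n"
    "Assignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\n"
    "Vault: example-kv;location=westeurope\r\n", "innererror": {"code": "ForbiddenByRbac"}}})

if __name__ == "__main__":
    print(resolve_key_vault_config(os.environ) if "FEWS_AZURE_KEY_VAULT_NAME" in os.environ
          else "FEWS_* variables not set")
    print(diagnose_key_vault_error(SAMPLE_FORBIDDEN))
```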

...