...
To be able to use the Key Vault integration in a Virtual Machine (or in other Azure deployments that support user-assigned identities, such as Azure Kubernetes Service), the VM needs to be assigned a user-assigned identity.
The following example shows how an identity is assigned to a virtual machine. This has to be done for each virtual machine that needs access to the Key Vault.
Key Vault Configuration
In Azure Key Vault, the user-assigned identity has to be assigned the role "Key Vault Secrets User". This is an Azure RBAC role: it only takes effect when the Key Vault uses the Azure role-based access control permission model (not vault access policies), and a new assignment can take a few minutes to propagate. See the following example on how this can be done.
...
If the role is not assigned correctly, you will get an error like the following when starting a Delft-FEWS component (the `oid` is the object id of the identity that made the call, `Action` is the permission it lacked and `Assignment: (not found)` confirms that no role assignment matched):

```
{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/
Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'
Resource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: 'DeniedWithNoValidRBAC'
Vault: fews-fss-scaling-kv;location=westeurope
","innererror":{"code":"ForbiddenByRbac"}}} at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException:345
```
...
Key Vault environment variables follow this convention:
*prefix*DATABASE_URL_SECRET_NAME (name of the secret in the vault that holds the database URL, including username and password)
*prefix*AZURE_KEY_VAULT_NAME (name of the Key Vault)
The prefix for MC and FSS is ALWAYS FEWS_.
The following is an example per component of how to configure these Azure Key Vault environment variables.
Admin Interface
Example ENV variables:
...
Only the prefix FEWS_ is supported. This means that only one MC can be used per Virtual Machine, and the MC subfolder will be created. Example ENV variables:

```
FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
```
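The three steps above (assign a user-assigned identity to the VM, grant it "Key Vault Secrets User" on the vault, then read the secret named by the FEWS_ variables) as one Azure CLI script. This is an added example and not part of the Delft-FEWS documentation or product. The resource group, VM and identity names (`fews-fss-scaling`, `fews-mc-vm`, `fews-mc-identity`) are placeholders; the subscription, vault and secret names are the ones from the error and ENV examples on this page. It also shows how to turn the Forbidden error into a concrete check: extract the caller's `oid` and the `Resource` from the message and list which assignments that identity actually has on the vault.

```bash
#!/usr/bin/env bash
# Added example (not Delft-FEWS code): provision the identity, grant the
# Key Vault role, diagnose "ForbiddenByRbac" and verify access from the VM.
# Resource group / VM / identity names below are assumptions.
set -eu

# With DRY_RUN=1 every az command is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# ARM resource id of the vault: the scope of the role assignment.
# (ARM ids are case-insensitive, which is why Azure's error prints it lower-case.)
kv_scope() {  # kv_scope <subscription-id> <resource-group> <vault-name>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' "$1" "$2" "$3"
}

# Object id (principalId) of the identity's service principal. The role
# assignment must target this object id, not the identity's clientId.
principal_id() {  # principal_id <resource-group> <identity-name>
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "<principalId>"; return; fi
  az identity show --resource-group "$1" --name "$2" --query principalId -o tsv
}

# Create the identity, attach it to the VM and grant "Key Vault Secrets User"
# on the vault. Repeat the VM step for every VM that needs the vault.
kv_grant_vm_identity() {  # kv_grant_vm_identity <sub> <rg> <vm> <identity> <vault>
  local sub="$1" rg="$2" vm="$3" identity="$4" vault="$5"
  run az identity create --resource-group "$rg" --name "$identity"
  run az vm identity assign --resource-group "$rg" --name "$vm" --identities "$identity"
  run az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$(principal_id "$rg" "$identity")" \
    --assignee-principal-type ServicePrincipal \
    --scope "$(kv_scope "$sub" "$rg" "$vault")"
}

# Constructed sample: the relevant part of the Forbidden message shown on
# this page, with the literal \r\n escapes as they appear in the logged JSON.
SAMPLE_FORBIDDEN="Caller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC'"

# Pull one field out of a Forbidden message read from stdin. The oid tells
# you WHICH identity the component used (a VM can carry several), Resource
# tells you which vault/secret it asked for.
kv_forbidden_field() {  # kv_forbidden_field oid|action|resource < error.txt
  case "$1" in
    oid)      sed -n 's/.*;oid=\([0-9a-f-]*\);.*/\1/p' ;;
    action)   sed -n "s/.*Action: '\([^']*\)'.*/\1/p" ;;
    resource) sed -n "s/.*Resource: '\([^']*\)'.*/\1/p" ;;
    *)        echo "unknown field: $1" >&2; return 1 ;;
  esac
}

# List the assignments the failing caller really has on the vault (inherited
# ones included); an empty list confirms the role is missing for that oid.
kv_check_assignment() {  # kv_check_assignment < error.txt
  local err oid resource vault_scope
  err=$(cat)
  oid=$(printf '%s\n' "$err" | kv_forbidden_field oid)
  resource=$(printf '%s\n' "$err" | kv_forbidden_field resource)
  vault_scope="${resource%/secrets/*}"   # strip the secret sub-resource
  run az role assignment list --assignee "$oid" --scope "$vault_scope" \
    --include-inherited -o table
}

# Run ON the VM before starting the MC/FSS: log in as the assigned identity
# and confirm the secret named by the FEWS_ variables is readable. Only the
# secret's id is requested, so the value never lands in a terminal or log.
kv_verify_from_vm() {  # kv_verify_from_vm <identity-client-id>
  run az login --identity --username "$1" --allow-no-subscriptions
  run az keyvault secret show --vault-name "$FEWS_AZURE_KEY_VAULT_NAME" \
    --name "$FEWS_DATABASE_URL_SECRET_NAME" --query id -o tsv
}

# Usage: DRY_RUN=1 ./kv-identity.sh <sub> <rg> <vm> <identity> <vault>
if [ "$#" -eq 5 ]; then
  kv_grant_vm_identity "$@"
fi
```

Run it once with `DRY_RUN=1` to review the generated `az` commands before letting it touch the subscription. When a component still fails after the assignment, pipe its error output into `kv_check_assignment`: if the listed oid is not the identity you granted, the VM is presenting a different identity than the one you configured.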
...