...

To be able to use the Key Vault integration in a Virtual Machine (or in other Azure deployments that support user assigned identities, such as Azure Kubernetes), the VM needs to be assigned a user assigned identity.

The following example shows how an identity is assigned to a virtual machine. This has to be done for each virtual machine that needs access to the key vault.


Key Vault Configuration

In Azure Key Vault, the user assigned identity has to be assigned the role "Key Vault Secrets User". The following example shows how this can be done.

...

If the role is not correctly assigned, you will get an error like the following when starting a Delft-FEWS component:

Code Block
"{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: fews-fss-scaling-kv;location=westeurope\r\n","innererror":{"code":"ForbiddenByRbac"}}}" at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException:345 
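The 403 above carries everything needed to tell a missing role assignment apart from an explicit deny. The following is an added example (not Delft-FEWS code): it parses the logged response into its fields and builds the standard `az role assignment create` call for the vault scope; the sample log line is the one quoted above.

```python
import json

# Constructed sample: the Forbidden response quoted above, as the Azure SDK logs it
# (JSON body followed by the Java stack frame; identifiers are the ones on this page).
SAMPLE_LOG = r"""{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: fews-fss-scaling-kv;location=westeurope\r\n","innererror":{"code":"ForbiddenByRbac"}}}" at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException:345"""


def diagnose_key_vault_error(log_line: str) -> dict:
    """Pull the RBAC decision out of a Key Vault 403 so the fix is unambiguous.

    Returns the caller's object id, the denied action, the vault and whether the
    denial came from a missing role assignment rather than an explicit deny.
    """
    start, end = log_line.find("{"), log_line.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON body found in log line")
    error = json.loads(log_line[start:end + 1])["error"]
    # The message is a CRLF-separated list of "Key: value" lines; keep those.
    fields = {}
    for line in error["message"].splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value.strip().strip("'")
    caller = dict(p.split("=", 1) for p in fields.get("Caller", "").split(";") if "=" in p)
    return {
        "code": error["code"],
        "inner_code": error.get("innererror", {}).get("code"),
        "oid": caller.get("oid"),
        "action": fields.get("Action"),
        "resource": fields.get("Resource", ""),
        "vault": fields.get("Vault", "").split(";")[0],
        "decision": fields.get("DecisionReason"),
        # No assignment found and no deny assignment: the role simply was not granted.
        "missing_role_assignment": fields.get("Assignment") == "(not found)"
        and fields.get("DenyAssignmentId") == "null",
    }


def role_assignment_command(diag: dict) -> str:
    """Build the az CLI call that grants the identity the role this page requires.

    Scope is the vault (the Resource path up to /secrets/); a managed identity is a
    service principal. Allow for RBAC propagation time after running it.
    """
    if not diag["missing_role_assignment"]:
        raise ValueError(f"denial reason is {diag['decision']}, not a missing role")
    scope = diag["resource"].split("/secrets/")[0]
    return (f"az role assignment create --assignee-object-id {diag['oid']} "
            f"--assignee-principal-type ServicePrincipal "
            f'--role "Key Vault Secrets User" --scope {scope}')
```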

...

Key Vault environment variables follow this convention:

*prefix*DATABASE_URL_SECRET_NAME (name of the secret in the key vault)

*prefix*AZURE_KEY_VAULT_NAME (name of the keyvault)

*prefix*AZURE_KEY_VAULT_CLIENT_ID (client id of the managed identity that has access to the key vault. Only required if multiple identities have been assigned to the VM, for example a system assigned and a user assigned identity)

The prefix for the MC and FSS is ALWAYS FEWS_.
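The convention above (component prefix plus fixed suffix, bare FEWS_ for MC and FSS, client id optional) as an added example, not Delft-FEWS code: `key_vault_settings` resolves the variables for one component and fails early when a required one is missing, and `probe_secret_access` checks from the VM that its managed identity can actually read the secret before a component is started. It assumes the public-cloud vault URL form https://<name>.vault.azure.net and the azure-identity / azure-keyvault-secrets packages for the probe.

```python
import os

# Suffixes from the convention above; the component prefix (FEWS_, FEWS_AI_, ...) goes in front.
SECRET_NAME = "DATABASE_URL_SECRET_NAME"
VAULT_NAME = "AZURE_KEY_VAULT_NAME"
CLIENT_ID = "AZURE_KEY_VAULT_CLIENT_ID"
# Master Controller and Forecasting Shell Server only accept the bare FEWS_ prefix.
FIXED_PREFIX_COMPONENTS = {"MC", "FSS"}


def key_vault_settings(component: str, environ=None) -> dict:
    """Resolve the Key Vault variables for one component (MC, FSS, AI, WS, PM, ...).

    Returns prefix, secret_name, vault_url and client_id; client_id is None when the
    variable is not set, so the SDK uses the VM's single assigned identity.
    """
    env = os.environ if environ is None else environ
    prefix = "FEWS_" if component in FIXED_PREFIX_COMPONENTS else f"FEWS_{component}_"
    missing = [prefix + s for s in (SECRET_NAME, VAULT_NAME) if not env.get(prefix + s)]
    if missing:
        raise KeyError(f"required Key Vault variables not set: {', '.join(missing)}")
    # Tolerate the quoted values used in the examples on this page.
    vault = env[prefix + VAULT_NAME].strip('"')
    return {
        "prefix": prefix,
        "secret_name": env[prefix + SECRET_NAME].strip('"'),
        "vault_url": f"https://{vault}.vault.azure.net",  # assumption: Azure public cloud
        "client_id": env.get(prefix + CLIENT_ID, "").strip('"') or None,
    }


def probe_secret_access(settings: dict) -> bool:
    """Return True if the VM's managed identity can read the configured secret.

    Runs on the VM itself (needs azure-identity and azure-keyvault-secrets). A 403
    means the 'Key Vault Secrets User' role is missing for that identity.
    """
    from azure.core.exceptions import HttpResponseError
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    # Only pin the client id when several identities are assigned to the VM.
    kwargs = {"client_id": settings["client_id"]} if settings["client_id"] else {}
    client = SecretClient(vault_url=settings["vault_url"],
                          credential=ManagedIdentityCredential(**kwargs))
    try:
        client.get_secret(settings["secret_name"])
        return True
    except HttpResponseError as exc:
        if exc.status_code == 403:
            return False
        raise
```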

The following is an example per component of how to configure these Azure Key Vault environment variables.

Admin Interface

Example ENV variables:

Code Block
FEWS_AI_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AI_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
FEWS_AI_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id

In case OpenID Connect is used to log in to the Admin Interface, the client secret can also be retrieved from the Azure Key Vault. This is possible since 2024.01.

The ENV variable FEWS_AI_AZURE_KEY_VAULT_NAME has to be set for this case as well. If the secret in the key vault is named Oauth2ClientSecret, the ENV variable FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME can be used to retrieve it from the Azure Key Vault.

Code Block
FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME=Oauth2ClientSecret


Master Controller

Only the prefix FEWS_ is supported. This means that only one MC can be used per Virtual Machine, and the MC subfolder will be created. Example ENV variables:

Code Block
FEWS_DATABASE_URL_SECRET_NAME="databaseUrlWithUsernameAndPassword"
FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id

Forecasting Shell Server

Only the prefix FEWS_ is supported. Example ENV variables:

Code Block
FEWS_FSS_INDEX_1_CLIENT_CONFIG_FILE_NAME="fss_clientConfig.xml"
FEWS_FSS_INDEX_1_GROUP="linux"
FEWS_DATABASE_URL_SECRET_NAME="databaseUrlWithUsernameAndPassword"
FEWS_AZURE_KEY_VAULT_NAME="fews-fss-scaling-kv"
FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id

Web Services

Example ENV variables:

Code Block
FEWS_WS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_WS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
FEWS_WS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id

Database Proxy

Example ENV variables:

Code Block
FEWS_DATABASE_URL_SECRET_NAME="databaseUrlWithUsernameAndPassword"
FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id

In case OpenID Connect is used to log in to the Database Proxy, the client secret can also be retrieved from the Azure Key Vault. This is possible since 2024.01.

The ENV variable FEWS_AZURE_KEY_VAULT_NAME has to be set for this case as well. If the secret in the key vault is named Oauth2ClientSecret, the ENV variable FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME can be used to retrieve it from the Azure Key Vault.

Code Block
FEWS_DATABASE_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME=Oauth2ClientSecret

Project Manager

Example ENV variables:

Code Block
FEWS_PM_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
FEWS_AZURE_KEY_VAULT_CLIENT_ID=my-optional-client-id

For the Project Manager, the client secret can also be retrieved from the Azure Key Vault. This is possible since 2024.01.

The ENV variable FEWS_PM_AZURE_KEY_VAULT_NAME has to be set for this case as well. If the secret in the key vault is named Oauth2ClientSecret, the ENV variable FEWS_AI_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME can be used to retrieve it from the Azure Key Vault.

Code Block
FEWS_PM_AUTHENTICATION_OAUTH2_CLIENT_SECRET_NAME=Oauth2ClientSecret

Archive Server

For an archive server that is configured with OIDC login, the client secret can also be retrieved from the Azure Key Vault. This is possible since 2024.01. In archiveServerConfig.xml, use the clientSecretKeyVaultName element instead of the clientSecret element. For example:

Code Block
<arc:clientSecretKeyVaultName keyVault="fews-fss-scaling-kv">Oauth2FrontEndClientSecret</arc:clientSecretKeyVaultName>

Global Properties

Azure Secrets can also be used in the global properties of a Forecasting Shell Server or the Web Services.

...