Table of Contents
Introduction
Azure Key Vault is a service provided by Azure to manage secrets. Since 2023.02 all Delft-FEWS components that connect to the database with a JDBC URL can use Azure Key Vault to store the JDBC URL including the username and password as a secret.
It is required for a Virtual Machine or Container that runs in Azure to have a user assigned managed identiy. See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities
The identity that is used has to be given permissions to access the Azure Key Vault where the secret is configured. Both the name of the Key Vault and the Secret name have to be provided to the Delft-FEWS Components using ENV variables.
Azure Configuration
In the following screenshot a keyvault with the name "fews-fss-scaling-kv" is shown that contains several secrets. In this case the secret called databaseUrlWIthUsernameAndPassword is used as an example.
The value of the databaseUrlWIthUsernameAndPassword secret is similar to:
jdbc:sqlserver://mydatabaseserver:1433;database=fewsfsscalingmc00;user=myuser;password=dymmy;encrypt=true;
So the secret contains a JDBC URL including the username and password required to connect to the database.
To be able to use the Key Vault integration in a Virtual Machine (or other Azure deployments that support user assigned identities, like Azure Kubernetes), the VM needs to be assigned a User assigned identiy.
In the following example one identity is assigned.
Key Vault Configuration
In Azure Key Vault, the user assigned identity has to be assigned the "Key Vault Secrets User". See the following example on how this can be done.
If the assigment was done correctly, it should look similar to this:
If not correctly assigned, you will get an error like:
"{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: fews-fss-scaling-kv;location=westeurope\r\n","innererror":{"code":"ForbiddenByRbac"}}}" at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException:345
Configure Delft-FEWS Components to use Azure Key Vault
Key Vault Environment variables follow the following convention.
*prefix*DATABASE_URL_SECRET_NAME
*prefix*AZURE_KEY_VAULT_NAME
prefix for MC and FSS is ALWAYS FEWS_
Admin Interface
Example ENV variables:
FEWS_AI_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_AI_AZURE_KEY_VAULT_NAME=fews-key-vault
Master Controller
Only prefix FEWS_ is supported. This means only one mc van be used per Virtual Machine and the MC subfolder will be created. Example ENV variables:
FEWS_DATABASE_URL_SECRET_NAME="databaseUrlWithUsernameAndPassword" FEWS_AZURE_KEY_VAULT_NAME="fews-key-vault"
Forecasting Shell Server
Only prefix FEWS_ is supported. Example ENV variables:
FEWS_FSS_INDEX_1_CLIENT_CONFIG_FILE_NAME="fss_clientConfig.xml" FEWS_FSS_INDEX_1_GROUP="linux" FEWS_DATABASE_URL_SECRET_NAME="databaseUrlWithUsernameAndPassword" FEWS_AZURE_KEY_VAULT_NAME="fews-key-vault"
Web Services
Example ENV variables:
FEWS_WS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_WS_AZURE_KEY_VAULT_NAME=fews-key-vault
Database Proxy
Example ENV variables:
FEWS_DATABASE_URL_SECRET_NAME="databaseUrlWithUsernameAndPassword" FEWS_AZURE_KEY_VAULT_NAME="fews-key-vault"
Project Manager
Example ENV variables:
FEWS_PM_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword FEWS_AZURE_KEY_VAULT_NAME=fews-key-vault
Global Properties
Azure Secrets can also be used in the global properties of a Forecasting Shell Server or the Web Services.
For example to configure a password that is required during an import, the property can be condfigured as follows:
importPassword=%SECRET(azureSecretName)%