Introduction
Azure Key Vault is a service provided by Azure to manage secrets. Since 2023.02 all Delft-FEWS components that connect to the database with a JDBC URL can use Azure Key Vault to store the JDBC URL including the username and password as a secret.
It is required for a Virtual Machine or Container that runs in Azure to have a user assigned managed identity. See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities
The identity that is used has to be given permissions to access the Azure Key Vault where the secret is configured. Both the name of the Key Vault and the Secret name have to be provided to the Delft-FEWS Components using ENV variables.
Azure Configuration
In the following screenshot a key vault with the name "fews-fss-scaling-kv" is shown that contains several secrets. In this case the secret called databaseUrlWithUsernameAndPassword is used as an example.
The value of the databaseUrlWithUsernameAndPassword secret is similar to:
jdbc:sqlserver://mydatabaseserver:1433;database=fewsfsscalingmc00;user=myuser;password=dummy;encrypt=true;
So the secret contains a JDBC URL including the username and password required to connect to the database.
To be able to use the Key Vault integration in a Virtual Machine (or other Azure deployments that support user assigned identities, like Azure Kubernetes), the VM needs to be assigned a user assigned identity.
In the following example it is shown how an identity is assigned to a virtual machine. This has to be done for each virtual machine that needs access to the key vault.
Key Vault Configuration
In Azure Key Vault, the user assigned identity has to be assigned the role: "Key Vault Secrets User". See the following example on how this can be done.
If the assignment was done correctly, it should look similar to this:
If the role is not correctly assigned, you will get an error like the following when starting a Delft-FEWS component:
"{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=09325589-1bbf-4b3c-bce5-77ca17486d10;oid=d7bd2904-54bb-480c-8019-20fcf772cd1c;iss=https://sts.windows.net/15f3fe0e-d712-4981-bc7c-fe949af215bb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/697b5160-f2bb-46a0-aec8-30a32e201ddd/resourcegroups/fews-fss-scaling/providers/microsoft.keyvault/vaults/fews-fss-scaling-kv/secrets/databaseurlwithusernameandpassword'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: fews-fss-scaling-kv;location=westeurope\r\n","innererror":{"code":"ForbiddenByRbac"}}}" at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException:345
Configure Delft-FEWS Components to use Azure Key Vault
Key Vault Environment variables follow the following convention:
*prefix*DATABASE_URL_SECRET_NAME
*prefix*AZURE_KEY_VAULT_NAME
The prefix for the MC and the FSS is ALWAYS FEWS_
The following is an example per component on how to configure these Azure Key Vault environment variables.
Admin Interface
Example ENV variables:
FEWS_AI_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AI_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
Master Controller
Only the prefix FEWS_ is supported. Only one MC can be used per Virtual Machine. Example ENV variables:
FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
Forecasting Shell Server
Only the prefix FEWS_ is supported. Example ENV variables:
FEWS_FSS_INDEX_1_CLIENT_CONFIG_FILE_NAME=fss_clientConfig.xml
FEWS_FSS_INDEX_1_GROUP=linux
FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AZURE_KEY_VAULT_NAME="fews-fss-scaling-kv"
Web Services
Example ENV variables:
FEWS_WS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_WS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
Database Proxy
Example ENV variables:
FEWS_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AZURE_KEY_VAULT_NAME=fews-fss-scaling-kv
Project Manager
Example ENV variables:
FEWS_PM_DATABASE_URL_SECRET_NAME=databaseUrlWithUsernameAndPassword
FEWS_AZURE_KEY_VAULT_NAME=fews-key-vault
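Before starting a component it is useful to check, from the VM itself, that the environment variables follow the convention above and that the managed identity is actually allowed to read the secret (the "ForbiddenByRbac" error shown earlier is exactly what this catches). The following diagnostic is an added example written for this page, not Delft-FEWS code: it mimics the component's lookup of *prefix*DATABASE_URL_SECRET_NAME and *prefix*AZURE_KEY_VAULT_NAME, fetches the secret with the Python Azure SDK and prints the JDBC URL with the password masked. It assumes the public Azure vault URL form https://<name>.vault.azure.net and that the identity's client id, if more than one identity is attached, is passed in the AZURE_CLIENT_ID variable.

```python
"""Diagnostic that mimics the Delft-FEWS Key Vault lookup (example, not product code).

For a real run install azure-identity and azure-keyvault-secrets; the env-var
resolution and URL masking below need no Azure access.
"""
import os
import re
from typing import Mapping, Optional, Tuple

SECRET_SUFFIX = "DATABASE_URL_SECRET_NAME"
VAULT_SUFFIX = "AZURE_KEY_VAULT_NAME"


def resolve_key_vault_settings(prefix: str, env: Mapping[str, str]) -> Tuple[str, str]:
    """Return (vault_url, secret_name) for a component prefix such as FEWS_ or FEWS_WS_."""
    try:
        secret_name = env[prefix + SECRET_SUFFIX]
        vault_name = env[prefix + VAULT_SUFFIX]
    except KeyError as missing:
        raise ValueError(f"environment variable {missing.args[0]} is not set") from None
    # Tolerate a quoted value such as the FSS example ("fews-fss-scaling-kv").
    vault_name = vault_name.strip().strip('"')
    # Assumption: public Azure cloud; sovereign clouds use a different DNS suffix.
    return f"https://{vault_name}.vault.azure.net", secret_name


def redact_jdbc_url(url: str) -> str:
    """Mask the password=... property so the JDBC URL can be logged safely."""
    return re.sub(r"(?i)(password=)[^;]*", r"\1***", url)


def fetch_database_url(prefix: str, env: Mapping[str, str],
                       client_id: Optional[str] = None) -> str:
    """Read the secret with the VM's user-assigned managed identity.

    A missing "Key Vault Secrets User" role surfaces here as an HttpResponseError
    with the same Forbidden/ForbiddenByRbac body the component logs.
    """
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    vault_url, secret_name = resolve_key_vault_settings(prefix, env)
    credential = ManagedIdentityCredential(client_id=client_id)
    client = SecretClient(vault_url=vault_url, credential=credential)
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    import sys
    component_prefix = sys.argv[1] if len(sys.argv) > 1 else "FEWS_"
    url = fetch_database_url(component_prefix, os.environ, os.environ.get("AZURE_CLIENT_ID"))
    print(redact_jdbc_url(url))
```

Run it as `python kv_check.py FEWS_WS_` on the VM with the same environment the component will get; a successful masked URL confirms both the variable names and the role assignment.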
Global Properties
Azure Secrets can also be used in the global properties of a Forecasting Shell Server or the Web Services.
For example, to configure a password that is required during an import, the property can be configured as follows:
importPassword=%SECRET(azureSecretName)%