Integrating Azure Key Vault Secret with webMethods Integration Server using REST API's

Introduction

Azure Key Vault is a service that you can use to securely store your passwords, keys, secrets, and certificates. This post illustrates how you can leverage Azure Key Vault Secret with webMethods Integration Server using REST APIs.

By using Azure Key Vault Secret with Integration Server you can rule out the possibility of having the need to store config parameters, like URLs, usernames, or passwords that you may need internally on your local server. Another prominent advantage is the fact that since this will be on Azure Cloud, any appropriate authority can manage the Secrets stored in Azure from anywhere without having the need to switch the network.

Some of the use cases this can cater to are:

  • Use secret to store connection/config parameters like DB URL, SharePoint URL’s etc
  • Use secret to store API authentication details like password or key

You will need access to the below Azure services:

  1. Virtual machine (you can alternatively use your local IS, the procedure remains the same)
  2. Azure Active Directory
  3. Azure Key Vault

The steps involved in the POC are explained below. The approach that is elaborated is the one using REST API’s of Microsoft. Details on the REST API used in this POC can be found in the below link,

Get Secret - Get Secret (Azure Key Vault) | Microsoft Docs

STEP 1:Install and configure IS

Install IS either on your local machine or Azure VM.

If using Azure VM, ensure to open port at VM Firewall level and also at the Azure Networking level.

Adding port at VM firewall level
image

Adding port at Azure Networking level
image

STEP 2:Create Application in Azure Active Directory. This will be used to authenticate access to key vault

Navigate to Azure Active Directory to create an application.
image

Provide appropriate permissions to the application you just created,
image

Also, make a note of the client’s secret. Client Secret can be copied only once. Be sure to copy it once you grant the API permissions.
image

Navigate to the overview tab of the application to note down the Application ID, Tenant ID and Endpoint.
image

Once you have completed creating an application and granting the necessary permissions, you will have the below:

  • Client Secret
  • Application ID (becomes Client ID in your HTTP request)

STEP 3:

Create an Azure Key Vault Secret and grant appropriate permissions to the application that you created in Step 2.

Create Secret:
image

Add access policy and grant permission:
image

STEP 4:

Create a flow service in IS to invoke the Azure Rest API’s for fetching secret.
In the first HTTP invoke, fetch token from Azure by using the secret that the application. This token will then be used to authenticate the next HTTP invoke for fetching secret.

Below are the Azure APIs to be used,

  • To get token
    https://login.microsoftonline.com/{client -secret}/oauth2/v2.0/token
  • To fetch secret
    GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.1

The snapshot below elaborates on the steps required in a flow service to fetch a secret value from Azure Key Vault

image

1 Like