Azure Key Vault is a service that you can use to securely store your passwords, keys, secrets, and certificates. This post illustrates how you can leverage Azure Key Vault Secret with webMethods Integration Server using REST APIs.
By using Azure Key Vault Secret with Integration Server, you avoid having to store config parameters such as URLs, usernames, or passwords that you need internally on your local server. Another prominent advantage is that, because the secrets live in Azure Cloud, any appropriate authority can manage them from anywhere without needing to switch networks.
Some of the use cases this can cater to are:
- Use a secret to store connection/config parameters like a DB URL, SharePoint URLs, etc.
- Use a secret to store API authentication details like a password or key
You will need access to the below Azure services:
- Virtual machine (you can alternatively use your local IS, the procedure remains the same)
- Azure Active Directory
- Azure Key Vault
The steps involved in the POC are explained below. The approach elaborated here uses Microsoft's REST APIs. Details on the REST API used in this POC can be found in the link below:
STEP 1: Install and configure IS
Install IS either on your local machine or on an Azure VM.
If using an Azure VM, be sure to open the port at the VM firewall level and also at the Azure Networking level.
Adding port at VM firewall level
Adding port at Azure Networking level
STEP 2: Create an application in Azure Active Directory. This will be used to authenticate access to the key vault
Navigate to Azure Active Directory to create an application.
Provide appropriate permissions to the application you just created.
Also, make a note of the client secret. The client secret can be copied only once. Be sure to copy it once you grant the API permissions.
Navigate to the overview tab of the application to note down the Application ID, Tenant ID and Endpoint.
Once you have completed creating an application and granting the necessary permissions, you will have the below:
- Client Secret
- Application ID (becomes Client ID in your HTTP request)
Create an Azure Key Vault Secret and grant appropriate permissions to the application that you created in Step 2.
Add access policy and grant permission:
Create a flow service in IS to invoke the Azure REST APIs for fetching the secret.
In the first HTTP invoke, fetch a token from Azure by using the client secret of the application. This token is then used to authenticate the next HTTP invoke, which fetches the secret.
Below are the Azure APIs to be used:
- To get token
- To fetch secret
The snapshot below elaborates on the steps required in a flow service to fetch a secret value from Azure Key Vault
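The two HTTP invokes described above, sketched in Python as an added example (this is not the flow service from the original post). It assumes Microsoft's identity platform v2.0 token endpoint and the Key Vault "Get Secret" REST operation with api-version `7.4`; the vault, tenant and secret names are placeholders, and the vault name is validated so the bearer token is only ever sent to a `*.vault.azure.net` host.

```python
import json
import urllib.parse
import urllib.request

LOGIN_HOST = "https://login.microsoftonline.com"  # Microsoft identity platform
VAULT_SUFFIX = ".vault.azure.net"                 # Azure public cloud vault DNS suffix
API_VERSION = "7.4"                               # assumed Key Vault REST api-version

def build_token_request(tenant_id, client_id, client_secret):
    """First HTTP invoke: client-credentials grant scoped to Key Vault."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application ID from Step 2
        "client_secret": client_secret,  # load from protected config, never hard-code
        "scope": "https://vault.azure.net/.default",
    }).encode()
    tenant = urllib.parse.quote(tenant_id, safe="")
    return urllib.request.Request(
        f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/token", data=form, method="POST")

def parse_token_response(body):
    """Extract the access token; reject anything that is not a Bearer grant."""
    doc = json.loads(body)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("token response has no bearer access_token")
    return doc["access_token"]

def build_secret_request(vault_name, secret_name, token):
    """Second HTTP invoke: GET the secret, sending the token only to a vault host."""
    if not (vault_name.isascii() and vault_name.replace("-", "").isalnum()):
        raise ValueError("vault name must contain only letters, digits and hyphens")
    name = urllib.parse.quote(secret_name, safe="")
    url = f"https://{vault_name}{VAULT_SUFFIX}/secrets/{name}?api-version={API_VERSION}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def fetch_secret(tenant_id, client_id, client_secret, vault_name, secret_name,
                 opener=urllib.request.urlopen):
    """Run both invokes; `opener` is injectable so the flow can be tested offline."""
    with opener(build_token_request(tenant_id, client_id, client_secret)) as resp:
        token = parse_token_response(resp.read())
    with opener(build_secret_request(vault_name, secret_name, token)) as resp:
        return json.loads(resp.read())["value"]
```
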