1. API Key Vault for Secure Model Endpoint Access


    When building a secure system that provides access to an AI model endpoint, it is crucial to manage API keys and other secrets securely. This is where services like Azure Key Vault come into play. Azure Key Vault is a cloud service that provides a secure store for secrets, keys, and certificates. You can use Azure Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

    Below is a Pulumi program in Python that demonstrates how to create an Azure Key Vault, add a secret to it (which can be an API key), and create a private endpoint connection to limit access to the Key Vault within your Azure virtual network. This setup ensures that only applications within your own network can access the keys stored in your Key Vault, thereby increasing security.

    Please note that you will need to have the Azure provider configured with appropriate credentials to run this Pulumi program.

    import pulumi
    import pulumi_azure_native as azure_native

    # Replace with your resource group name and location if needed
    resource_group = azure_native.resources.ResourceGroup(
        "resourceGroup",
        resource_group_name="my-resource-group",
        location="EastUS",
    )

    # Create an Azure Key Vault
    key_vault = azure_native.keyvault.Vault(
        "myKeyVault",
        resource_group_name=resource_group.name,
        location=resource_group.location,
        properties=azure_native.keyvault.VaultPropertiesArgs(
            tenant_id="your-tenant-id",  # Replace with your Azure Tenant ID
            sku=azure_native.keyvault.SkuArgs(
                family="A",  # required by the API; "A" is the only SKU family
                name="standard",
            ),
            access_policies=[],  # Define access policies as needed
            # Refuse traffic from the public internet so that the private
            # endpoint created below is the only route to the vault's data plane
            public_network_access="Disabled",
        ),
    )

    # Add a secret to the Key Vault. This secret could be an API key.
    api_key_secret = azure_native.keyvault.Secret(
        "mySecret",
        resource_group_name=resource_group.name,
        vault_name=key_vault.name,
        secret_name="api-key",
        properties=azure_native.keyvault.SecretPropertiesArgs(
            # The actual secret (API key) value. Output.secret() makes Pulumi
            # encrypt it in the state file instead of keeping it in plaintext.
            value=pulumi.Output.secret("my-secure-api-key"),
        ),
    )

    # Create a private endpoint connection for the Key Vault to make it
    # accessible only within your own network.
    # Ensure you have a virtual network and a subnet configured for the
    # private endpoint.
    private_endpoint = azure_native.network.PrivateEndpoint(
        "myPrivateEndpoint",
        resource_group_name=resource_group.name,
        location=resource_group.location,
        private_link_service_connections=[
            azure_native.network.PrivateLinkServiceConnectionArgs(
                private_link_service_id=key_vault.id,
                group_ids=["vault"],
                private_link_service_connection_state=azure_native.network.PrivateLinkServiceConnectionStateArgs(
                    status="Approved",
                ),
            )
        ],
        # Replace with your subnet ID
        subnet=azure_native.network.SubnetArgs(id="your-subnet-id"),
    )

    # Export the Key Vault URI and the Secret's identifier
    pulumi.export("keyVaultUri", key_vault.properties.vault_uri)
    pulumi.export("secretId", api_key_secret.id)

    In this program, we first create a resource group which acts as a container that holds related resources for an Azure solution. Then we create an Azure Key Vault resource with appropriate properties like the tenant ID and the SKU. We limit access by setting the access_policies to an empty list initially, which you can later configure to grant access to specific services or principals.

    We then create a secret within the Key Vault by instantiating an azure_native.keyvault.Secret with a value that represents your API key. Replace "my-secure-api-key" with the actual key you want to store securely.

    Finally, we create a PrivateEndpoint which establishes a private link to the Azure Key Vault. Ensure you have an existing virtual network and a dedicated subnet for the private endpoint, and replace "your-subnet-id" with the actual subnet ID.

    The two values exported at the end of the program are the URI of the Key Vault and the resource identifier of the secret. These are useful for referencing in other applications or resources that need to access the key securely.

    Before running this Pulumi program, make sure you have set your Azure credentials correctly so that Pulumi can authenticate and create the resources. You should also replace placeholder values such as "your-tenant-id", "your-subnet-id", and "my-secure-api-key" with actual values pertinent to your Azure account and the secret you wish to store.
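    A private endpoint by itself does not stop the vault from also answering on its public endpoint, so it is worth verifying the deployed vault's configuration rather than trusting the program's intent. The following checker is an added example, not part of the page above and not Pulumi or Azure SDK code: it takes the resource JSON that `az keyvault show` returns (the Microsoft.KeyVault/vaults ARM property names are used as-is) and reports any setting that would undermine the "reachable only from my network" goal. The two vault records below are constructed for illustration; the object IDs are placeholders.

```python
"""Offline configuration check for an Azure Key Vault resource record.

Input is a dict shaped like the JSON from `az keyvault show -n <name> -o json`
(Azure Resource Manager property names). Sample records are constructed.
"""
import json

# Data-plane permissions on secrets that are wider than an API consumer needs.
BROAD_SECRET_PERMISSIONS = {"all", "purge"}


def check_vault(vault: dict) -> list:
    """Return a list of findings for one vault; an empty list means it passes."""
    props = vault.get("properties", {})
    findings = []

    # 1. A private endpoint does not disable the public endpoint; it must be
    #    turned off explicitly (the page's program sets this to Disabled).
    if props.get("publicNetworkAccess", "Enabled").lower() != "disabled":
        findings.append("publicNetworkAccess is not Disabled")

    # 2. The vault firewall should deny by default as a second layer.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() != "deny":
        findings.append("networkAcls.defaultAction is not Deny")

    # 3. With public access off, at least one approved private endpoint
    #    connection is needed or nothing can reach the vault at all.
    conns = props.get("privateEndpointConnections") or []
    approved = [
        c for c in conns
        if c.get("properties", {})
            .get("privateLinkServiceConnectionState", {})
            .get("status") == "Approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection")

    # 4. Soft delete and purge protection prevent irreversible loss of keys.
    if not props.get("enableSoftDelete", False):
        findings.append("enableSoftDelete is off")
    if not props.get("enablePurgeProtection", False):
        findings.append("enablePurgeProtection is off")

    # 5. Each access policy should grant only narrow secret permissions
    #    (get/list for a consumer), never "all" or "purge".
    for policy in props.get("accessPolicies") or []:
        perms = {p.lower() for p in policy.get("permissions", {}).get("secrets", [])}
        broad = perms & BROAD_SECRET_PERMISSIONS
        if broad:
            findings.append(
                f"access policy for {policy.get('objectId')} grants {sorted(broad)} on secrets"
            )
    return findings


# Constructed sample: what the program above intends to produce.
HARDENED_VAULT = {
    "name": "myKeyVault",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
        "privateEndpointConnections": [
            {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
        ],
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "accessPolicies": [
            {"objectId": "00000000-0000-0000-0000-000000000001",  # placeholder
             "permissions": {"secrets": ["get", "list"]}}
        ],
    },
}

# Constructed sample: a vault left on defaults with one over-broad policy.
DEFAULT_VAULT = {
    "name": "leakyVault",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "enableSoftDelete": True,
        "accessPolicies": [
            {"objectId": "00000000-0000-0000-0000-000000000002",  # placeholder
             "permissions": {"secrets": ["all"]}}
        ],
    },
}


if __name__ == "__main__":
    for vault in (HARDENED_VAULT, DEFAULT_VAULT):
        print(json.dumps({"vault": vault["name"], "findings": check_vault(vault)}, indent=2))
```

    Run it after `pulumi up` by piping `az keyvault show` output into `check_vault`; the hardened record yields no findings, while the default record is flagged on public access, firewall default action, missing private endpoint, purge protection and the over-broad access policy.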