1. Protecting AI API Keys with Azure Key Vault

    To securely store and manage API keys for AI services in Azure, you can use Azure Key Vault. Azure Key Vault is a cloud service that provides secure storage for secrets such as API keys, passwords, certificates, and cryptographic keys. With Azure Key Vault, you can control access to the secrets, monitor their usage, and keep sensitive information out of your source code.

    Here's how you can protect AI API keys with Azure Key Vault using Pulumi:

    1. Set up Azure Key Vault: You need to create an instance of Azure Key Vault where you will store your AI API keys as secrets.
    2. Add Secrets to Key Vault: After setting up the Key Vault, you'll add your API keys to the Vault as secrets.
    3. Access Management: You will set up access policies to determine who can access the secrets in the Key Vault.
    4. Use the Secrets in your application: In your application, instead of hard-coding the API keys, you will retrieve them from the Key Vault using Azure’s SDK or REST API.

    Below is a detailed Pulumi program in Python that accomplishes the steps outlined above:

    ```python
    import pulumi
    import pulumi_azure_native as azure_native

    # Step 3 (declared first so the vault can reference it): access policy entry.
    # It grants a service principal or user (identified by object_id) permission
    # to read secrets. Replace 'OBJECT_ID' with the actual object ID.
    access_policy = azure_native.keyvault.AccessPolicyEntryArgs(
        tenant_id="YOUR_TENANT_ID",
        object_id="OBJECT_ID",
        permissions=azure_native.keyvault.PermissionsArgs(
            secrets=[
                "get",
            ],
        ),
    )

    # Step 1: Create the Azure Key Vault
    # The Vault is created in a resource group with a specific SKU and tenant ID.
    key_vault = azure_native.keyvault.Vault(
        "myKeyVault",
        resource_group_name="myResourceGroup",
        location="eastus",
        properties=azure_native.keyvault.VaultPropertiesArgs(
            sku=azure_native.keyvault.SkuArgs(
                family="A",
                name=azure_native.keyvault.SkuName.STANDARD,
            ),
            tenant_id="YOUR_TENANT_ID",
            # The access policy is attached when the vault is created.
            access_policies=[access_policy],
        ),
    )

    # Step 2: Add AI API keys to the Key Vault as secrets
    # Replace 'my-secret-value' with your actual API key. Do not commit the real
    # key: read it from encrypted Pulumi config instead, for example with
    # pulumi.Config().require_secret("aiApiKey") ("aiApiKey" is a placeholder name).
    api_key_secret = azure_native.keyvault.Secret(
        "myApiKeySecret",
        resource_group_name="myResourceGroup",
        vault_name=key_vault.name,
        properties=azure_native.keyvault.SecretPropertiesArgs(
            value="my-secret-value",
        ),
    )

    # Step 4: Retrieve the secret in your application
    # Normally this part is handled in your application's code, where you would
    # retrieve the secret using Azure's SDK.

    # Export the ID of the Key Vault and Secret (Optional)
    # You might want to export these values to reference them in other parts of
    # your infrastructure or app.
    pulumi.export("key_vault_id", key_vault.id)
    pulumi.export("api_key_secret_id", api_key_secret.id)
    ```

    In the above program:

    • Replace YOUR_TENANT_ID with your Azure tenant ID.
    • Replace my-secret-value with the actual secret value you want to store in the Key Vault.
    • Replace OBJECT_ID with the object ID of the user or service principal that should be allowed to retrieve the secret.
    • The location in the Vault resource should be set to a region that makes sense for your application.
    • You might want to export values, such as the ID of the Key Vault or the Secret, to reference them elsewhere in your infrastructure or application.

    This program effectively creates a secure location for your AI API keys, ensuring they are not exposed in your code base and that only authorized entities can access them.
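
Step 4 is left as a comment in the program above. As an added example (not part of the original page), here is one way an application could read the key at runtime with the `azure-identity` and `azure-keyvault-secrets` packages, caching it briefly and keeping it out of `repr` output. The class name, the TTL and the environment variable names are assumptions.

```python
import os
import time


def fetch_from_key_vault(vault_url, secret_name):
    """Read one secret value with the Azure SDK for Python."""
    # Imported lazily so this module loads even where the SDK is not installed.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    # DefaultAzureCredential uses a managed identity, environment variables or
    # a developer login; that identity needs the "get" secret permission.
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value


class VaultBackedKey:
    """API key held in memory and re-read from Key Vault after `ttl` seconds."""

    def __init__(self, vault_url, secret_name, ttl=300.0,
                 fetch=fetch_from_key_vault, clock=time.monotonic):
        if not vault_url.lower().startswith("https://"):
            raise ValueError("vault_url must be an https:// Key Vault URL")
        self._vault_url, self._secret_name = vault_url, secret_name
        self._ttl, self._fetch, self._clock = ttl, fetch, clock
        self._value, self._expires = None, 0.0

    def get(self):
        now = self._clock()
        if self._value is None or now >= self._expires:
            value = self._fetch(self._vault_url, self._secret_name)
            if not value:
                raise RuntimeError("Key Vault returned an empty secret")
            # Cache briefly: fewer vault calls, and a rotated key is picked up.
            self._value, self._expires = value, now + self._ttl
        return self._value

    def __repr__(self):
        # Never include the key, so it cannot leak through logs or tracebacks.
        return f"VaultBackedKey({self._vault_url!r}, {self._secret_name!r}, <redacted>)"


def key_from_env(fetch=fetch_from_key_vault):
    # KEY_VAULT_URL and AI_API_KEY_SECRET_NAME are assumed variable names.
    return VaultBackedKey(os.environ["KEY_VAULT_URL"],
                          os.environ["AI_API_KEY_SECRET_NAME"], fetch=fetch)
```

Pass the vault URL and secret name from the stack outputs or deployment settings, since the deployed resource names may differ from the logical names used in the Pulumi program.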