Secure Access to AI Service APIs via Azure Key Vault

Question

Pulumi · Accepted Answer

To secure access to AI service APIs via Azure Key Vault, you'll need to set up a few Azure resources:

1. An **Azure Key Vault** to store secrets such as API keys securely.
2. A **Secret within the Azure Key Vault** that represents the API key for the AI service.

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates.

Below is a Pulumi program written in Python that sets up an Azure Key Vault and adds a secret to it representing the API key for an AI service. For simplicity, we're creating a secret with a placeholder value – you'd replace this with your actual API key.

```python
import pulumi
import pulumi_azure_native.keyvault as keyvault
import pulumi_azure_native.resources as resources

# Create an Azure resource group, a logical container into which Azure resources are deployed and managed
resource_group = resources.ResourceGroup('resource_group')

# Create an Azure Key Vault for securely storing API keys
key_vault = keyvault.Vault('key_vault',
    resource_group_name=resource_group.name,
    location=resource_group.location,
    properties=keyvault.VaultPropertiesArgs(
        tenant_id=pulumi.Config('azure-native').require('tenantId'), # Your Azure tenant ID
        sku=keyvault.SkuArgs(
            name='standard',  # The SKU for the vault. The standard SKU is intended for use cases that don't require premium capabilities.
            family='A'
        ),
        access_policies=[], # Define access policies here
        soft_delete_retention_in_days=7, # Soft delete allows recovery of the deleted vault and its content within this period
    )
)

# Create an Azure Key Vault Secret
api_secret = keyvault.Secret('api_secret',
    resource_group_name=resource_group.name,
    vault_name=key_vault.name,
    properties=keyvault.SecretPropertiesArgs(
        # The value of the secret. You should secure this in your configuration, not in code directly.
        value='your_ai_service_api_key',
    )
)

# Export the Azure Key Vault's URI
pulumi.export('key_vault_uri', key_vault.properties.apply(lambda prop: prop.vault_uri))
# Export the secret name
pulumi.export('secret_name', api_secret.name)
```

This program performs the following actions:

- It creates a resource group using `resources.ResourceGroup`. This group is used to organize all the resources in Azure.
- It provisions an Azure Key Vault using `keyvault.Vault`. This vault is where the API keys will be stored.
- It stores a secret using `keyvault.Secret`. The secret holds the placeholder for your AI service API key.

In a real-world scenario, you need to replace `'your_ai_service_api_key'` with the actual API key for the AI service you're using. Remember to never hard-code secrets in your code; this is just for illustration purposes. It's best practice to use configuration files or environment variables to handle secrets.

Additionally, you'll need to specify the Azure tenant ID where you want to create these resources. The `pulumi.Config('azure-native').require('tenantId')` line is used to pull your tenant ID from the Pulumi configuration system.

Once you've run this Pulumi program, you'll have a secure location (the Key Vault) from which you can programmatically access secrets for your AI service APIs. You can reference the secret in your applications by using the URI and name outputted by the program.

Remember, you will need the Azure provider configured with appropriate credentials to run this program successfully. Typically, this would be done using the Azure CLI and running `az login` before executing Pulumi commands.