1. Protecting AI Service Access Tokens using Azure Key Vault

    Python

    Azure Key Vault is a cloud service provided by Microsoft Azure for securely storing and accessing secrets, keys, and certificates. For AI services, you might want to protect access tokens or other sensitive data used by your application. By storing these tokens in Azure Key Vault, your application can securely retrieve them at runtime without needing to store them in your source code or configuration files.

    Here's a Python program using Pulumi to create a Key Vault and store an AI service access token as a secret. The purpose of this Pulumi program is to illustrate automation of infrastructure for secure secret management:

    • A Resource Group is created as a logical container for the resources.
    • A Key Vault is provisioned to securely store the access token.
    • An access policy is set to grant permissions to an Azure Active Directory object, typically the application (or service principal) that will retrieve the secret.
    • A secret holding an access token value is created within the Key Vault.

    For the purpose of this example, the token value is hard-coded, but in a real-world scenario, you’d likely fetch this from a secure source or configuration.

    Before you run the following program, ensure that you’ve set up the Pulumi Azure provider and logged in with pulumi login. Here's the Pulumi program:

    import pulumi
    import pulumi_azure_native as azure_native

    # Create an Azure Resource Group
    resource_group = azure_native.resources.ResourceGroup('my-resource-group')

    # Create an Azure Key Vault instance
    key_vault = azure_native.keyvault.Vault(
        'my-key-vault',
        resource_group_name=resource_group.name,
        properties=azure_native.keyvault.VaultPropertiesArgs(
            sku=azure_native.keyvault.SkuArgs(
                family='A',
                name='standard',
            ),
            tenant_id='YOUR_AZURE_TENANT_ID',  # Replace with your Azure tenant ID
            access_policies=[azure_native.keyvault.AccessPolicyEntryArgs(
                tenant_id='YOUR_AZURE_TENANT_ID',  # Replace with your Azure tenant ID
                object_id='YOUR_OBJECT_ID',  # Replace with the object ID of the principal that accesses the secret
                permissions=azure_native.keyvault.PermissionsArgs(
                    # A principal that only reads the token at runtime needs just 'get' (and 'list');
                    # trim this list to what the principal actually requires.
                    secrets=['get', 'list', 'set', 'delete', 'backup', 'restore', 'recover'],
                ),
            )],
            soft_delete_retention_in_days=90,
            enable_rbac_authorization=False,  # False: vault uses access policies, not Azure RBAC
        ),
        location=resource_group.location,
    )

    # Store an AI Service access token in the Key Vault as a Secret
    ai_service_secret = azure_native.keyvault.Secret(
        'my-ai-service-secret',
        resource_group_name=resource_group.name,
        vault_name=key_vault.name,
        properties=azure_native.keyvault.SecretPropertiesArgs(
            # Replace with an actual access token for your AI service.
            # A plain string here is written to Pulumi state in clear text; wrap it with
            # pulumi.Output.secret(...) or read it via pulumi.Config().require_secret(...)
            # so that it is encrypted in state.
            value='MY_AI_SERVICE_ACCESS_TOKEN',
        ),
    )

    # Export the Key Vault ID and Secret ID
    pulumi.export('key_vault_id', key_vault.id)
    pulumi.export('ai_service_secret_id', ai_service_secret.id)

    A few important points in this program:

    • Replace YOUR_AZURE_TENANT_ID, YOUR_OBJECT_ID, and MY_AI_SERVICE_ACCESS_TOKEN with actual values for your Azure tenant, the principal (such as an Azure service principal or a user) who needs access to the Key Vault, and the AI service access token, respectively.
    • Permissions should follow the least privilege principle: grant only the secret permissions the principal actually needs. The policy above grants a broad set (including set, delete and restore); an application that merely reads the token at runtime needs only get (and list).
    • soft_delete_retention_in_days (90 days) and enable_rbac_authorization (False, so the vault is governed by access policies rather than Azure RBAC) are set explicitly. Adjust these settings as necessary for your environment and compliance requirements.

    After you have replaced the placeholders with actual values, you can run this Pulumi program using the Pulumi CLI commands:

    pulumi up                                  # Preview and deploy changes
    pulumi stack output key_vault_id           # Retrieve the Key Vault ID after deployment
    pulumi stack output ai_service_secret_id   # Retrieve the AI service secret ID after deployment

    Remember to follow security best practices when managing secrets and access policies, and rotate your secrets periodically.
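The consumer side that the text describes (the application retrieving the token at runtime, and picking up a rotated secret without a restart) as an added example that is not part of the original page: it uses the real azure-identity and azure-keyvault-secrets clients in production and a constructed in-memory reader for offline testing; the secret name and the TTL are assumptions.

```python
import time
from types import SimpleNamespace
from typing import Callable, Dict, Optional, Protocol


class SecretReader(Protocol):
    """Anything shaped like azure.keyvault.secrets.SecretClient.get_secret(name)."""
    def get_secret(self, name: str): ...


def key_vault_reader(vault_url: str) -> SecretReader:
    """Real reader: DefaultAzureCredential picks up managed identity, workload
    identity or a developer login, so no credential lives in code or config."""
    from azure.identity import DefaultAzureCredential      # pip install azure-identity
    from azure.keyvault.secrets import SecretClient        # pip install azure-keyvault-secrets
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())


class AiTokenProvider:
    """Fetches the token at runtime and re-reads it once ttl_seconds have passed,
    so a rotated secret takes effect without an application restart."""

    def __init__(self, reader: SecretReader, secret_name: str,
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._reader, self._name, self._ttl, self._clock = reader, secret_name, ttl_seconds, clock
        self._value: Optional[str] = None
        self._fetched_at = float("-inf")
        self.fetch_count = 0  # number of actual Key Vault reads

    def token(self) -> str:
        now = self._clock()
        if self._value is None or now - self._fetched_at >= self._ttl:
            secret = self._reader.get_secret(self._name)
            if not secret.value:
                raise RuntimeError(f"secret {self._name!r} has no value (empty or disabled)")
            self._value, self._fetched_at = secret.value, now
            self.fetch_count += 1
        return self._value


class FakeReader:
    """Constructed in-memory stand-in for SecretClient, for offline use only."""
    def __init__(self, secrets: Dict[str, str]):
        self.secrets = dict(secrets)

    def rotate(self, name: str, new_value: str) -> None:
        self.secrets[name] = new_value

    def get_secret(self, name: str):
        return SimpleNamespace(value=self.secrets[name])


if __name__ == "__main__":
    # Production wiring: key_vault_reader("https://<vault-name>.vault.azure.net/")
    provider = AiTokenProvider(FakeReader({"my-ai-service-secret": "token-v1"}), "my-ai-service-secret")
    print(provider.token())
```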