Dynamic Secrets for Azure Resources with Vault

Question

Pulumi · Accepted Answer

Dynamic Secrets are a way to provide on-demand, short-lived access tokens or credentials to access various resources. The concept is valuable in cloud services where the principle of least privilege and short-lived credentials can help secure resources. Vault by HashiCorp is a tool that can be used to manage these secrets and tightly control access to tokens, passwords, certificates, API keys, and other secrets in modern computing.

To integrate Azure resources with Vault to use dynamic secrets, you implement several components:

Vault Server: You deploy Vault server(s), which manage secrets.
Azure Secrets Engine: Configure Vault with the Azure secrets engine, which will enable managing dynamic access to your Azure resources.
Policies: Establish Vault policies to govern who can obtain the secrets and under what conditions.

In the context of Pulumi, the setup would generally involve configuring Azure resources in such a way that Vault can interact with them. This could mean creating service principals, setting appropriate permissions, and managing the lifecycle of these entities.

Here's a high-level Pulumi program outline that would prepare Azure resources for dynamic secrets usage with Vault. The actual Vault configuration part is out of the scope of Pulumi and would be done directly through the Vault CLI or API.

Please note that this is a complex setup and requires careful consideration of security implications. Always ensure you understand the permissions and access levels you're granting.

import pulumi
import pulumi_azure_native as azure_native

# Create an Azure Resource Group to contain all the resources
resource_group = azure_native.resources.ResourceGroup("resource_group")

# Create an Azure AD Application for Vault
vault_app = azure_native.authorization.Application("vaultApp",
    display_name="Vault")

# Create a Service Principal for the Azure AD Application
vault_sp = azure_native.authorization.ServicePrincipal("vaultSp",
    application_id=vault_app.application_id)

# Create a Service Principal Password
vault_sp_password = azure_native.authorization.ServicePrincipalPassword("vaultSpPassword",
    service_principal_id=vault_sp.id,
    end_date="2299-12-31T00:00:00Z") # Long-lived for the example, but consider a more appropriate end date

# Assign the Service Principal appropriate permissions on the Resource Group
# The specific role definition depends on the level of access required by Vault
role_assignment = azure_native.authorization.RoleAssignment("roleAssignment",
    scope=resource_group.id,
    principal_id=vault_sp.id,
    role_definition_id="/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id-goes-here>"
    # Replace "<role-definition-id-goes-here>" with the actual ID of the role
    # definition that matches the permissions you wish to grant to Vault.
)

# Export the Service Principal ID and Password (Secret) for Vault Configuration
pulumi.export("vaultAppId", vault_app.application_id)
pulumi.export("vaultSpId", vault_sp.id)
pulumi.export("vaultSpPassword", vault_sp_password.value.apply(lambda pwd: pulumi.Output.secret(pwd)))

Here's what the code does, step by step:

It defines a new resource group in Azure to hold all resources.
It creates an Azure Active Directory application representing the Vault server.
It creates a service principal for the Vault AD application, which Vault will use to authenticate with Azure.
It creates a password for the service principal. The password is essential for Vault to log in as the service principal.
It assigns the service principal a particular role on the resource group. The role definition ID should correspond to the permissions Vault needs to manage resources effectively.
It finally exports the application ID, service principal ID, and service principal password. These will be necessary when configuring Vault with Azure.

Remember:

For the role definition ID, you will need to insert the proper Azure role definition ID that provides the appropriate level of access for Vault.
The Service Principal Password is sensitive information and should be treated as a secret. In Pulumi, we mark it as secret so it will be encrypted in the state file and not be displayed in plaintext in outputs.
You will still need to configure Vault with these Azure credentials and set up the Azure secrets engine within Vault outside of the Pulumi context.

Please ensure that you replace the placeholder values and that the scope of permissions assigned to the service principal is in accordance with your organization's security policies.