How to create Azure Key Vault


Summary

This article provides an action plan for setting up Azure Key Vault so that you can create and maintain keys, secrets, and certificates when using Sitecore Managed Cloud Standard:

  1. Register new Microsoft.KeyVault Resource provider
  2. Configure Azure Key Vault access
  3. Assign Azure Key Vault access policies

Register new Microsoft.KeyVault Resource provider

If the Microsoft.KeyVault resource provider is not registered in the customer's subscription, the customer might receive an insufficient access error message while creating a new Key Vault resource. Registering a resource provider requires permission at the subscription scope, which customers typically do not hold in a managed subscription, so the customer requests the registration in the existing Azure subscription by creating a service request for Sitecore Managed Cloud:

  1. On the Sitecore Support Portal, on the home page, click Create Service Requests.
  2. In the Catalogs drop-down list, click Sitecore Managed Cloud AppServices.
  3. In the Categories menu, click Operational.
  4. Click the Register new Resource provider item.
  5. In the Register new Resource provider form, fill out the fields with the relevant data. In the Cloud Resource Provider field, search for and click Microsoft.KeyVault:

    (Screenshot: Register new Resource provider form)

  6. Click Submit at the bottom of the form.

After the Microsoft.KeyVault resource provider has been registered, a customer can create a new Key Vault resource.

Configure Azure Key Vault access

To configure access to keys, secrets, and certificates in Azure Key Vault, you grant data plane access by using a Vault access policy. A Key Vault access policy establishes rules that determine whether a security principal (a user, an application, or a user group) can perform certain operations on keys, secrets, and certificates. The permissions in an access policy apply to every key, secret, or certificate in the vault, so grant each principal only the operations it needs (for example, Get and List on secrets for an application that only reads configuration). The Sitecore Support process described in this article relies on the Vault access policy permission model, not Azure role-based access control.

To configure the Vault access policy permission model for the Key Vault:

  1. On the Azure Portal, navigate to the Key Vault.
  2. In the Settings menu, click Access configuration.
  3. Under Permission model, select the Vault access policy option and save the change:

    (Screenshot: Access configuration, Permission model)

Assign Azure Key Vault access policies

To grant access to the Key Vault, you must file a service request to Sitecore Support so that they create an access policy on your behalf. Sitecore Support grants the basic permissions that let you manage the access policy yourself after it has been created.

To assign an access policy for the Key Vault:

  1. On the Sitecore Support Portal, on the home page, click Create Service Requests.
  2. In the Catalogs drop-down list, click Sitecore Managed Cloud AppServices.
  3. In the Categories menu, click Access Management.
  4. Click the Manage Azure Access - Azure Key Vault Access Policy item.
  5. In the Manage Azure Access - Azure Key Vault Access Policy form, fill out the fields with the relevant data:

    (Screenshot: Manage Azure Access - Azure Key Vault Access Policy form)

  6. Click Submit at the bottom of the form.

For detailed information about Azure Key Vault, see the official Microsoft documentation at https://learn.microsoft.com/azure/key-vault/.
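The three steps above (checking the resource provider, confirming the Vault access policy permission model, and managing the access policy once Sitecore Support has created it) carried out end to end with Azure PowerShell. This is an added example and not part of the Sitecore article or of any Sitecore tooling. It assumes the Az module is installed, that Connect-AzAccount has already been run against the managed subscription, and that the vault name, resource group and application display name are placeholders you replace. Where the article says a Sitecore service request is required, the script stops and tells you so rather than attempting the operation.

```powershell
# Added example, not part of the Sitecore article.
# Assumes an authenticated Az session (Connect-AzAccount) in the Sitecore
# Managed Cloud subscription. Names below are placeholders.
$VaultName     = 'kv-contoso-prod'     # placeholder
$ResourceGroup = 'rg-contoso-prod'     # placeholder
$AppName       = 'contoso-cm-app'      # placeholder: application that only reads secrets

# Step 1: Register new Microsoft.KeyVault Resource provider.
# Registration needs subscription-scope permission, so in a managed subscription
# the customer files the "Register new Resource provider" service request.
$state = Get-AzResourceProvider -ProviderNamespace 'Microsoft.KeyVault' |
    Select-Object -First 1 -ExpandProperty RegistrationState
if ($state -ne 'Registered') {
    Write-Warning "Microsoft.KeyVault is '$state'. File a Sitecore service request to register it before creating the vault."
    return
}

# Step 2: Configure Azure Key Vault access (permission model).
# The Sitecore Support process needs the Vault access policy model, so make
# sure Azure RBAC authorization is off for this vault.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault) {
    Write-Warning "Key Vault '$VaultName' was not found in '$ResourceGroup'."
    return
}
if ($vault.EnableRbacAuthorization) {
    Write-Host "Switching '$VaultName' to the Vault access policy permission model."
    Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -EnableRbacAuthorization $false | Out-Null
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
}

# Step 3: Assign Azure Key Vault access policies.
# Per the Limitations section, you can only manage policies if a policy for
# your own principal already exists (created on vault creation or by Support).
Write-Host "Current access policies on '$VaultName':"
$vault.AccessPolicies |
    Select-Object DisplayName, ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates |
    Format-Table -AutoSize

if (-not $vault.AccessPolicies) {
    Write-Warning "No access policies exist. File the 'Manage Azure Access - Azure Key Vault Access Policy' service request."
    return
}

# Least privilege: the application gets Get and List on secrets only, no key or
# certificate permissions. Supply -ObjectId directly if you cannot query Entra ID.
$app = Get-AzADServicePrincipal -DisplayName $AppName | Select-Object -First 1
if (-not $app) {
    Write-Warning "Service principal '$AppName' not found; no policy changed."
    return
}
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $app.Id -PermissionsToSecrets get, list

# Verify only the intended permissions were granted.
$granted = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup).AccessPolicies |
    Where-Object { $_.ObjectId -eq $app.Id }
Write-Host "Policy for '$AppName': secrets=[$($granted.PermissionsToSecrets -join ',')] keys=[$($granted.PermissionsToKeys -join ',')] certs=[$($granted.PermissionsToCertificates -join ',')]"

# To revoke an over-broad policy later:
#   Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId <objectId>
```

Set-AzKeyVaultAccessPolicy replaces the listed permission category for that principal and leaves the others untouched, so granting only -PermissionsToSecrets does not silently remove existing key or certificate permissions; check the verification line to confirm the principal ends up with exactly what you intended. Because customers have limited control-plane access in a managed subscription, the Update-AzKeyVault call can fail with an authorization error, in which case switch the permission model in the portal as described above.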

Limitations

Customers can create Key Vault resources. When a Key Vault is created with the Vault access policy permission model, an access policy is added by default for the user that creates the resource. If the customer did not enable access for their own user account in the Access policies configuration while creating the Key Vault resource, they cannot assign any access policy after the Key Vault has been created.

Customers cannot create new access policies without filing a service request to Sitecore Support, as described in Assign Azure Key Vault access policies.

Customers have limited access to the management API for Key Vault resources.