Key vault manager is a management tool that keeps track of Azure Key Vault assets (such as secrets). It validates the assets for required properties, keeps track of where they are used and of upcoming and past expiry, and alerts you in your preferred channel (Teams, Slack, email or SMS). The tool is built as an Azure Function App. All required resources are deployed with the ARM template. You can choose whether to deploy the Function App to an existing App Service Plan or create a new one, and whether to manage an existing Key Vault or deploy a new one.
Key vault manager includes event- and timer-triggered functions for automation as well as a CRUD API for managing secrets. The API currently supports get all secrets, get secret, post secret, patch secret, put secret version and delete secret. The Function App has access restrictions, so it is only reachable from the allowed IP address you add during deployment. It is protected with Azure AD authentication and authorization with reader and writer roles.
- Sign in to your Azure tenant. Global admin or application admin permission is required.
- Copy azureapp.ps1 locally. Add the name of the resource group you are going to deploy to and the object id of the user or service principal that is going to run the deployment to the variables $resourceGroupName and $deploymentObjectId.
- Open cloud shell in Azure portal and run the azureapp.ps1 script.
- Take note of the application id and secret.
- Sign in to your Azure tenant. Contributor permission on the resource group is required (Owner if you enable delete locks).
- Click the Deploy to Azure button.
- Fill in the parameters.
- Click deploy.
To configure access to the Key vault manager API you have to assign the reader or writer role. In the Azure portal navigate to Azure Active Directory, Enterprise applications, "keyvaultmanager-{id}". Open the Users and groups blade, click Add user/group, select the users or groups and choose the role KeyVaultManagerReader or KeyVaultManagerWriter as required.
To configure Teams alerts create an incoming webhook and paste the URL in the app setting "teamsWebhookUrl".
To configure Slack alerts create an incoming webhook and paste the URL in the app setting "slackWebhookUrl".
To configure email alerts create a SendGrid account and configure SMTP and an API key. Then fill in the app settings "sendgridApiKey", "sendgridFromAddress" and "sendgridToAddress".
To configure SMS alerts create a Twilio account and configure a messaging service. Then fill in the app settings "twilioAccountSid", "twilioAuthToken", "twilioMessagingSid" and "twilioToNumber".
Swagger docs are available at https://func-kvmgr-{id}.azurewebsites.net/api/swagger.json
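To make the expiry tracking described at the top concrete, here is an added Python illustration (not the Key vault manager code itself) of how secret expiry findings can be classified and turned into the kind of Teams incoming-webhook message that "teamsWebhookUrl" receives. The 30-day threshold, the SecretInfo shape and the sample secrets are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NEAR_EXPIRY_DAYS = 30  # assumed threshold; the tool's own value is not documented here

@dataclass
class SecretInfo:
    name: str
    expires_on: Optional[datetime]  # None when no expiry is set on the secret version
    enabled: bool = True

def classify(secret: SecretInfo, now: datetime) -> str:
    # A secret without an expiry is flagged too: it would otherwise never show up in expiry alerts.
    if secret.expires_on is None:
        return "missing-expiry"
    if secret.expires_on <= now:
        return "expired"
    if secret.expires_on - now <= timedelta(days=NEAR_EXPIRY_DAYS):
        return "near-expiry"
    return "ok"

def review(secrets, now=None):
    # Returns {finding: [secret names]}; disabled secrets are skipped, healthy ones are omitted.
    now = now or datetime.now(timezone.utc)
    findings = {"expired": [], "near-expiry": [], "missing-expiry": []}
    for s in secrets:
        if s.enabled:
            state = classify(s, now)
            if state != "ok":
                findings[state].append(s.name)
    return findings

def teams_payload(vault: str, findings: dict) -> dict:
    # Plain-text message body accepted by a Teams incoming webhook (the teamsWebhookUrl setting).
    lines = [f"Key Vault {vault}: secret review"] + [
        f"- {state}: {', '.join(sorted(names))}" for state, names in findings.items() if names]
    return {"text": "\n".join(lines)}

# Constructed sample data standing in for a real listing of secret properties.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    SecretInfo("db-password", NOW + timedelta(days=10)),
    SecretInfo("api-key", NOW - timedelta(days=1)),
    SecretInfo("legacy-token", None),
    SecretInfo("retired-token", None, enabled=False),
    SecretInfo("signing-pass", NOW + timedelta(days=200)),
]
if __name__ == "__main__":
    print(teams_payload("kv-example", review(SAMPLE, NOW)))
```

Posting the returned payload as JSON to the webhook URL is the only step left out; with the Azure SDK the SecretInfo list would be built from SecretClient.list_properties_of_secrets(), whose items expose expires_on and enabled.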
Key vault manager currently supports one key vault.
Key vault manager currently supports secrets (not keys or certificates).