Azure Key Vault

Azure Key Vault manages keys, secrets, and certificates in the Azure portal. Several functions in Matillion ETL require access to these resources.

---

Creating secrets in Azure Key Vault

1. Log in to your Azure portal account.
2. Browse to the Key Vaults service.
3. Click Create to open the Create a key vault page at the Basics tab.
4. Complete the following fields:
   • Resource Group: Select an existing resource group. To create a new resource group, read Create resource groups.
   • Key vault name: Give your new key vault a name.
   • Region: Select an Azure region.
   • Pricing tier: Select Standard or Premium pricing.
5. Click the Access Policy tab and review your permission model. Vault Access Policy is the default selection. If you want to select the Azure role-based access control instead, refer to Assign an access policy.
6. Click Review + create, and then click Create.
7. After a brief period, your key vault will be created. Under Next steps, click Go to resource.

To create and store a secret:

1. Click Secrets in the sidebar, then click Generate/Import at the top.

2. Enter the following secret details.

   • Upload options: Select Manual.
   • Name: Enter agent-rsa.
   • Secret value: Enter your secret key. See the note below on multi-line secrets.

   Note

   • Azure Key Vault strips newlines from secrets being added via the graphical user interface (GUI), which will prevent your secrets from working. Read Store a multi-line secret in Azure Key Vault to work around this issue.

   • The following CLI command will maintain newlines:

     az keyvault secret set --vault-name <vault-name> --name <secet-name> --file <key-file-name>
     

3. Leave the other fields blank, and click Create.

---

Assign an access policy

Configure your access policy by selecting one of the following permission models:

• Vault Access Policy: The default permission model that determines whether a security principle, such as a user, application, or user group, can perform different operations on keys, secrets, and certificates.
• Azure role-based access control: An authorization system that provides fine-grained access management of Azure resources to grant access at a specific scope level by assigning appropriate Azure roles.

Follow these steps to set the permission model:

1. Click the Access policy tab in the Create a key vault process.
2. Choose your permission model.
3. Select your Resource access.
4. If you choose the default Vault access policy, continue to the next step. If you choose Azure role-based access control, continue to step 10.
5. Under the Access policies heading, click Create.
6. Use the Configure from a template drop-down menu to select an existing template.

7. Add the following Secret permissions:

   • Get
   • List

   Note

   These permissions must be set for a secret, not a key or certificate.

8. Click the Principal tab, and choose your principal. Only one principal can be assigned per access policy.

9. Click the Application (optional) tab and select an application.
10. Click Review + Create, then click Create.

---

Access control IAM

Use the following steps to assign roles and grant access to your Azure Key Vault resource.

1. Access your existing Key Vault resource in your Microsoft Azure portal account.
2. Click on the intended key vault.
3. Click Access control (IAM) in the sidebar.
4. Click Add from the top menu, then click Add role assignment.
5. Select the Reader permissions.
6. Click Next.
7. In the Members tab, select the members you want to assign access to, add an optional description, and add your application.
8. Click Next, then click Review + assign.