We are using Cloud Service configuration to store app settings. But we would like to secure a few app settings like user credentials, database connection strings, etc. What is the recommended way to do that?
We are reading this configuration from both the web and worker role. Hence, using the aspnet_regiis utility is not an option, as it is not available in the worker role since IIS is not installed there.
We also considered using Key Vault, but we end up in the same situation of having to secure the Key Vault key.
Unfortunately, Azure Cloud Services does not support Managed Service Identities.
By default, Microsoft-managed keys protect your data, and Azure Key Vault helps ensure that encryption keys are properly secured. Azure key management also includes server-side encryption that uses service-managed keys, customer-managed keys in Azure Key Vault, or customer-managed keys on customer-controlled hardware.
Use Azure Storage Service Encryption to automatically encrypt data at rest in Azure Storage. Encryption, decryption, and key management are totally transparent to users. Data can also be secured in transit by using client-side encryption with Azure Key Vault.
Azure virtual network enables Azure resources to securely communicate with each other, the internet, and on-premises networks.
Use network security groups to secure your Azure App Service Environment by blocking inbound and outbound traffic to resources in your virtual network, or to restrict access to apps in an App Service Environment.
Problem Statement
Even though you can move all sensitive information out to Azure Key Vault, to access Azure Key Vault you need a client ID and client secret key (to establish the identity of your cloud service so that Key Vault knows who is accessing it).
This means your application's client secret key will be sitting in the cloud service configuration, which is almost equivalent to all the sensitive information sitting in the cloud service configuration in the first place :).
Solution Approach
Managed Service Identity would have been the way to go to access Azure Key Vault and avoid keeping a client secret key in the cloud service configuration.
In the absence of managed service identities for classic cloud services, you can use certificate credentials for application authentication to establish the application's identity and get access to Key Vault for reading keys, secrets, etc.
Details and Sample Code
Sample code is available here: Authenticating to Azure AD in daemon apps with certificates
Just the important code pieces:
// Initialize the certificate credential to be used by ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory).
// ReadCertificateFromStore is the sample's helper that looks the certificate up in the local certificate store.
X509Certificate2 cert = ReadCertificateFromStore(certName);
// Then create the certificate credential client assertion (a JWT signed with the certificate's private key; no client secret).
ClientAssertionCertificate certCred = new ClientAssertionCertificate(clientId, cert);
// Acquire an auth token for talking to Azure Key Vault.
// todoListResourceId is the sample's variable name; for Key Vault the resource is "https://vault.azure.net".
AuthenticationResult result = await authContext.AcquireTokenAsync(todoListResourceId, certCred);
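The following is an added, end-to-end example of the approach described in this answer; it is not the answer's own code nor the linked Microsoft sample. It shows what a web or worker role would actually run: look up the certificate by thumbprint in the role instance's machine store, let ADAL sign a client assertion with its private key, and hand the resulting token to KeyVaultClient to read a secret. Only non-secret values (client ID, certificate thumbprint, vault URL) live in the .cscfg. The setting names and the class and method names are assumptions; the code assumes the ADAL 3.x API (ClientAssertionCertificate, AcquireTokenAsync) and the Microsoft.Azure.KeyVault client library (KeyVaultClient.AuthenticationCallback, GetSecretAsync), plus Microsoft.WindowsAzure.ServiceRuntime for reading role configuration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                          // Microsoft.Azure.KeyVault NuGet package
using Microsoft.Azure.KeyVault.Models;                   // SecretBundle
using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL
using Microsoft.WindowsAzure.ServiceRuntime;             // RoleEnvironment (web and worker roles)

// Added example: reads a Key Vault secret using a certificate credential instead of a client secret.
// The private key never appears in configuration; it is deployed to LocalMachine\My through the
// cloud service's certificate settings (.csdef <Certificates> / .cscfg thumbprint).
public static class KeyVaultSecretReader
{
    // Setting names are hypothetical; use whatever your .cscfg defines. None of them is a secret.
    private const string ClientIdSetting = "KeyVault.ClientId";
    private const string CertThumbprintSetting = "KeyVault.CertThumbprint";
    private const string VaultUrlSetting = "KeyVault.Url";   // e.g. https://<vault-name>.vault.azure.net/

    // Find the certificate by thumbprint in the role instance's machine store.
    // validOnly is false so a self-signed certificate is returned too; trust is decided by
    // Azure AD comparing the signature against the public key registered on the app.
    private static X509Certificate2 ReadCertificateFromStore(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " not found in LocalMachine\\My on this role instance.");

            X509Certificate2 cert = matches[0];
            // A certificate without an accessible private key cannot sign the client assertion;
            // fail early with a clear message rather than with an opaque ADAL error later.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " has no private key accessible to the role's account.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Token callback for KeyVaultClient. The client passes the authority and resource it
    // received in Key Vault's WWW-Authenticate challenge, so no tenant id needs to be configured.
    private static async Task<string> GetTokenAsync(string authority, string resource, string scope)
    {
        string clientId = RoleEnvironment.GetConfigurationSettingValue(ClientIdSetting);
        string thumbprint = RoleEnvironment.GetConfigurationSettingValue(CertThumbprintSetting);

        X509Certificate2 cert = ReadCertificateFromStore(thumbprint);
        var authContext = new AuthenticationContext(authority);
        // ADAL builds a JWT, signs it with the certificate's private key and exchanges it for an
        // access token. No client secret is involved, so nothing secret sits in the .cscfg.
        var certCred = new ClientAssertionCertificate(clientId, cert);
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, certCred);
        if (result == null)
            throw new InvalidOperationException("Failed to obtain an access token for " + resource);
        return result.AccessToken;
    }

    // Reads one secret (for example a database connection string) by name from the vault.
    public static async Task<string> GetSecretAsync(string secretName)
    {
        string vaultUrl = RoleEnvironment.GetConfigurationSettingValue(VaultUrlSetting);
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetTokenAsync));
        SecretBundle secret = await client.GetSecretAsync(vaultUrl, secretName);
        return secret.Value;
    }
}

// Usage from a worker role's OnStart or a web role's Application_Start (secret name is hypothetical):
//   string connectionString = KeyVaultSecretReader.GetSecretAsync("DbConnectionString").GetAwaiter().GetResult();
```

Two operational points worth checking before deploying: the account the role process runs under must have read access to the certificate's private key in LocalMachine\My, and the application registration in Azure AD must have the certificate's public key uploaded, with a Key Vault access policy granting that application at least "get" on secrets. If either is missing, ReadCertificateFromStore or AcquireTokenAsync fails before any secret is returned, which is the failure mode you want.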