Azure Key Vault

DevEx Provided Azure Key Vault

Every unit onboarded into Tower by DevEx will be given an Azure Key Vault in the DEVEX-Common Azure Subscription called yourorg-awx.

The connection to that key vault is set up in Tower under the name yourorg-kv.

Note: you will find the DevEx-provided secrets in the Secrets section, not the Keys section, in Azure. Keys are a very specific type of element in Azure, and our automation instead leverages Secrets for ease of use.

Any time you are setting up a credential and want to pull a value from Azure Key Vault, click the key icon next to the field, select your key vault, and add the secret name.

Azure Portal Login

Firewall

Services are locked down with a firewall. Admins for a unit's Key Vault can add IP addresses to grant access. This can be done manually through the portal or with the Azure CLI (below). DevEx has configured UMN Full Tunnel VPN and on-campus access by default.

Please feel free to add or delete any IPs or subnets. The only one that's required is Ansible Tower's subnet, which has moved to the description of the ansible-tower Slack channel.

To add your IP in the portal:

  • In portal.azure.com, navigate to your key vault
  • In the left bar under Settings select 'Networking'
  • Under 'Firewall' click '+ Add your client IP addresses'
  • Paste the IP address you'd like to add

Diagram Showing Azure Portal Networking Tab

  • Click 'Apply'

Azure CLI tool

The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation.

How To Install Azure CLI

Useful Commands for Key Vault

Full az CLI docs for Key Vault secrets

Azure CLI Login

az login

Add IP Address to Key Vault's firewall

az keyvault network-rule add --name "<KEYVAULT NAME>" --ip-address "<IP ADDRESS>"
# ------ OR ------
az keyvault network-rule add --name "<KEYVAULT NAME>" --ip-address "$(curl -s ifconfig.me/ip)"
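
The `$(curl ifconfig.me/ip)` form above passes whatever the lookup service returns straight into a firewall rule. This added example (not part of the original page; the function names `is_ipv4`, `is_public_ipv4` and `allow_my_ip` are hypothetical, and using HTTPS for the lookup is an assumption) checks that the value is a single public IPv4 address before calling `az`:

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Succeed only for a strict dotted-quad IPv4 address (no leading zeros).
is_ipv4() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  IFS=.                      # subshell body: IFS change stays local
  set -- $1
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    case $octet in 0?*|????*) exit 1 ;; esac
    [ "$octet" -le 255 ] || exit 1
  done
)

# Succeed only for addresses outside private (RFC 1918), loopback,
# link-local, carrier-grade NAT (100.64.0.0/10) and 0.0.0.0/8 space.
is_public_ipv4() {
  is_ipv4 "$1" || return 1
  case $1 in
    0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
  esac
  return 0
}

# allow_my_ip <KEYVAULT NAME> [IP]
# With no IP given, look it up from ifconfig.me as the page does
# (HTTPS, -f and the timeout are additions made for this example).
allow_my_ip() {
  vault=$1
  ip=${2:-$(curl -fsS --max-time 10 https://ifconfig.me/ip)} || return 1
  if ! is_public_ipv4 "$ip"; then
    echo "refusing to add '$ip': not a public IPv4 address" >&2
    return 1
  fi
  # Add exactly one host (/32), never a wider range.
  az keyvault network-rule add --name "$vault" --ip-address "$ip/32"
}

# Run only when called with arguments, e.g.: sh allow-ip.sh "<KEYVAULT NAME>"
if [ $# -ge 1 ]; then
  allow_my_ip "$@"
fi
```

A private or malformed value is rejected before any `az` call is made, so an error page or a VPN-internal address never ends up in the rule list.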

Add a Secret to Key Vault from a file:

az keyvault secret set -n "<SECRET NAME>" --vault-name "<KEYVAULT NAME>" --file "<SECRETFILE NAME>"