Azure configuration prerequisites for DevOpsACCELERATE¶
The DevOpsACCELERATE Azure Key Vault and Web App Certificate Deployment functionality requires that your Azure account is set up with an Application Registration for the DevOpsACCELERATE application. This Application Registration allows Venafi Cloud to access your Azure account on your behalf.
The Application Registration process will create a Client ID for the DevOpsACCELERATE application. Once the Application Registration process is complete, you will need to do the following:
Create a password (client secret) for the App Registration.
Assign permissions to the App Registration to access the Key Vault service and the Azure Resource Manager service.
Important Because Microsoft continues to update the Azure user interface, please refer to the most current Microsoft Azure documentation for specific details. For the latest updates, visit Cloud configuration.
To create an App Registration
Log in to your Azure portal using an account with permissions to create Azure AD App registrations.
To do this, you need:
The roles of Azure Subscription Contributor and User Access Administrator for the Azure subscription.
Your Azure AD user settings must be configured to enable a user to create App Registrations.
Select Azure Active Directory from the portal.
- Select App Registrations from the Azure AD blade.
- Click New Application registration.
Create a name for the registration.
We recommend calling this registration Venafi Cloud.
For Sign-on URL, use the URL of the Venafi Cloud service https://ui.venafi.cloud.
Sign-on URLis not used by the service. However, this value must be supplied in order for you to create the App Registration.
- When the application registration process is complete, click Settings.
- Click Required Permissions.
- Click Add and then select the Azure Key Vault API.
- Grant the app full access to the Azure Key Vault service.
- Click Done.
- Click Keys.
In Passwords, type in the name of your secret and then select a duration.
We recommend calling your secret
Important Save the client secret in your enterprise secure password repository. It will be required later."
To configure your Azure account to allow the Microsoft Azure App Service to access your Azure Key Vault
This configuration allows DevOpsACCELERATE to create certificates in your Azure Key Vault and associate them with anAzure Web App resource group.
- From the Azure portal, select the Azure Key Vault that you want to use with DevOpsACCELERATE.
- In the Azure Key Vault blade, select Access Policies and then click Add access policy.
- Click Select Principal and then select Microsoft Azure App Service.
- Set the Secret permission to Get.
To allow the app registration to manage your Web App Service resources
Assign the Contributor role to the Azure App registration that you created.
Add the App Registration as a Contributor to an individual Web App resource group.
Create a custom role that allows you to limit access to the Azure App registration. Access should be limited to only managing bindings and creating certificate resources in the resource group for Azure Web Apps.
To allow the app registration to manage certificates in your key vault
Add a new access policy to your key vaults that give the app registration rights to manage certificates.
Log in to your Azure portal.
Click All Resources.
Select the resource, then click Access policies.
- Click Add new.
In Configure from template, choose Secret and Certificate Management.
In Select principal, choose the app registration you created earlier.
If DevOpsACCELERATE is returning permission errors or you are finding that certificates are created in Key Vault but SSL bindings are not being created, try double checking the following:
Have you specified the correct subscription ID? The Azure portal will show resources from multiple subscriptions by default, which can result in a resource being created in a different subscription than the one used to configure Condor.
Have you created the app registration and given it access to the Key Vault API?
Have you assigned the app registration the ‘Contributor’ role, either globally at the subscription level or at the resource group level where target web apps and key vaults are created?
Have you created an access policy for the target key vault that allows the ‘Microsoft Azure Web App’ resource to ‘GET’ secrets?
Have you created an access policy for the target key vault that allows the app registration the ‘Secret and Certificate Management’ template for the target key vault?
Have you used the correct app registration client secret? If you forgot the old one, you can create the new one.
Did you know?
A future iteration of the DevOpsACCELERATE Azure functionality will support full OAuth functionality which will allow a user to use their Azure credentials to grant access to DevOpsACCELERATE on their behalf.