
Connect with a Client ID and Client Secret

To configure a connection from Ranger KMS to Azure Key Vault using a client ID and client secret:

Generate the Client ID

  1. Login to the Azure portal.

  2. Search for Azure Key Vault.

  3. Click +Add to create a new key vault as shown below:

  4. After the vault is created, select the Overview section in the left navigation and note the Vault URI; this is the AZURE_KEYVAULT_URL.

  5. To connect to the vault, create an application registration (Azure Active Directory > App registrations).

  6. Register the application (e.g. rangerkmsdemo) as shown in the following example:

  7. Click on the registered application and in the left menu, navigate to the Overview section.

  8. Note the Application (client) ID; this is the AZURE_CLIENT_ID used for connecting.

Generate Client Secret

  1. In the application screen, click on Certificates & Secrets in the left menu.

  2. Create a new client secret as shown in the example below:

  3. Copy the secret Value right away; the portal shows it only once. This value is the AZURE_CLIENT_SECRET.

  4. Next, go to the key vault created under Generate the Client ID (step 3).

  5. Select Access Policies> +Add Access Policy.

Add Access Policy

  1. In the Add access policy screen, grant the application that was created the permissions it needs on the vault.

  2. Select the Key permissions (mandatory), Secret permissions (optional), and Certificate permissions (optional). Grant only the key permissions Ranger KMS actually needs rather than selecting all of them; the secret and certificate permissions can be left empty for this flow.

  3. For Select principal, select the application you created, then add the policy and save it.

    Go to Privacera/docker/ranger/kms/install.properties and set the following values:

    AZURE_KEYVAULT_ENABLED=true
    # false: authenticate with the client secret below rather than with a certificate
    AZURE_KEYVAULT_SSL_ENABLED=false
    AZURE_CLIENT_ID=(Application (client) ID from Generate the Client ID, step 8)
    AZURE_CLIENT_SECRET=(secret value from Generate Client Secret, step 3)
    # AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH is mandatory even in this flow; any value such as None/dummy is accepted
    AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=/home/machine/Desktop/azureAuthCertificate/keyvault-MyCert.pfx
    # AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD is also mandatory; set the real password only if the certificate file has one, otherwise None/dummy
    AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=certPass
    AZURE_MASTERKEY_NAME=RangerMasterKey
    # e.g. RSA, RSA_HSM, EC, EC_HSM, OCT
    AZURE_MASTER_KEY_TYPE=RSA
    # e.g. RSA_OAEP, RSA_OAEP_256, RSA1_5
    ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
    AZURE_KEYVAULT_URL=(Vault URI from Generate the Client ID, step 4)


    Note

    The fields marked 'Value can be None/dummy' must still be given some value; they cannot be left blank. install.properties now holds the client secret in clear text, so restrict read access to the account that runs the installer (for example with chmod 600) and keep the file out of version control.

  4. Restart Ranger KMS as follows:

    cd ~/privacera/docker
    ./privacera_services restart ranger-kms
    
  5. The master key is created when Ranger KMS restarts. Verify that a key with the name set in AZURE_MASTERKEY_NAME appears in the vault under Keys, as shown below.

    After the Client ID and Client Secret have been added and Ranger KMS is restarted, an error appears in the KMS logs under ~/privacera/docker/logs/ranger/kms/.

  6. Exit the container and restart Ranger KMS once more.
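Most first-restart failures in this procedure come from the edited install.properties rather than from Azure: a mandatory field left blank, two properties run onto one line, a placeholder that was never replaced, or a wrap algorithm that does not match the master key type. The following script checks the Azure Key Vault section before the restart. It is an added example for this page, not Privacera's or Apache Ranger's code; it assumes the properties layout shown above, takes the allowed key types and algorithms from the page's own comments, and the GUID, vault-URL and file-mode checks are its own assumptions (the sample property texts are constructed, with made-up IDs and secret).

```python
"""Check the Azure Key Vault settings of a Ranger KMS install.properties.

Added example for this page, not Privacera's or Apache Ranger's code.  Allowed
key types and wrap algorithms come from the page's comments; the GUID and
vault-URL shape checks and the file-mode check are assumptions made here.
"""
import re
import stat

MANDATORY = (
    "AZURE_KEYVAULT_ENABLED", "AZURE_KEYVAULT_SSL_ENABLED",
    "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
    "AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH",      # dummy value allowed, blank not
    "AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD",  # dummy value allowed, blank not
    "AZURE_MASTERKEY_NAME", "AZURE_MASTER_KEY_TYPE",
    "ZONE_KEY_ENCRYPTION_ALGO", "AZURE_KEYVAULT_URL",
)
KEY_TYPES = {"RSA", "RSA_HSM", "EC", "EC_HSM", "OCT"}
WRAP_ALGOS = {"RSA_OAEP", "RSA_OAEP_256", "RSA1_5"}   # all of these are RSA wrap algorithms
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
VAULT_URL_RE = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/?$")
PROP_RE = re.compile(r"^([A-Z0-9_]+)=(.*)$")


def parse_properties(text):
    """Map KEY=value lines to a dict; '#' lines and trailing ' # ...' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].rstrip()
        match = PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_properties(props):
    """Return human-readable problems; an empty list means the section is consistent."""
    problems = []
    for key in MANDATORY:
        if key not in props:
            problems.append(f"{key}: missing")
        elif props[key] == "":
            problems.append(f"{key}: blank (mandatory; use a dummy value if unused)")
    for key, value in props.items():
        if re.search(r"\s[A-Z0-9_]+=", value):     # e.g. 'certPass AZURE_MASTERKEY_NAME=...'
            problems.append(f"{key}: two properties on one line ({value!r})")
        elif value.startswith("("):                 # '(paste ... here)' never replaced
            problems.append(f"{key}: placeholder not replaced ({value!r})")
    if props.get("AZURE_KEYVAULT_ENABLED") != "true":
        problems.append("AZURE_KEYVAULT_ENABLED: must be true")
    if props.get("AZURE_KEYVAULT_SSL_ENABLED") != "false":
        problems.append("AZURE_KEYVAULT_SSL_ENABLED: the client ID/secret setup uses false")
    client_id = props.get("AZURE_CLIENT_ID", "")
    if client_id and not client_id.startswith("(") and not GUID_RE.match(client_id):
        problems.append("AZURE_CLIENT_ID: not a GUID (object ID or secret pasted by mistake?)")
    url = props.get("AZURE_KEYVAULT_URL", "")
    if url and not url.startswith("(") and not VAULT_URL_RE.match(url):
        problems.append("AZURE_KEYVAULT_URL: expected https://<vault-name>.vault.azure.net/")
    key_type = props.get("AZURE_MASTER_KEY_TYPE", "")
    algo = props.get("ZONE_KEY_ENCRYPTION_ALGO", "")
    if key_type not in KEY_TYPES:
        problems.append(f"AZURE_MASTER_KEY_TYPE: {key_type!r} not one of {sorted(KEY_TYPES)}")
    if algo not in WRAP_ALGOS:
        problems.append(f"ZONE_KEY_ENCRYPTION_ALGO: {algo!r} not one of {sorted(WRAP_ALGOS)}")
    elif key_type not in ("RSA", "RSA_HSM"):
        problems.append(f"ZONE_KEY_ENCRYPTION_ALGO: {algo} is an RSA wrap algorithm; "
                        f"a {key_type} master key cannot wrap zone keys with it")
    return problems


def mode_problems(path, mode):
    """The file holds the client secret in clear text: only its owner should read it."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:03o} grants access beyond the owner; chmod 600 it"]
    return []


# Constructed sample: placeholders left in and the password / master-key-name lines run together.
BAD_PROPERTIES = """\
AZURE_KEYVAULT_ENABLED=true
AZURE_KEYVAULT_SSL_ENABLED=false
AZURE_CLIENT_ID=(paste Application (client) ID here)
AZURE_CLIENT_SECRET=(paste secret value here)
AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=/home/machine/Desktop/azureAuthCertificate/keyvault-MyCert.pfx  # dummy is fine
AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=certPass AZURE_MASTERKEY_NAME=RangerMasterKey
AZURE_MASTER_KEY_TYPE=RSA
ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
AZURE_KEYVAULT_URL=(paste Vault URI here)
"""

# Constructed sample of a correctly filled-in section (client ID, secret and vault name are made up).
GOOD_PROPERTIES = """\
AZURE_KEYVAULT_ENABLED=true
AZURE_KEYVAULT_SSL_ENABLED=false
AZURE_CLIENT_ID=11111111-2222-3333-4444-555555555555
AZURE_CLIENT_SECRET=example-secret-value-not-real
AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=None
AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=None
AZURE_MASTERKEY_NAME=RangerMasterKey
AZURE_MASTER_KEY_TYPE=RSA
ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
AZURE_KEYVAULT_URL=https://rangerkmsdemo.vault.azure.net/
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_PROPERTIES), ("good", GOOD_PROPERTIES)):
        found = check_properties(parse_properties(text))
        print(f"{label}: {len(found)} problem(s)")
        for item in found:
            print("  -", item)
```

To run it against a real file, read install.properties, pass the text to parse_properties and check_properties, and pass stat.S_IMODE(os.stat(path).st_mode) to mode_problems; anything it reports should be fixed before the restart in step 4. The key-type check matters because Key Vault only wraps with RSA algorithms on RSA keys, so an EC or OCT master key with ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP fails at the first zone-key operation rather than at configuration time.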


Last update: August 26, 2021