The Azure Key Vault PAM Provider uses the Azure Key Vault SDK to communicate with a Key Vault in Azure. The provider can communicate with Azure Public Cloud, Azure Government, and Azure China. Alternatively, if you have a self-hosted Key Vault compatible with Key Vault's APIs, the provider should be able to communicate with it. The provider can authenticate to Azure Key Vault with a managed identity available on your machine, with credentials read from environment variables, or with service principal credentials stored in your PAM extension configuration.
This PAM Provider supports retrieving all fields available in Azure Key Vault, such as usernames and passwords. It can be installed on either the Keyfactor Command Platform or on Universal Orchestrators.
There are two Azure Key Vault PAM Providers available: Azure-KeyVault and Azure-KeyVault-ServicePrincipal.
Here's a matrix explaining the differences between the two extensions:
| PAM Type | Recommended Use Case | manifest.json Configuration |
|---|---|---|
| Azure-KeyVault | Recommended if the Orchestrator or machine can assume an Azure role with a managed identity, or can read credentials from environment variables, to authenticate with Azure Key Vault. See: How to set up managed identity access to Key Vault. | - |
| Azure-KeyVault-ServicePrincipal | Recommended if you want to specify service principal credentials directly in your PAM provider configuration to authenticate with Azure Key Vault. Useful if the Orchestrator or machine cannot assume an Azure role with a managed identity and its environment variables cannot be modified. See: How to create an Azure service principal. | Replace manifest.json with the contents of ServicePrincipal-manifest.json |
Both PAM providers support authenticating with Azure Key Vault via environment variables. If the appropriate environment variables are configured, the PAM provider reads credentials from them to authenticate with Azure Key Vault. Environment variables take precedence over initialization parameters: with Azure-KeyVault-ServicePrincipal, a configured AZURE_TENANT_ID, AZURE_CLIENT_ID or AZURE_CLIENT_SECRET overrides the corresponding value stored in the PAM provider configuration. The supported environment variables for both extensions are:
| Environment Variable | Description |
|---|---|
| AZURE_CLIENT_ID | The application (client) ID of a Microsoft Entra ID (formerly Azure AD) app registration. |
| AZURE_TENANT_ID | The tenant (directory) ID in Azure the Azure Key Vault belongs to. |
| AZURE_CLIENT_SECRET | The client secret for the app registration. |
| AZURE_AUTHORITY_HOST | The authority host to authenticate against. For most use cases, this will simply be public. Please refer to the Authority Hosts section for more information on this parameter. |
The Azure Key Vault PAM provider requires an Authority Host to be defined. The Authority Host is the Microsoft Entra endpoint the provider authenticates against to obtain a token for Key Vault. The PAM Provider library resolves the following predefined values to their Azure Authority Hosts:
| Value | Authority Host | Endpoint |
|---|---|---|
| china | Azure China | https://login.chinacloudapi.cn |
| government | Azure Government | https://login.microsoftonline.us |
| public | Azure Public Cloud | https://login.microsoftonline.com |
For most use cases, public will be an acceptable Authority Host value for your PAM provider. You may also provide a custom authority host not defined in the table above, but the value must begin with https://, for example https://custom.microsoftonline.com. Because the provider presents its client secret to the token endpoint at this host, treat the Authority Host as security-sensitive configuration: anyone who can change it can redirect the credential to an endpoint they control.
Authority Hosts may also be specified via the AZURE_AUTHORITY_HOST environment variable. If this environment variable is configured, it overrides the value supplied to the PAM provider, so the environment of the Command server or Orchestrator needs the same protection as the configuration itself.
For more information on Azure authority hosts, please review the Azure SDK documentation.
This example shows setting up service principal access to an Azure Key Vault. It only covers RBAC / Access Control (IAM), but you can also use Access Policies to configure access to your Key Vault.
First, within Microsoft Entra ID, create a service principal by creating an app registration. From the app registration's Overview page, note the Application (client) ID and the Directory (tenant) ID.
Navigate to Certificates & Secrets and create a new client secret. Note the value of the client secret, as it will not be shown again after you navigate away from the page. Ignore the Secret ID shown on this page; it is not used for PAM provider configuration (the provider's SecretId parameter refers to the name of a Key Vault secret, not to this identifier).
Now, navigate to your Azure Key Vault instance. Under the Access Control (IAM) section, add a new role assignment for the service principal you created in the previous step. The built-in "Key Vault Secrets User" role allows it to read secret contents and is sufficient for the PAM provider; avoid broader roles such as Key Vault Secrets Officer or Key Vault Administrator, since the provider only needs to read. An assignment at the vault scope grants read access to every secret in that vault; if the provider should only read specific secrets, assign the role at the scope of those individual secrets or keep them in a dedicated vault.
Note the Key Vault URI from the Key Vault's overview page as you will need it for PAM provider configuration.
Next, add a secret to your Key Vault or use an existing secret. Note the name of the secret as you will need it for PAM provider configuration (Secret ID).
Finally, configure your PAM provider with the appropriate initialization and instance parameters as outlined in the Initialization and Instance Parameters for Extension section. If you are using the Azure-KeyVault-ServicePrincipal PAM provider, you can directly input the service principal credentials in the initialization parameters. If you are using the Azure-KeyVault PAM provider, you can set the service principal credentials as environment variables on your machine or Orchestrator.
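The two rules described above, environment variables overriding initialization parameters and alias resolution of the Authority Host (with the https:// requirement for custom hosts), plus the end-to-end read check you would run after the service principal walkthrough, as an added Python example. It is not code from the azure-keyvault-pam project (the provider itself is a .NET extension); the endpoint URLs for the three alias values are the Azure SDK's AzureAuthorityHosts values, the `fetch_secret` step assumes the azure-identity and azure-keyvault-secrets packages are installed, and the `check_kv.py` file name and the vault and secret values in the tests are constructed.

```python
"""Resolve Azure Key Vault PAM provider settings and verify a secret read.
Added example, not azure-keyvault-pam code; fetch_secret() needs azure-identity and azure-keyvault-secrets."""
import os
import sys
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlparse

# Documented alias values -> Microsoft Entra login endpoints (the values behind
# the Azure SDK's AzureAuthorityHosts constants).
AUTHORITY_ALIASES = {
    "public": "https://login.microsoftonline.com",
    "government": "https://login.microsoftonline.us",
    "china": "https://login.chinacloudapi.cn",
}
# Initialization parameter -> environment variable that overrides it.
ENV_OVERRIDES = {"AuthorityHost": "AZURE_AUTHORITY_HOST", "TenantId": "AZURE_TENANT_ID",
                 "ClientId": "AZURE_CLIENT_ID", "ClientSecret": "AZURE_CLIENT_SECRET"}

@dataclass(frozen=True)
class ResolvedConfig:
    key_vault_uri: str
    authority_host: str  # always a full https:// URL after resolution
    tenant_id: Optional[str] = None
    client_id: Optional[str] = None
    client_secret: Optional[str] = None

    @property
    def uses_service_principal(self) -> bool:
        """Client-credentials flow needs all three values; otherwise use the ambient identity."""
        return bool(self.tenant_id and self.client_id and self.client_secret)

def _require_https(value: str, what: str) -> str:
    parsed = urlparse(value.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{what} must be an https:// URL, got {value!r}")
    return value.strip().rstrip("/")

def resolve_authority_host(value: str) -> str:
    """public/government/china resolve to their endpoints; anything else must be https://."""
    return AUTHORITY_ALIASES.get(value.strip().lower()) or _require_https(value, "AuthorityHost")

def resolve_config(init_params: Mapping[str, str],
                   env: Optional[Mapping[str, str]] = None) -> ResolvedConfig:
    """A set AZURE_* variable beats the initialization parameter it corresponds to."""
    env = os.environ if env is None else env

    def pick(name: str) -> Optional[str]:
        return env.get(ENV_OVERRIDES[name]) or init_params.get(name) or None

    authority = pick("AuthorityHost")
    if not authority:
        raise ValueError("AuthorityHost is required (parameter or AZURE_AUTHORITY_HOST)")
    return ResolvedConfig(
        key_vault_uri=_require_https(init_params.get("KeyVaultUri", ""), "KeyVaultUri"),
        authority_host=resolve_authority_host(authority),
        tenant_id=pick("TenantId"), client_id=pick("ClientId"), client_secret=pick("ClientSecret"))

def explain_http_error(status_code: Optional[int], secret_id: str) -> str:
    """Map the usual Key Vault failures to the setup step that needs revisiting."""
    if status_code == 401:
        return "Unauthorized: check TenantId, ClientId, ClientSecret and AuthorityHost."
    if status_code == 403:
        return f"Forbidden reading {secret_id!r}: identity lacks the Key Vault Secrets User role (RBAC) or a Get secret access policy."
    if status_code == 404:
        return f"Secret {secret_id!r} not found: check SecretId and KeyVaultUri."
    return f"Key Vault request failed with HTTP {status_code}."

def fetch_secret(cfg: ResolvedConfig, secret_id: str) -> Optional[str]:
    """Read one secret the way the provider does: client credentials when configured,
    otherwise the ambient identity (managed identity, AZURE_* variables, CLI login)."""
    # Imported here so the pure helpers above work without the SDK installed.
    from azure.core.exceptions import ClientAuthenticationError, HttpResponseError
    from azure.identity import ClientSecretCredential, DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    authority = cfg.authority_host[len("https://"):]  # azure-identity takes a bare host name
    if cfg.uses_service_principal:
        credential = ClientSecretCredential(cfg.tenant_id, cfg.client_id, cfg.client_secret,
                                            authority=authority)
    else:
        credential = DefaultAzureCredential(authority=authority)
    client = SecretClient(vault_url=cfg.key_vault_uri, credential=credential)
    try:
        return client.get_secret(secret_id).value
    except ClientAuthenticationError as exc:  # subclass of HttpResponseError, so catch it first
        raise RuntimeError(explain_http_error(401, secret_id)) from exc
    except HttpResponseError as exc:
        raise RuntimeError(explain_http_error(exc.status_code, secret_id)) from exc

if __name__ == "__main__":
    # Live check: python check_kv.py https://<vault>.vault.azure.net <SecretId>, with the
    # AZURE_* variables set exactly as the Azure-KeyVault PAM type reads them.
    vault_uri, secret_name = sys.argv[1], sys.argv[2]
    value = fetch_secret(resolve_config({"KeyVaultUri": vault_uri, "AuthorityHost": "public"}), secret_name)
    print(f"read {secret_name!r}: {len(value or '')} characters")  # never echo the secret itself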
The Azure Key Vault PAM Provider is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
The Azure Key Vault PAM Provider is used by Command to resolve PAM-eligible credentials for Universal Orchestrator extensions and for accessing Certificate Authorities. When configured, Command will use the Azure Key Vault PAM Provider to retrieve credentials needed to communicate with the target system. There are two ways to install the Azure Key Vault PAM Provider, and you may elect to use one or both methods:
- Locally on the Keyfactor Command server: PAM credential resolution via the Azure Key Vault PAM Provider occurs on the Keyfactor Command server each time an eligible credential is needed.
- Remotely on Universal Orchestrators: when jobs are dispatched to Universal Orchestrators, the associated Certificate Store extension assembly uses the Azure Key Vault PAM Provider to resolve eligible PAM credentials.
Before proceeding with installation, you should consider which pattern is best for your requirements and use case.
Important
For the most up-to-date and complete documentation on how to install a PAM provider extension, please visit our product documentation
To install Azure Key Vault PAM Provider, it is recommended you install kfutil. kfutil is a command-line tool that simplifies the process of creating PAM Types in Keyfactor Command.
The Azure Key Vault PAM Provider implements 2 PAM Types. Depending on your use case, you may elect to install one or both of these PAM Types. An overview for each type is linked below:
Azure-KeyVault
The Azure Key Vault PAM extension requires a Key Vault hosted in Azure (Public / Government / China) or a Key Vault hosted with Azure Key Vault-compatible APIs. To access your Key Vault, permissions will need to be configured to allow your machine access to the Key Vault (details found below).
An Azure Key Vault can be easily created and configured within Azure (documentation for how to create a key vault in the Azure Portal can be found here). Each Azure Key Vault will have its own unique endpoint (Vault URI) which is visible from the key vault's Overview section.
New secrets can be added to your Azure Key Vault under the key vault's Secrets section. Documentation on how to create a secret in Azure Portal can be found here.
You can either use Role-Based Access Control (RBAC) or Access Policies to manage access to your Key Vault secrets. Documentation on access policies for secrets can be found here while documentation on RBAC access to secrets can be found here.
If your app is hosted in Azure, follow this guide on how to authenticate your application with your Azure resources.
If your app is not hosted in Azure, you can follow this guide on how to authenticate your non-Azure / on-premise application with your Azure resources.
Initialization Parameters for each defined PAM Provider instance
| Initialization parameter | Display Name | Description |
|---|---|---|
| KeyVaultUri | Azure Key Vault URI | The unique auto-generated URI for your Azure Key Vault (for Azure Public Cloud, https://<vault-name>.vault.azure.net/). |
| AuthorityHost | Authority Host | The authority host to authenticate against. For most use cases, this will simply be public. Please refer to the Authority Hosts section for more information on this parameter. If AZURE_AUTHORITY_HOST is a defined environment variable, it will override this value. |
Instance Parameters for each retrieved secret field
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretId | Secret Name | The name of the secret you assigned in Azure Key Vault. |
Create the required PAM Types in the connected Command platform.
```shell
# Azure-KeyVault
kfutil pam types-create -r azure-keyvault-pam -n Azure-KeyVault
```
For full API docs please visit our product documentation.
Below is the payload to POST to the Keyfactor Command API:
```json
{
  "Name": "Azure-KeyVault",
  "Parameters": [
    {
      "Name": "KeyVaultUri",
      "DisplayName": "Key Vault URI",
      "DataType": 1,
      "InstanceLevel": false,
      "Description": "URI for your Azure Key Vault"
    },
    {
      "Name": "AuthorityHost",
      "DisplayName": "Authority Host",
      "DataType": 1,
      "InstanceLevel": false,
      "Description": "Authority host of your Azure infrastructure"
    },
    {
      "Name": "SecretId",
      "DisplayName": "Secret ID",
      "DataType": 1,
      "InstanceLevel": true,
      "Description": "Name of your secret in Azure Key Vault"
    }
  ]
}
```
The entire contents of the release (which includes all library dependencies) should be copied when installing. Refer to the Keyfactor Command documentation on how to install your extension. Where the provider is configured through manifest.json rather than the Command portal, also update the InitializationInfo section of manifest.json with the appropriate values.
Azure-KeyVault-ServicePrincipal
The Azure Key Vault PAM extension requires a Key Vault hosted in Azure (Public / Government / China) or a Key Vault hosted with Azure Key Vault-compatible APIs. To access your Key Vault, permissions will need to be configured to allow your machine access to the Key Vault (details found below).
An Azure Key Vault can be easily created and configured within Azure (documentation for how to create a key vault in the Azure Portal can be found here). Each Azure Key Vault will have its own unique endpoint (Vault URI) which is visible from the key vault's Overview section.
New secrets can be added to your Azure Key Vault under the key vault's Secrets section. Documentation on how to create a secret in Azure Portal can be found here.
You can either use Role-Based Access Control (RBAC) or Access Policies to manage access to your Key Vault secrets. Documentation on access policies for secrets can be found here while documentation on RBAC access to secrets can be found here.
If your app is hosted in Azure, follow this guide on how to authenticate your application with your Azure resources.
If your app is not hosted in Azure, you can follow this guide on how to authenticate your non-Azure / on-premise application with your Azure resources.
Initialization Parameters for each defined PAM Provider instance
| Initialization parameter | Display Name | Description |
|---|---|---|
| KeyVaultUri | Azure Key Vault URI | The unique auto-generated URI for your Azure Key Vault (for Azure Public Cloud, https://<vault-name>.vault.azure.net/). |
| AuthorityHost | Authority Host | The authority host to authenticate against. For most use cases, this will simply be public. Please refer to the Authority Hosts section for more information on this parameter. If AZURE_AUTHORITY_HOST is a defined environment variable, it will override this value. |
| TenantId | Tenant ID | The tenant (directory) ID in Azure the Azure Key Vault belongs to. If AZURE_TENANT_ID is a defined environment variable, it will override this value. |
| ClientId | Client ID | The application ID in Microsoft Entra ID. If AZURE_CLIENT_ID is a defined environment variable, it will override this value. |
| ClientSecret | Client Secret | The client secret for the application ID. If AZURE_CLIENT_SECRET is a defined environment variable, it will override this value. |
Instance Parameters for each retrieved secret field
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretId | Secret Name | The name of the secret you assigned in Azure Key Vault. |
Create the required PAM Types in the connected Command platform.
```shell
# Azure-KeyVault-ServicePrincipal
kfutil pam types-create -r azure-keyvault-pam -n Azure-KeyVault-ServicePrincipal
```
For full API docs please visit our product documentation.
Below is the payload to POST to the Keyfactor Command API:
```json
{
  "Name": "Azure-KeyVault-ServicePrincipal",
  "Parameters": [
    {
      "Name": "KeyVaultUri",
      "DisplayName": "Key Vault URI",
      "DataType": 1,
      "InstanceLevel": false,
      "Description": "URI for your Azure Key Vault"
    },
    {
      "Name": "AuthorityHost",
      "DisplayName": "Authority Host",
      "DataType": 1,
      "InstanceLevel": false,
      "Description": "Authority host of your Azure infrastructure"
    },
    {
      "Name": "TenantId",
      "DisplayName": "Tenant ID",
      "DataType": 1,
      "InstanceLevel": false,
      "Description": "Tenant or directory ID in Azure"
    },
    {
      "Name": "ClientId",
      "DisplayName": "Client ID",
      "DataType": 1,
      "InstanceLevel": false,
      "Description": "Application ID in Microsoft Entra ID"
    },
    {
      "Name": "ClientSecret",
      "DisplayName": "ClientSecret",
      "DataType": 2,
      "InstanceLevel": false,
      "Description": "Client secret for your application ID"
    },
    {
      "Name": "SecretId",
      "DisplayName": "Secret ID",
      "DataType": 1,
      "InstanceLevel": true,
      "Description": "Name of your secret in Azure Key Vault"
    }
  ]
}
```
The entire contents of the release (which includes all library dependencies) should be copied when installing. Refer to the Keyfactor Command documentation on how to install your extension. Copy the contents of ServicePrincipal-manifest.json into your manifest.json file; where the provider is configured through manifest.json rather than the Command portal, also update its InitializationInfo section with the appropriate values.
Azure-KeyVault
- In the Keyfactor Command Portal, hover over the ⚙️ (settings) icon in the top right corner of the screen and select Privileged Access Management.
- Select the Add button to create a new PAM provider. Click the dropdown for Provider Type and select Azure-KeyVault.
  [!IMPORTANT] If you're running Keyfactor Command 11+, make sure Remote Provider is unchecked.
- Populate the fields with the necessary information collected in the requirements section:
| Initialization parameter | Display Name | Description |
|---|---|---|
| KeyVaultUri | Key Vault URI | URI for your Azure Key Vault |
| AuthorityHost | Authority Host | Authority host of your Azure infrastructure |
- Click Save. The PAM provider is now available for use in Keyfactor Command.
Now, when defining Certificate Stores (Locations->Certificate Stores), Azure-KeyVault will be available as a PAM provider option. When defining new Certificate Stores, the secret parameter form will display tabs for Load From Keyfactor Secrets or Load From PAM Provider.
Select the Load From PAM Provider tab, choose the Azure-KeyVault provider from the list of Providers, and populate the fields with the necessary information from the table below:
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretId | Secret ID | Name of your secret in Azure Key Vault |
Keyfactor Command 11+
In Command 11 and greater, before using the Azure-KeyVault PAM type, you must define a Remote PAM Provider in the Command portal.
- In the Keyfactor Command Portal, hover over the ⚙️ (settings) icon in the top right corner of the screen and select Privileged Access Management.
- Select the Add button to create a new PAM provider.
- Make sure that Remote Provider is checked.
- Click the dropdown for Provider Type and select Azure-KeyVault.
- Give the provider a unique name.
- Click "Save".
When defining Certificate Stores (Locations->Certificate Stores), Azure-KeyVault can be used as a PAM provider. When defining a new Certificate Store, the secret parameter form will display tabs for Load From Keyfactor Secrets or Load From PAM Provider.
Select the Load From PAM Provider tab, choose the Azure-KeyVault provider from the list of Providers, and populate the fields with the necessary information from the table below:
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretId | Secret ID | Name of your secret in Azure Key Vault |
Keyfactor Command 10
When defining Certificate Stores (Locations->Certificate Stores), Azure-KeyVault can be used as a PAM provider.
When entering Secret fields, select the Load From Keyfactor Secrets tab, and populate the Secret Value field with the following JSON object:
```json
{"SecretId": "Name of your secret in Azure Key Vault"}
```
We recommend creating this JSON object in a text editor, and copying it into the Secret Value field.
Note
Additional information on Azure-KeyVault can be found in the supplemental documentation.
Azure-KeyVault-ServicePrincipal
- In the Keyfactor Command Portal, hover over the ⚙️ (settings) icon in the top right corner of the screen and select Privileged Access Management.
- Select the Add button to create a new PAM provider. Click the dropdown for Provider Type and select Azure-KeyVault-ServicePrincipal.
  [!IMPORTANT] If you're running Keyfactor Command 11+, make sure Remote Provider is unchecked.
- Populate the fields with the necessary information collected in the requirements section:
| Initialization parameter | Display Name | Description |
|---|---|---|
| KeyVaultUri | Key Vault URI | URI for your Azure Key Vault |
| AuthorityHost | Authority Host | Authority host of your Azure infrastructure |
| TenantId | Tenant ID | Tenant or directory ID in Azure |
| ClientId | Client ID | Application ID in Microsoft Entra ID |
| ClientSecret | ClientSecret | Client secret for your application ID |
- Click Save. The PAM provider is now available for use in Keyfactor Command.
Now, when defining Certificate Stores (Locations->Certificate Stores), Azure-KeyVault-ServicePrincipal will be available as a PAM provider option. When defining new Certificate Stores, the secret parameter form will display tabs for Load From Keyfactor Secrets or Load From PAM Provider.
Select the Load From PAM Provider tab, choose the Azure-KeyVault-ServicePrincipal provider from the list of Providers, and populate the fields with the necessary information from the table below:
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretId | Secret ID | Name of your secret in Azure Key Vault |
Keyfactor Command 11+
In Command 11 and greater, before using the Azure-KeyVault-ServicePrincipal PAM type, you must define a Remote PAM Provider in the Command portal.
- In the Keyfactor Command Portal, hover over the ⚙️ (settings) icon in the top right corner of the screen and select Privileged Access Management.
- Select the Add button to create a new PAM provider.
- Make sure that Remote Provider is checked.
- Click the dropdown for Provider Type and select Azure-KeyVault-ServicePrincipal.
- Give the provider a unique name.
- Click "Save".
When defining Certificate Stores (Locations->Certificate Stores), Azure-KeyVault-ServicePrincipal can be used as a PAM provider. When defining a new Certificate Store, the secret parameter form will display tabs for Load From Keyfactor Secrets or Load From PAM Provider.
Select the Load From PAM Provider tab, choose the Azure-KeyVault-ServicePrincipal provider from the list of Providers, and populate the fields with the necessary information from the table below:
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretId | Secret ID | Name of your secret in Azure Key Vault |
Keyfactor Command 10
When defining Certificate Stores (Locations->Certificate Stores), Azure-KeyVault-ServicePrincipal can be used as a PAM provider.
When entering Secret fields, select the Load From Keyfactor Secrets tab, and populate the Secret Value field with the following JSON object:
```json
{"SecretId": "Name of your secret in Azure Key Vault"}
```
We recommend creating this JSON object in a text editor, and copying it into the Secret Value field.
Note
Additional information on Azure-KeyVault-ServicePrincipal can be found in the supplemental documentation.
Apache License 2.0, see LICENSE
See all Keyfactor PAM Provider extensions.