CCKM – Azure KeyVaults Integration

By Style Sync

Thales Cloud Key Management can help you manage all your cloud keys, secrets and certificates across your hybrid and multi-cloud networks. Let’s learn how to integrate CCKM with Azure KeyVaults and how to automate the key management life cycle using CTM APIs.

In this blog post, I will discuss how your DevOps team can use the Thales CipherTrust Manager (CTM) to generate and store a secret on Azure KeyVaults.

To automate the generation and storage of the secret key, I will take you through all the CTM API commands, and their sequence.

So let’s get started by reviewing the CipherTrust Cloud Key Management architecture.

Architecture

There are two deployment options for the CipherTrust Manager: cloud-based and on-premises. The following diagram shows the cloud deployment of the CTM hosted on Azure.

If you choose to keep your CTM on premises and manage your Azure or other cloud keys from there, the deployment option illustrated below can be used.

Prepare Azure App Registrations

To integrate our CTM with Azure, we have to create an App Registration: browse to Azure AD – App registrations, select the + New registration option, and provide the following details:

  1. Name
  2. Supported account type: Multitenant

Press Save

Then, from the menu on the left, browse to API Permissions, select + Add a permission – Microsoft Graph – Delegated permissions, and select the following Graph permissions:

  1. Subscription.Read.All
  2. User.Read

Press Save

After the steps above are completed, browse to Certificates & secrets in the left menu, select + New client secret, create the secret and copy its value to a text file. (Note: once you leave this window, you will no longer be able to read the secret value.)

Finally, let’s get the Tenant ID and Client ID. Browse to the Overview option in the left menu and record the following IDs:

  1. Application (client) ID
  2. Directory (tenant) ID

Token

To be able to use the CTM APIs, you must first generate a token; it is sent with every subsequent request to authenticate and authorize the API call. You can generate a token by running the following command (the body is JSON, matching the Content-Type header):

curl --location 'https://{CTM_Address}/api/v1/auth/tokens/' \
--header 'Content-Type: application/json' \
--data '{"username": "admin", "password": "admin"}'

The command above returns the token, as shown below:

{
    "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.",
    "duration": 300,
    "token_type": "Bearer"
}

Copy the jwt value to a text file. This token is required to run all the requests from now on.

Please note: By default, the TTL (Time To Live) of the CTM token is five minutes.

Create an Azure Connection

After we successfully retrieve the token, we can connect to and interact with the CTM. The first step is to create an Azure Connection; through this connection, the CTM connects to the Azure subscription to retrieve and interact with the Azure KeyVaults.

Note: The Azure Connection only needs to be created once. It is also easy to create the connection from the CTM interface by browsing to Access Management -> Connections -> Add Connection and filling in the required Client ID, Tenant ID and Client Secret.

Run the following API command to create the Azure_Connection:

curl --location 'https://{CTM_Address}/api/v1/connectionmgmt/services/azure/connections' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' \
--data '{
    "name": "Squawk365_Azure",
    "products": [
        "cckm"
    ],
    "meta": {
        "color": "blue"
    },
    "client_secret": "GsZ8Q~ztpjkj1qWYaGi5SczjgjhjkDzBA~jgXwaCr",
    "cloud_name": "AzureCloud",
    "client_id": "9fe7u44f-9eba-470b-a63dki-68877aa39908b",
    "tenant_id": "9c22653s-43dc-42c8-b98cki-202ff55d6138"
}'

Get Connections

This API command retrieves all the Azure connections configured on the CTM; from the list, you can select the connection you require.

curl --location 'https://{CTM_Address}/api/v1/connectionmgmt/services/azure/connections' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'

Get Azure Subscription

Retrieve the Azure Subscription name and ID using the following command:

curl --location 'https://{CTM_Address}/api/v1/cckm/azure/get-subscriptions' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' \
--data '{
    "connection": "Squawk365_Azure"
}'

Note: In the above example, we are interested only in the subscription associated with the Squawk365_Azure connection.

List Azure Vaults

The last piece of information we need before creating the secret is the list of Azure KeyVault names; from it, we pick the vault in which the secret will be generated.

Note: In the following example, we are interested only in the vaults associated with the Squawk365_Azure connection and with the Subscription ID we retrieved from the previous get-subscriptions command.

curl --location 'https://{CTM_Address}/api/v1/cckm/azure/get-vaults' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' \
--data '{
    "connection": "Squawk365_Azure",
    "subscription_id": "c3433-kjkjk-4fdfdf-dfsf8df",
    "limit": 10
}'

Create Azure Secret

After we have the KeyVault name and the Subscription ID, we can generate a secret by running the following command:

curl --location 'https://{CTM_Address}/api/v1/cckm/azure/secrets' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' \
--data '{
  "secret_name": "postsecret",
  "key_vault": "ThalesHalVault::c3433-kjkjk-4fdfdf-dfsf8df",
  "azure_param": {
    "value": "password"
  }
}'

Note: the key_vault parameter combines the KeyVault name and the Subscription ID in the form VaultName::SubscriptionID; these two values are retrieved from the get-vaults and get-subscriptions API commands. The secret_name is the name of the secret and can be any name. Finally, value is the secret itself.
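The whole sequence above (token, get-subscriptions, get-vaults, create secret) as one script, added here as an example rather than code from the post or from Thales. It assumes the request bodies and the VaultName::SubscriptionID syntax shown above, renews the token before the default 300 s TTL expires, and refuses to create the secret if the requested vault is not in the list; the response shapes of get-subscriptions and get-vaults are not shown in the post, so the `resources` list and `subscription_id`/`name` field names are assumptions, and the `transport` argument is a hypothetical hook so the flow can be exercised offline.

```python
import json
import time
import urllib.request

class CckmAzureClient:
    """Runs the CTM API sequence from this post: token -> get-subscriptions ->
    get-vaults -> create secret. transport(method, url, headers, body) -> dict."""

    def __init__(self, base_url, username, password, transport=None, clock=time.time):
        self.base = base_url.rstrip("/") + "/api/v1"
        self.creds = {"username": username, "password": password}
        self.transport, self.clock = transport or self._http, clock
        self.jwt, self.expires_at = None, 0.0

    @staticmethod
    def _http(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def token(self, margin=30):
        # CTM tokens live 300 s by default: renew before expiry instead of pasting one jwt.
        if self.jwt is None or self.clock() >= self.expires_at - margin:
            r = self.transport("POST", self.base + "/auth/tokens/",
                               {"Content-Type": "application/json"}, self.creds)
            self.jwt = r["jwt"]
            self.expires_at = self.clock() + float(r.get("duration", 300))
        return self.jwt

    def call(self, path, body=None):
        headers = {"Content-Type": "application/json", "Authorization": "Bearer " + self.token()}
        method = "POST" if body is not None else "GET"
        return self.transport(method, self.base + path, headers, body)

    def create_secret(self, connection, vault_name, secret_name, value):
        # ASSUMPTION: both list endpoints answer {"resources": [...]} with the
        # field names used here; the post does not show their response bodies.
        subs = self.call("/cckm/azure/get-subscriptions", {"connection": connection})
        sub_id = subs["resources"][0]["subscription_id"]
        vaults = self.call("/cckm/azure/get-vaults", {"connection": connection,
                           "subscription_id": sub_id, "limit": 10})
        names = [v["name"] for v in vaults["resources"]]
        if vault_name not in names:  # fail loudly rather than write to the wrong vault
            raise LookupError(f"vault {vault_name!r} not found among {names}")
        return self.call("/cckm/azure/secrets", {
            "secret_name": secret_name,
            "key_vault": f"{vault_name}::{sub_id}",  # combined name::subscription form
            "azure_param": {"value": value}})
```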

Summary

The example described in this blog demonstrates how to utilize the correct CTM API requests to create, retrieve and generate Azure Key Vault secrets. The commands used in the example will help you with the flow needed to automate the process, instead of running all the commands one by one. If you are interested in the complete JSON flow file, then add your comment below, and I will share the Postman flows file for you to try.
