Accessing Key Vault secrets securely

Question

I wrote a program in Powershell which runs on a schedule in an Azure Functions app. To avoid hard-coded credentials, I created an Azure Key Vault to store the secrets. I created a managed identity in the Azure Function, created the secrets in Azure Key Vault and then created application settings in Azure Function with the URL to point at the secrets in Azure Key Vault. The program references the application secrets (APPSETTING) and behaves as expected:

    $uSecret = $ENV:APPSETTING_SecretUsername 
    $pSecret = $ENV:APPSETTING_SecretPassword 
    $sasSecret = $ENV:APPSETTING_SecretSAS
    $securePassword = ConvertTo-SecureString -String $pSecret -AsPlainText -Force
    $UserCredential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $uSecret, $securePassword
    
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

However I noticed that if I run the same program on my local computer via Windows Powershell (run as Administrator) and with the above lines amended as follows, the program runs fine - meaning it can access Office 365 and the data lake storage:

    $uSecret = (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretUsername').SecretValueText 
    $pSecret = (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretPassword').SecretValueText 
    $sasSecret = (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretSAS').SecretValueText 
    $securePassword = ConvertTo-SecureString -String $pSecret -AsPlainText -Force
    $UserCredential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $uSecret, $securePassword
    
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Why am I able to run this locally on my computer? I would have expected only the Azure Functions app to be able to retrieve the secrets from Azure Key Vault and that any other resource such as my local computer would be prevented?

Isn't the whole purpose of creating a managed identity for the Azure Function with the specific URL, so that it could identify itself as the authenticated/authorised resource to access the keys? Yet when I run the program locally above with (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretUsername').SecretValueText, my program is still able to retrieve the keys and run!

Can someone please shed some light on why this is happening or if I have misunderstood something?

Many thanks!

(PS. This is all running on a trial instance with sample data, so no real data is compromised at the moment)

Answer 1

The purpose of the keyvault is keep your secrets securely.

Any authorized credentials (through the Keyvault access policies) can access those secrets through the REST api.

To access the secrets, you need:

• An access policy in the keyvault that allow you sufficient access
• To be authenticated with an authorized account

Get-AzKeyVaultSecret is just another way to retrieve secret.

It work on your computer because your session is still authenticated and your AzureAd account have read access to that keyvault secret.

You can effectively use any Az command without re-authenticating everytime. Call Get-AzContext to get the current context details.

Connect-AzAccount do save your access tokens and other relevant informations when used automatically at the following location: C:\Users\MAK\.Azure\AzureRmContext.json

If you were to disconnect first Disconnect-AzAccount and trying to get the secret again without re-authenticating, then it would fail.

Note If you are not comfortable with the Az module saving your tokens on disk, you can disable the default behavior through Disable-AzContextAutosave