
Storing Secrets in Azure Key Vault

Deltix Execution Server (Ember) offers integration with Azure Key Vault for managing secrets. To configure Ember to retrieve secrets from Azure Key Vault, the user will need to do the following:

  • Register the application with Azure and obtain its client ID. Create a client secret.

  • Assign permissions to allow your application to access the Key Vault with this client secret.

  • Using the Azure Key Vault web console or CLI, add your secrets.

  • Modify ember.conf to include the Azure configuration and replace each secret with an Azure URI pointing to the location of the corresponding secret in the Key Vault, as shown below.

  • Restart Ember.

Azure configuration in ember.conf

Specify the Azure Key Vault configuration in the ember.conf file under secrets.azure. Set address to the Vault URI. Optionally include clientId and clientSecret (your application ID and secret) and tenantId (your Azure Directory ID).

Here is an example:

    secrets {
        azure {
            address: "https://my-vault.vault.azure.net"
            clientId : "****"
            clientSecret : "****"
            tenantId : "****"
        }
    }

The last three parameters (clientId, clientSecret and tenantId) can instead be specified using system environment variables. To do that, make sure these attributes are not included in ember.conf and set the following environment variables instead: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID.

When clientSecret is stored in the ember.conf file, its value should be encrypted using the mangle tool. To encrypt the secret value, use the following command:

    export EMBER_HOME=<ember_home>
    /deltix/ember/bin/mangle <clientSecret>

Secrets configuration in ember.conf

Specify secret values stored in Azure Key Vault in ember.conf in this URI form:

    azure:/<secret-key>

When a secret is given in this URI form, Ember looks it up in the configured Azure Key Vault and fails if it is not found.

For secrets stored in Azure we recommend using secret names that indicate the corresponding config entity in the Ember config. For instance, all the KRAKEN connector secrets could be stored in Azure with the same prefix, azure:/deltix-connectors-KRAKEN-, which is a dash-separated string constructed from their path in ember.conf. An Ember config with secrets stored in Azure Key Vault would then look like this:

    ...
    connectors: {
        KRAKEN: {
            settings : {
                apiKey = "azure:/deltix-connectors-KRAKEN-apiKey"
                apiSecret = "azure:/deltix-connectors-KRAKEN-apiSecret"

                extraApiKeys = [
                    {
                        apiKey = "azure:/deltix-connectors-KRAKEN-extraApiKeys.0.apiKey"
                        apiSecret = "azure:/deltix-connectors-KRAKEN-extraApiKeys.0.apiSecret"
                    },
                    {
                        apiKey = "azure:/deltix-connectors-KRAKEN-extraApiKeys.1.apiKey"
                        apiSecret = "azure:/deltix-connectors-KRAKEN-extraApiKeys.1.apiSecret"
                    }
                ]
                syncApiKeys = [
                    {
                        apiKey = "azure:/deltix-connectors-KRAKEN-syncApiKeys.0.apiKey"
                        apiSecret = "azure:/deltix-connectors-KRAKEN-syncApiKeys.0.apiSecret"
                    },
                    {
                        apiKey = "azure:/deltix-connectors-KRAKEN-syncApiKeys.1.apiKey"
                        apiSecret = "azure:/deltix-connectors-KRAKEN-syncApiKeys.1.apiSecret"
                    }
                ]
    ...
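As an added illustration (not Ember's own code), the following Python resolver shows what the azure:/ convention above amounts to at load time: it walks the parsed config tree, swaps every azure:/<secret-key> reference for the value fetched from the vault, leaves ordinary values alone, and fails on the first reference the vault does not hold. FAKE_VAULT and CONFIG are constructed stand-ins for Key Vault and the ember.conf fragment; in a real deployment lookup() would wrap the Azure SDK's SecretClient rather than a dictionary.

```python
from typing import Any, Callable, Mapping, Optional

AZURE_URI_PREFIX = "azure:/"


class SecretNotFoundError(KeyError):
    """A config value references a Key Vault secret the vault does not hold."""


def resolve_secrets(node: Any, lookup: Callable[[str], Optional[str]], path: str = "") -> Any:
    """Walk a parsed config tree (dicts, lists, scalars) and replace every
    "azure:/<secret-key>" string with the value returned by lookup(secret-key).
    Like Ember, fail on the first reference the vault does not hold; every
    other value (including ordinary strings) passes through untouched."""
    if isinstance(node, Mapping):
        return {k: resolve_secrets(v, lookup, f"{path}.{k}" if path else k)
                for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_secrets(v, lookup, f"{path}.{i}") for i, v in enumerate(node)]
    if isinstance(node, str) and node.startswith(AZURE_URI_PREFIX):
        name = node[len(AZURE_URI_PREFIX):]
        secret = lookup(name)
        if secret is None:
            raise SecretNotFoundError(f"{path}: secret '{name}' not found in Key Vault")
        return secret
    return node


# Constructed stand-in for Key Vault (hypothetical values). In production,
# lookup() would wrap the Azure SDK's SecretClient instead of a dict.
FAKE_VAULT = {
    "deltix-connectors-KRAKEN-apiKey": "kraken-key-value",
    "deltix-connectors-KRAKEN-apiSecret": "kraken-secret-value",
    "deltix-connectors-KRAKEN-extraApiKeys.0.apiKey": "extra-key-0",
    "deltix-connectors-KRAKEN-extraApiKeys.0.apiSecret": "extra-secret-0",
}

# Constructed fragment mirroring the ember.conf example, already parsed into Python objects.
CONFIG = {"connectors": {"KRAKEN": {"settings": {
    "apiKey": "azure:/deltix-connectors-KRAKEN-apiKey",
    "apiSecret": "azure:/deltix-connectors-KRAKEN-apiSecret",
    "extraApiKeys": [{"apiKey": "azure:/deltix-connectors-KRAKEN-extraApiKeys.0.apiKey",
                      "apiSecret": "azure:/deltix-connectors-KRAKEN-extraApiKeys.0.apiSecret"}],
    "timeout": "30s",  # ordinary value, not a URI: left as-is
}}}}


def resolve_kraken_config() -> dict:
    """Resolve the constructed config against the constructed vault."""
    return resolve_secrets(CONFIG, FAKE_VAULT.get)
```

The error path is the one worth exercising before a restart: a reference whose secret-key is misspelled or was never added to the vault stops resolution with the config path and secret name in the message.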