Interactive web login with Azure Key Vault


Would it be possible to add a feature to "Prompt for credentials" for Azure Key Vault, similar to an Azure Bastion VPN/Tunnel/Gateway Entry?


The same way that the Azure CLI works when using an interactive login using the "az login" command before listing and showing secrets:

az login
az account set --subscription <subscriptionId>
az keyvault secret list --vault-name <keyVaultName>
az keyvault secret show --vault-name <keyVaultName> --name <secretName>


This would then not require an Azure AD App Registration with Client ID and Secret. This would simplify Role Based Access Control to the Azure Key Vault, as users would be given the relevant permissions directly within the Key Vault, instead of relying on the permissions of the App Registration, which multiple users would be using.

It would also be very helpful to include an option for an HTTP Proxy together with authentication, the same as the Azure Bastion VPN/Tunnel/Gateway Entry:


Looking forward to hearing from you.

Kind regards,
Aussie Davo


All Comments (8)

avatar

Hello,

Thank you for the request. From what we know it should be possible to allow different login methods. We're not sure about proxy settings yet, we will have to look into it. I have opened an internal ticket.

Regards,

Hubert Mireault

avatar

That's great news! Thanks Hubert.

avatar

Hi Hubert,
Do you have any rough idea of when we can expect this functionality to be released? Eagerly awaiting :)

avatar

Hello,

At the moment I can't give you a good estimate. Our roadmap for 2023.3 (coming out this fall) is pretty tight already, but we will see if we can squeeze this in.

Regards,

Hubert Mireault

avatar

We are using Azure KeyVaults extensively when deploying resources with Infrastructure as Code. Creating virtual machine passwords for admins is done in the Pipeline and put in a KeyVault. We really would like to be able to reference these secrets in RDM. Using a service principal is not a valid solution as all our accesses are controlled with Azure RBAC and personal Entra ID accounts. I believe this would be the same requirement for all organizations needing access to secrets in Azure KeyVaults.

This has been a request for some years. When could you get this into your roadmap?

avatar

Hello,

Thank you for your feedback on this request. As you might expect, we receive a lot of feature requests and we have to choose where to put our development efforts. Seeing that there's more interest in a feature is a great way to help us prioritize development. I've pushed this internal ticket higher in our priorities so we can hopefully address it sooner.

Regards,

Hubert Mireault

avatar

Thank you for the quick feedback.

Seeing that you are using the Entra ID authentication mechanism for the usage of Azure Bastion (VPN) and the Azure Virtual Machine Sync, reusing this for Azure KeyVault access shouldn't be that much work presumably.

avatar

It depends on what kinds of APIs are accessible, but I'd like to assume that all the Azure APIs would allow for this type of authentication. I've not directly checked but it's a good point that we most likely have similar code to achieve this for the synchronizer entry.

Regards,

Hubert Mireault