Provision Azure Key Vault
Prerequisites
- Ascend Environment
- Azure Key Vault (or permission to create one)
- Ascend Project
Overview
When you provision an Ascend Environment, a dedicated App Registration is created in Azure and attached to your Ascend Environment. This App Registration is used to securely access secrets stored in your Azure Key Vault.
Set up Azure Key Vault (Optional)
If you don't already have an Azure Key Vault, you can create one by following Microsoft's official documentation.
Register the App Registration in your Azure tenant
az ad sp create \
  --id <tenant-id>
Replace <tenant-id> with your Azure tenant ID. This command installs the service principal for the Ascend Environment from Ascend's tenant into your tenant, allowing it to access your Azure Key Vault.
Grant Key Vault permissions to your App Registration
az role assignment create \
  --role "Key Vault Secrets Officer" \
  --assignee "<assignee>" \
  --scope "/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"
Where:
- <assignee> is the principal ID of your Ascend Environment's App Registration
- <subscription-id> is your Azure subscription ID
- <resource-group-name> is the resource group containing your Key Vault
- <key-vault-name> is the name of your Azure Key Vault
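To confirm the assignment landed on the vault and nowhere broader, the check below reads the principal's assignments as tab-separated role and scope rows and flags any scope outside the vault. It is an added example, not Ascend's or Microsoft's own tooling; the sample rows, `rg-demo`, `kv-demo` and the all-zero subscription ID are constructed placeholders.

```shell
# Audit a principal's role assignments against the single Key Vault scope.
# Feed it TSV rows "role<TAB>scope", for example from:
#   az role assignment list --assignee "<assignee>" --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv
TAB=$(printf '\t')

# Build the vault resource ID in the same shape as the --scope argument.
vault_scope() {  # args: subscription-id resource-group-name key-vault-name
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$1" "$2" "$3"
}

# Print a verdict per row; return 1 if any assignment lies outside the vault.
audit_assignments() {  # arg: expected scope; rows on stdin
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  rc=0
  while IFS="$TAB" read -r role scope; do
    [ -n "$role" ] || continue
    # Resource IDs are case-insensitive (az prints "resourceGroups").
    scope=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    scope=${scope%/}
    case "$scope" in
      "$want")   echo "OK       $role @ vault" ;;
      "$want"/*) echo "OK       $role @ object inside the vault" ;;
      *)         echo "OUTSIDE  $role @ $scope"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample rows (not real az output): vault-scoped, then subscription-wide.
sample_rows() {
  sub=/subscriptions/00000000-0000-0000-0000-000000000000
  printf '%s\t%s\n' "Key Vault Secrets Officer" \
    "$sub/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"
  printf '%s\t%s\n' "Key Vault Secrets Officer" "$sub"
}

sample_rows | audit_assignments \
  "$(vault_scope 00000000-0000-0000-0000-000000000000 rg-demo kv-demo)" \
  || echo "Assignments outside the vault found; review the OUTSIDE rows."
```

A non-zero return means the principal holds a role at a subscription, resource group, or different vault, which reaches more secrets than the single vault this guide sets up.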
Configure the Vault in your Ascend Project
Create the following YAML file in the vaults/ directory of your Ascend project:
vault:
  azure_key_vault:
    vault_name: <key-vault-name>
You can now reference secrets from your Azure Key Vault in your Ascend Components using the following syntax:
component:
  configuration:
    api_key: ${vaults.ascend_azure_vault.<secret_name>}
Replace <secret_name> with the actual name of the secret stored in your Azure Key Vault.
Next steps
After provisioning Azure Key Vault for your Project, you can also configure it as an Instance or Environment vault.
Setting up vault access at these levels provides more flexibility in managing secrets.