Provision Vault Access for an Environment in Azure
Prerequisites
- Ascend Environment with an available App Registration
- Existing Ascend project
- Existing Azure Key Vault (optional)
As part of provisioning an Ascend Environment, an App Registration is created in Azure and attached to the Ascend Environment. This identity is used to access the secrets stored in the Azure Key Vault.
Create an Azure Key Vault (optional)
If you don't already have an Azure Key Vault, you can create one by following these instructions.
Install App Registration in your tenant
az ad sp create \
  --id <assignee>
- <assignee> is the principal id of the App Registration created for your Ascend Environment.
Assign role to App Registration
az role assignment create \
  --role "Key Vault Secrets Officer" \
  --assignee "<assignee>" \
  --scope "/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"
- <assignee> is the principal id of the App Registration created for your Ascend Environment.
- <subscription-id> is the subscription id of the Azure subscription where the Key Vault is created.
- <resource-group-name> is the resource group name where the Key Vault is created.
- <key-vault-name> is the name of the Azure Key Vault.
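The role assignment above only grants access when the vault uses the Azure RBAC permission model, and a mistyped scope lands the role on the wrong resource. The following script is an added example, not part of Ascend's documentation or tooling: it validates the scope parts, checks the vault's permission model, creates the assignment and reads it back. The function names `kv_scope` and `assign_and_verify` and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not Ascend's own tooling. All values are supplied by the caller.

# Build the Key Vault resource ID passed to --scope, rejecting malformed parts
# so a stray "/" or typo cannot silently misdirect the assignment.
kv_scope() {
  sub=$1 rg=$2 vault=$3
  case "$sub" in            # GUID shape: 8-4-4-4-12, hex digits and hyphens only
    *[!0-9a-fA-F-]*) return 1 ;;
    ????????-????-????-????-????????????) ;;
    *) return 1 ;;
  esac
  # Conservative check: resource group must be non-empty and contain no "/"
  case "$rg" in ''|*/*) return 1 ;; esac
  # Key Vault names: 3-24 chars, letters/digits/hyphens, start with a letter,
  # end with a letter or digit, no consecutive hyphens.
  [ "${#vault}" -ge 3 ] && [ "${#vault}" -le 24 ] || return 1
  case "$vault" in *[!A-Za-z0-9-]*|*--*|[!A-Za-z]*|*-) return 1 ;; esac
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$sub" "$rg" "$vault"
}

# Check the vault's permission model, create the assignment, then read it back.
assign_and_verify() {
  assignee=$1 scope=$2 vault=$3
  rbac=$(az keyvault show --name "$vault" \
           --query properties.enableRbacAuthorization -o tsv) || return 1
  case "$rbac" in
    true|True) ;;
    *) echo "vault $vault is not using Azure RBAC; the role would not grant access" >&2
       return 1 ;;
  esac
  az role assignment create --role "Key Vault Secrets Officer" \
    --assignee "$assignee" --scope "$scope" >/dev/null || return 1
  # Print the role names now held by the assignee at exactly this scope
  az role assignment list --assignee "$assignee" --scope "$scope" \
    --query "[].roleDefinitionName" -o tsv
}

# Usage: sh script.sh --apply <subscription-id> <resource-group-name> <key-vault-name> <assignee>
if [ "${1:-}" = "--apply" ]; then
  scope=$(kv_scope "$2" "$3" "$4") || { echo "invalid scope input" >&2; exit 1; }
  assign_and_verify "$5" "$scope" "$4"
fi
```

A successful run prints `Key Vault Secrets Officer` among the roles listed for the assignee at the vault scope.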
Create the vault file in your Ascend project
Under the vaults/ directory in an Ascend project, create the following file:
vault:
  azure_key_vault:
    vault_name: <key-vault-name>
Access the secret
Secrets stored in your Azure Key Vault can now be accessed in your Ascend project using the following syntax:
.
.
.
api_key: ${secret.ascend_azure_vault.<secret_api_key>}
.
.
.
- <secret_api_key> is the name of the secret stored in the Azure Key Vault.