
Cloud Design Patterns – External Configuration Store Pattern (Using Azure Key Vault)

Storing and updating configuration details in every application instance is a maintenance and security nightmare, especially when the servers run in the Azure cloud. This post discusses implementing the External Configuration Store Pattern with Azure Key Vault, an Azure service that stores keys and secrets protected by hardware security modules (HSMs), and connecting it to a Cloud Service deployed in Azure.

MSDN defines the pattern as follows:

Move configuration information out of the application deployment package to a centralized location. This pattern can provide opportunities for easier management and control of configuration data, and for sharing configuration data across applications and application instances.

The implementation described here is one of many ways to achieve the External Configuration Store Pattern. Below is the architecture diagram that illustrates the implementation:

The following steps need to be carried out to implement this pattern.

Step 1: Setting up the PowerShell ISE

# Values assumed to be set earlier in the script (not shown in the post):
# $azureEnvironment, $subscriptionDataFile, $selectedsubscription,
# $resourceGroupName, $location

# Enter credentials for Azure Resource Manager
Write-Output "Enter Azure Resource Manager Credentials"
$azureRMCredentials = Add-AzureRmAccount -EnvironmentName $azureEnvironment

# Import the classic Azure module (needed for the *-AzureSubscription cmdlets below)
Import-Module Azure

# Associate the publish settings file
$pubsettings = $subscriptionDataFile
Import-AzurePublishSettingsFile $pubsettings -Environment $azureEnvironment

# Select the subscription (classic and Resource Manager)
Set-AzureSubscription -SubscriptionName $selectedsubscription -Environment $azureEnvironment
Select-AzureRmSubscription -SubscriptionId '[Provide The Subscription Id here]'
Set-AzureRmContext -SubscriptionId '[Provide The Subscription Id here]'

# Create the resource group only if it does not exist yet
# (SilentlyContinue so that a missing group yields $null instead of a printed error)
$resourceGroupExist = Get-AzureRmResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue
if ($resourceGroupExist -eq $null) { New-AzureRmResourceGroup -Name $resourceGroupName -Location $location }

Step 2: Creating a key vault:

The first task is to create the key vault in the region where it is needed. Below is the PowerShell script that can be used to create the key vault.

# Create Key Vault instance
# Assumes $keyvalutName (the vault name) and $timeStampFormat are set earlier in the script.
if ($keyvalutName -eq '')
{
    Write-Output "$(Get-Date -f $timeStampFormat) - Key vault name cannot be null"
}
elseif ($azureEnvironment -eq 'AzureChinaCloud' -and $keyvalutName -ne '')
{
    Write-Output "$(Get-Date -f $timeStampFormat) - AzureChinaCloud doesn't support Key Vault services and hence skipping key vault creation step"
}
else
{
    Write-Progress -Id 1 -Activity "Starting New Key vault creation and app AD registration" -Status "Started"
    Write-Output "$(Get-Date -f $timeStampFormat) - Creating New Azure Key Vault with the name $keyvalutName."

    # Reuse the vault if it already exists, otherwise create it
    $result = Get-AzureRmKeyVault -VaultName $keyvalutName -ErrorAction SilentlyContinue
    if ($result -eq $null) { $result = New-AzureRmKeyVault -VaultName $keyvalutName -ResourceGroupName $resourceGroupName -Location $location }

    if ($result -ne $null)
    {
        Write-Progress "keyvault created successfully, details: $result"
        Write-Output "$(Get-Date -f $timeStampFormat) - key vault creation is successful."
    }
    else
    {
        Write-Output "$(Get-Date -f $timeStampFormat) - key vault creation failed. Error while creating Keyvault."
    }
}

Step 3: Creating an App in the AD to use the key vault:

# Register a new application in Azure AD and grant it access to the vault.
# Assumes $keyVaultCertificate (path to a .pfx file), $keyVaultCertificatePwd,
# $newAzureADApplication, $newAzureADAppURL, $keyvalutName and $result (the vault
# object from Step 2) are set earlier in the script.
if ($result -ne $null)
{
    Write-Progress "Retrieving Keyvault certificate."
    [string]$certificateFilePath = $keyVaultCertificate
    $certpath = (Resolve-Path $certificateFilePath).Path
    $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($certpath, $keyVaultCertificatePwd)

    # Only the public part of the certificate is registered as the application's
    # credential; the private key stays in the .pfx that the cloud service uses.
    $keyValue  = [System.Convert]::ToBase64String($certificate.GetRawCertData())
    $startDate = $certificate.GetEffectiveDateString()
    $endDate   = $certificate.GetExpirationDateString()

    # Register the application in Azure Active Directory (reuse it if it exists)
    $app = Get-AzureRmADApplication -DisplayNameStartWith $newAzureADApplication
    Write-Output 'Printing AD Application object'
    Write-Output $app
    if ($app -eq $null)
    {
        $app = New-AzureRmADApplication -DisplayName $newAzureADApplication -HomePage $newAzureADAppURL -IdentifierUris $newAzureADAppURL `
                   -KeyValue $keyValue -KeyType "AsymmetricX509Cert" -KeyUsage "Verify" -StartDate $startDate -EndDate $endDate
    }

    # Create the service principal for the application (reuse it if it exists)
    $ServicePrincipalName = Get-AzureRmADServicePrincipal -ServicePrincipalName $app.ApplicationId
    Write-Output 'Printing Service Principal object'
    Write-Output $ServicePrincipalName
    if ($ServicePrincipalName -eq $null) { $ServicePrincipalName = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId }
    Write-Output $ServicePrincipalName

    # Set up permissions to the keys and secrets. The application ID is accepted
    # as the service principal name. 'All' is what the post grants; an application
    # that only reads configuration needs no more than 'Get' (and 'List') on secrets.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $keyvalutName -ServicePrincipalName $app.ApplicationId -PermissionsToKeys 'All' -PassThru
    Set-AzureRmKeyVaultAccessPolicy -VaultName $keyvalutName -ServicePrincipalName $app.ApplicationId -PermissionsToSecrets 'All' -PassThru

    # Values needed by the cloud service configuration in Step 5
    Write-Output "keyvault URL: $($result.VaultUri)"
    Write-Output "Keyvault client id: $($app.ApplicationId)"
    Write-Output "Keyvault Certificate thumbprint: $((Get-PfxCertificate -FilePath $certpath).Thumbprint)"
}
else
{
    Write-Output "$(Get-Date -f $timeStampFormat) - key vault creation failed. Skipping AD application registration."
}
Write-Progress -Id 1 -Activity "Key vault creation and App AD registration successfully completed." -Completed -Status "Complete"

Step 4: Inserting Secrets into the Key vault:

The next step is to add the keys and secrets to the Key Vault. The following PowerShell can be used to insert a secret into the Key Vault that was created.

# The value is passed as a SecureString; the single quotes keep PowerShell from
# expanding the $ characters in the sample value.
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName '[KeyvaultName]' -Name '[SecretName]' -SecretValue $secretvalue
# The secret identifier URL that the application uses to read this secret
$SecretUrl = $secret.Id


$SecretUrl provides the Key Vault URL of the secret to be used in the application. If there is more than one secret, the secrets can be uploaded from a CSV file through a PowerShell script.
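The CSV upload mentioned above, as an added example that is not part of the original post: it assumes the session is already signed in (Step 1) and the AzureRM.KeyVault module is loaded; the vault name and the CSV contents are constructed for illustration, and Import-KeyVaultSecretsFromCsv is a helper written here, not a cmdlet.

```powershell
# Added example (not from the original post): load several secrets into the
# vault from a CSV file with the columns Name and Value.
$vaultName = '[KeyvaultName]'   # placeholder, replace with the vault created in Step 2

# Constructed sample CSV. In practice this file must stay out of source control
# and be deleted once the import succeeds, since it holds the plaintext values.
$csvPath = Join-Path $env:TEMP 'secrets.csv'
@'
Name,Value
Db-ConnectionString,Server=tcp:db.example.invalid;User ID=app;Password=Pa$$w0rd
Storage-AccountKey,constructed-sample-key==
Api-ClientSecret,constructed-sample-secret
'@ | Set-Content -Path $csvPath -Encoding UTF8

function Import-KeyVaultSecretsFromCsv {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Path
    )
    $uploaded = @()
    foreach ($row in Import-Csv -Path $Path) {
        # Key Vault secret names may only contain letters, digits and hyphens
        if ($row.Name -notmatch '^[0-9A-Za-z-]+$') {
            Write-Warning "Skipping '$($row.Name)': invalid secret name"
            continue
        }
        if ([string]::IsNullOrEmpty($row.Value)) {
            Write-Warning "Skipping '$($row.Name)': empty value"
            continue
        }
        $secure = ConvertTo-SecureString $row.Value -AsPlainText -Force
        $secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $row.Name -SecretValue $secure
        # Report only the identifier; never echo the value back to the console or logs
        $uploaded += [pscustomobject]@{ Name = $row.Name; SecretUrl = $secret.Id }
    }
    return $uploaded
}

$results = Import-KeyVaultSecretsFromCsv -VaultName $vaultName -Path $csvPath
$results | Format-Table -AutoSize

# Remove the plaintext source once the secrets are in the vault
Remove-Item -Path $csvPath -Force
```

The returned Name/SecretUrl pairs are what the application needs; the plaintext values never leave the script, and the CSV is removed as soon as the upload is done.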

Step 5: Configure the Cloud application to Access the key vault:

The last step is to configure the cloud service with the certificate thumbprint and the Application Id of the AD app created in Step 3, so that the application can access the Key Vault. The certificate listed under Certificates must also be uploaded to the cloud service so that the role instances can use its private key.

<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="CloudServiceName" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2015-04.2.6">
  <Role name="CloudServiceName">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="KeyVault_VaultUrl" value="https://[KeyvaultName].vault.azure.net/" />
      <Setting name="KeyVault_ADClientId" value="cbe66691-fb10-45ba-a225-a8f73c87459e" />
      <Setting name="KeyVault_ADClientCertificateThumbprint" value="XXXXXXXXXXEA3399XXXXX06CF1DF87XXXXXXXXXX" />
      <Setting name="KeyVault_CacheExpirationDurationInSeconds" value="86400" />
    </ConfigurationSettings>
    <Certificates>
      <Certificate name="Key Vault Certificate" thumbprint="XXXXXXXXXXEA3399XXXXX06CF1DF87XXXXXXXXXX" thumbprintAlgorithm="sha1" />
      <Certificate name="Cloud Service Certificate" thumbprint="XXXXXXXXXX8B8652F4EXXXXX6FB3BBXXXXXXXXXX" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>

Step 6: Accessing the Secrets from the application:

Use the settings in the cloud service configuration to reach the secrets held in the Key Vault from the application. Please note that a local cache can hold the configuration values to reduce the number of calls to the external store; the cache expiration setting then also determines how long a rotated secret takes to reach every instance. If more than one cloud service uses the same secrets, each service can either reuse the same settings or have its own Key Vault AD app for accessing the Key Vault.
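The access pattern described in Step 6, written out in PowerShell as an added example that is not part of the original post: it reads the Key Vault settings from a service configuration, signs in as the AD application with its certificate, and serves secrets through a small expiring cache. It assumes the AzureRM modules, a certificate with the given thumbprint in the local certificate store, and a tenant ID (placeholder, not given in the post); the embedded cscfg and the vault name are constructed, and Get-CscfgSetting and Get-CachedSecret are helpers written here.

```powershell
# Added example (not from the original post). In a deployed role the four
# settings come from RoleEnvironment.GetConfigurationSettingValue(); here they
# are read from a constructed cscfg so the logic can be followed end to end.
[xml]$cscfg = @"
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="CloudServiceName" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2015-04.2.6">
  <Role name="CloudServiceName">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="KeyVault_VaultUrl" value="https://samplevault.vault.azure.net/" />
      <Setting name="KeyVault_ADClientId" value="cbe66691-fb10-45ba-a225-a8f73c87459e" />
      <Setting name="KeyVault_ADClientCertificateThumbprint" value="XXXXXXXXXXEA3399XXXXX06CF1DF87XXXXXXXXXX" />
      <Setting name="KeyVault_CacheExpirationDurationInSeconds" value="86400" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>
"@

# Look up one <Setting> of a role; the cscfg schema uses a default namespace,
# so the XPath needs a prefix bound to it.
function Get-CscfgSetting {
    param([xml]$Config, [string]$RoleName, [string]$Name)
    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('sc', 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration')
    $node = $Config.SelectSingleNode("//sc:Role[@name='$RoleName']/sc:ConfigurationSettings/sc:Setting[@name='$Name']", $ns)
    if ($null -eq $node) { throw "Setting '$Name' not found for role '$RoleName'" }
    return $node.GetAttribute('value')
}

$role       = 'CloudServiceName'
$vaultUrl   = Get-CscfgSetting -Config $cscfg -RoleName $role -Name 'KeyVault_VaultUrl'
$clientId   = Get-CscfgSetting -Config $cscfg -RoleName $role -Name 'KeyVault_ADClientId'
$thumbprint = Get-CscfgSetting -Config $cscfg -RoleName $role -Name 'KeyVault_ADClientCertificateThumbprint'
$cacheTtl   = [int](Get-CscfgSetting -Config $cscfg -RoleName $role -Name 'KeyVault_CacheExpirationDurationInSeconds')
$vaultName  = ([uri]$vaultUrl).Host.Split('.')[0]   # the cmdlets take the vault name, not the URL
$tenantId   = '[Provide The Tenant Id here]'        # placeholder: the post does not list it

# Certificate-based sign-in as the AD application created in Step 3: no client
# secret ever has to be stored in the service configuration.
Add-AzureRmAccount -ServicePrincipal -ApplicationId $clientId -CertificateThumbprint $thumbprint -TenantId $tenantId | Out-Null

$script:SecretCache = @{}

# Return a secret, reading the vault at most once per cache TTL per secret name.
function Get-CachedSecret {
    param([Parameter(Mandatory)][string]$Name)
    $now   = Get-Date
    $entry = $script:SecretCache[$Name]
    if ($entry -and $entry.Expires -gt $now) { return $entry.Value }

    # Cache miss or expired entry: read from the external store. SecretValue is
    # a SecureString; convert it to plain text only at the point of use.
    $secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $Name
    if ($null -eq $secret) { throw "Secret '$Name' not found in vault '$vaultName'" }
    $script:SecretCache[$Name] = @{ Value = $secret.SecretValue; Expires = $now.AddSeconds($cacheTtl) }
    return $secret.SecretValue
}

$dbPassword = Get-CachedSecret -Name '[SecretName]'   # first call reads the vault
$dbPassword = Get-CachedSecret -Name '[SecretName]'   # served from the local cache
```

With the post's 86400-second setting, a secret rotated in the vault is picked up by a running instance only after its cache entry expires; a shorter TTL trades more vault calls for faster propagation.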


Published in: Azure, Cloud Design Patterns, Key Vault, PowerShell, Programming, Software Development

One Comment

  1. saravana

    Nice article to know the pattern on azure key vault.
