Integrate Azure Key Vault with your Teams app - OfficeDev/TeamsFx GitHub Wiki

Azure Key Vault is a secure storage solution for managing secrets, keys and certificates. It can be used to centralize application secrets, store secrets and keys securely, monitor their access and use, and simplify the administration of application secrets.

Azure Key Vault provision and configuration

Teams Toolkit orchestrates cloud service provisioning and configuration with an infrastructure-as-code approach, using a domain-specific language called Bicep.

Follow these steps to provision a new Azure Key Vault service with Teams Toolkit:

  1. Step 1: Create a new bicep file
  2. Step 2: Update existing bicep file
  3. Step 3: Execute provision command

Step 1: Create a new bicep file

Create a bicep file called keyVault.bicep under the infra folder with the following content to provision the Azure Key Vault service.

param keyVaultName string
param secretName string
@secure()
param secret string
param identityObjectId string

var tenantId = subscription().tenantId


resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: keyVaultName
  location: resourceGroup().location
  properties: {
    tenantId: tenantId
    accessPolicies: []
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
}

resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVaultName}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: identityObjectId
        permissions: {
          secrets: [
            'get'
          ]
        }
      }
    ]
  }
  dependsOn: [
    keyVault
  ]
}

resource secretKv 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
  parent: keyVault
  name: secretName
  properties: {
    value: secret
  }
}

Step 2: Update existing bicep file

Update the existing azure.bicep file under the infra folder.

  1. Add the following content to provision a user-assigned managed identity and Azure Key Vault, and replace <The secret to be stored in Key Vault> with your value:

    var keyVaultName = resourceBaseName
    var secretName = 'secret'
    var secretReference = '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=${secretName})'
    
    resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
      name: resourceBaseName
      location: resourceGroup().location
    }
    
    module keyVaultProvision './keyVault.bicep' = {
      name: 'keyVaultProvision'
      params: {
        keyVaultName: keyVaultName
        secretName: secretName
        secret: <The secret to be stored in Key Vault>
        identityObjectId: managedIdentity.properties.principalId
      }
    }
    
  2. Update the existing resource that needs to access Azure Key Vault.

    For example, if it is a Bot or Function project hosted on Azure Web App, update the bicep content of webApp:

    1. Add the following content under the webApp resource:

      identity: {
        type: 'UserAssigned'
        userAssignedIdentities: {
          '${managedIdentity.id}': {}
        }
      }
      dependsOn: [ keyVaultProvision ]
      
    2. Add the following content under properties of the webApp resource:

      keyVaultReferenceIdentity: managedIdentity.id
      
  3. Change the secret value to the Key Vault secret reference. For example, for a Bot project, update the value of BOT_PASSWORD under appSettings of the webApp resource:

    {
        name: 'BOT_PASSWORD'
        value: secretReference
    }
    
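As an added example (not taken from the TeamsFx wiki or templates), the fragments from the three sub-steps assembled into one webApp resource in azure.bicep. It assumes that managedIdentity, secretReference and keyVaultProvision are declared as in step 2.1, and that a serverfarm resource and the parameters webAppName and botAadAppClientId exist in the same file; the API version is also an assumption.

```bicep
// Added example: the webApp resource with the Key Vault wiring from steps 2.1, 2.2 and 3 in one place.
// Assumed to exist in this azure.bicep: managedIdentity, secretReference, keyVaultProvision (step 2.1),
// a serverfarm resource, and the parameters below.
param webAppName string
param botAadAppClientId string

resource webApp 'Microsoft.Web/sites@2021-02-01' = {
  name: webAppName
  location: resourceGroup().location
  kind: 'app'
  // Step 2.1: the site runs as the user-assigned identity that the Key Vault
  // access policy granted 'get' on secrets (and nothing more).
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    serverFarmId: serverfarm.id
    // Step 2.2: with a user-assigned identity, App Service must be told which
    // identity resolves @Microsoft.KeyVault(...) references; without this the
    // setting stays an unresolved reference string at runtime.
    keyVaultReferenceIdentity: managedIdentity.id
    siteConfig: {
      appSettings: [
        {
          name: 'BOT_ID'
          value: botAadAppClientId
        }
        {
          // Step 3: the app setting carries a reference, so the secret value
          // never appears in the deployment parameters or the site configuration.
          name: 'BOT_PASSWORD'
          value: secretReference
        }
      ]
    }
  }
  // The vault, access policy and secret must exist before the site first
  // tries to resolve the reference.
  dependsOn: [ keyVaultProvision ]
}
```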

Step 3: Execute provision command

Follow this document to provision cloud resources.