Azure Key Vault
Document Rails features support for remote signing using Azure Key Vault.
In this scenario, all cryptographic operations are performed remotely, using Azure's infrastructure.
This allows Document Rails to issue credentials without having direct access to the cryptographic key material.
Authenticating with Azure
The following authentication schemas for Azure Key Vault are supported:
-
Client secret
- Tenant ID
- Client ID
- Client secret
- Authority host (optional)
-
Workload identity
- Tenant ID
- Client ID
- Access token
- Authority host (optional)
-
Virtual machine managed identity
- Authority host (optional)
-
App service managed identity
- Authority host (optional)
Note
Managed identity authentication may not be available on all Document Rails instances.
Contact Vaultie for more information.
Configuring the vault
To identify which key to use as a signing key, you have to provide the following information:
-
vault_url- Azure Key Vault tenancy URL (e.g.https://example.vault.azure.net). -
name- Key name. -
version- Key version. If not provided, the latest version if used. -
signature_algorithm- Signature algorithm identifier.
Supported signature algorithm identifiers:
| Description | Identifier |
|---|---|
| ECDSA (P-256) | ES256 |
Examples
import { createKey, AzureAuthenticationType, KeyType } from "@vaultie/document-rails";
const response = await createKey(
client,
accessToken,
organizationId,
{
key: {
type: KeyType.Azure,
authentication: {
type: AzureAuthenticationType.VirtualMachineManagedIdentity,
},
vault_url: "https://testing.vault.azure.net/objectType/objectName/1",
name: "testkey",
version: "16d0b2d96ab34c2098864ee396dffc05",
signature_algorithm: "ES256",
},
certificate: {
type: KeyType.Azure,
authentication: {
type: AzureAuthenticationType.VirtualMachineManagedIdentity,
},
vault_url: "https://testing.vault.azure.net/objectType/objectName/1",
name: "testcert",
version: "bb066f61702345fa8be48761e32c89f8",
},
}
);