Configure Azure Key Vault
You can configure an Azure Key Vault to use with Tessera.
The private/public key pairs used by Tessera can be stored in and retrieved from the key vault, without the need to store the keys locally.
The Microsoft Azure documentation provides the information you need to get started.
Create the vault
You can create the Key Vault using either the Azure Portal or the Azure CLI.
Configure the vault to work with Tessera
Azure uses an Active Directory system to grant access to services. It creates an application that you must authorize to use the vault. It provides the credentials to authenticate your Tessera instance to use the key vault.
- Log in to the Azure Portal.
- Select Azure Active Directory from the sidebar.
- Select App registrations, select New application registration, and complete the registration process. Make note of the Application ID.
- Once registered, select Settings, select Keys, and create a new key with a name and expiration rule. Once you save the key, make note of the key value - this is the only opportunity to see this value!
To authorize the newly registered app to use the Key Vault:
- Select All services from the sidebar and select Key vaults.
- Select the vault.
- Select Access policies and Add new.
- Search for and select the newly registered application as the Principal.
- Enable the Get and Set secret permissions.
Enable Tessera to use the vault
Tessera requires three environment variables to be set when using an Azure Key Vault:
AZURE_CLIENT_SECRET- the application registration
AZURE_TENANT_ID- the Azure Active Directory
Each of these values can be retrieved during the application registration process.
cp azure-key-vault-<version>/lib/* tessera-dist/lib/.