Creating ESA Credentials
Policy Agent Function requires ESA credentials to be provided as one of the two options:
- ESA credentials stored as secrets in Azure Key Vault
- ESA credentials provided by a custom Azure Function App )
Note
The username and password of the ESA user requires role with DPS Admin and Export Certificates permissions. Security Administrator is one of the predefined roles which contains the above permissions, however for separation of duties it is recommended to create custom role.ESA Credentials In Azure Key Vault
Policy Agent Function uses Key Vault as secure store for sensitive information like ESA username and password.
Create ESA credentials secrets:
Navigate to Key Vault.
Under Objects, select Secrets > Generate/import.
Select Manual, then type in valid json as shown in the example for Secret value.
{"username": "<policy_export_user>", "password": "<password>"}Select Create.
Navigate to the secret details in Key Vault by selecting the newly created secret.
Inspect the current secret version properties by selecting the current version.
Copy the Secret Identifier value. For example
https://<myvault>.vault.azure.net/secrets/<mysecret>/abcdefgxyz8edef595adaehij0d99123.Record the Secret Identifier for later use.
ESA Credentials From Custom Azure Function App
Policy Agent Function requests ESA username and password from a custom Azure Function App, further referred to as ESA Credentials function. This method may be used to get the username and password from external vaults.
There are four options for configuring Policy Agent authorization with ESA Credentials function: Option 1, Option 2, Option 3 and Option 4. Only one option is expected to be configured at a time.
Create ESA credentials function:
Create Azure HTTP triggered ESA Credentials function using any supported runtime.
a. There is no input needed.
b. The function must accept an HTTP POST request.
c. The function must return the following response schema
``` response: type: json object properties: username: string password: string ``` For example, ``` {"username": "admin", "password": "Password1234"} ```Configure Policy Agent to use ESA Credentials function app.
a. Navigate to HTTP triggered function to open ‘Code + Test’ page.
b. Under ‘Code + Test’ tab on ‘Code + Test’ page select ‘Resource JSON’.
c. In ‘Resource JSON’ blade record the value of ‘invoke_url_template’ property.
**'invoke_url_template'** property is located towards the bottom of resource json. URL must be in the form of 'https://[function-app-name].azurewebsites.[net|us]/api/[http-trigger-name]'. **ESA Credentials function URL (EsaCredentialsFnUrl):__________**d. Navigate to Policy Agent function app.
e. Expand Settings menu item.
f. Select Environment Variables menu item.
g. Click Add button.
h. For Name use PTY_ESA_CREDENTIALS_FUNCTION.
i. For Value use ESA Credentials function URL (EsaCredentialsFnUrl) recorded in previous steps.
j. Hit Apply in Add/Edit application setting blade.
k. Hit Apply in App Settings tab.
Configure Authorization Option 1: Function Key Option 2: Key Vault Option 3: System-assigned Identity Option 4: User-assigned Identity
Authorization Option 1: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from environment variables.
Warning
Function keys provide a good way for unwanted access mitigation during development and prototyping, however a better approach is to make authorization decisions based on identity. Review Option 3 and Option 4 below.Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.
Navigate to ESA Credentials function app.
Expand Functions menu item.
Select App Keys.
Record default key value.
ESA Credentials function key (EsaCredentialsFnKey):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY.
For Value use ESA Credentials function key (EsaCredentialsFnKey) recorded in previous steps.
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.
Authorization Option 2: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from Azure Key Vault.
Warning
Function keys provide a good way for unwanted access mitigation during development and prototyping, however a better approach is to make authorization decisions based on identity. Review Option 3 and Option 4 below.Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.
Navigate to ESA Credentials function app.
Expand Functions menu item.
Select App Keys.
Record default key value.
ESA Credentials function key (EsaCredentialsFnKey):_______________
Navigate to Key Vault.
Under Objects, select Secrets > Generate/import.
Select Manual, type in secret name and use ESA Credentials function key value recorded in previous steps (EsaCredentialsFnKey) for Secret value.
Select Create.
Record Key Vault secret name.
ESA Credentials function key secret name (EsaCredentialsFnKeySecretName):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET.
For Value use ESA Credentials function key secret name (EsaCredentialsFnKeySecretName) recorded in previous steps.
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.
Authorization Option 3: Configure ESA Credentials authentication provider to authorize Policy Agent system-assigned identity.
Navigate to Policy Agent function app
Expand Settings menu item
Select Identity
Select System assigned tab
Status should already be On
Other Status indicates Policy Agent was installed without system-assigned identity. Before proceeding any further you need to either install Policy Agent with system-assigned identity or follow Option 4 which describes configuration steps for Policy Agent installed with user-assigned managed identity.
Copy Object (principal) ID
Navigate to ESA Credentials function app
Expand Settings menu item
Select Authentication
Select Add identity provider
Select Microsoft in identity provider dropdown
For App registration type provide details of your choice
For Issuer URL accept the default value
For Client application requirement select Allow requests from any application
Access will be limited to only the Policy Agent identity in the next step
For Identity requirement select Allow requests from specific identities
For Allowed identities add Object (principal) ID copied in previous step
For Restrict access select Require authentication
For Unauthenticated requests select HTTP 401 Unauthorized: recommended for APIs
Check Token store
Select Add
Click OK to apply constraint
Click Save
Navigate to Application of Microsoft identity provider
A link to identity providers application is available under Authentication menu item of ESA Credentials function
Expand Manage menu item
Select Expose an API
Copy Application ID URI or select Add if it does not exist and Save to accept the default value
Record Application ID URI of identity provider
ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.
For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.
Authorization Option 4: Configure ESA Credentials authentication provider to authorize Policy Agent user-assigned identity.
Navigate to Policy Agent function app
Expand Settings menu item
Select Identity
Select User assigned tab
User-assigned identity should already be provided. Missing user-assigned identity indicates Policy Agent was installed without user-assigned identity. Before proceeding any further you need to either install Policy Agent with user-assigned identity or follow Option 3 which describes configuration steps for Policy Agent installed with system-assigned managed identity.
Copy Client ID
Copy Object (principal) ID
Navigate to ESA Credentials function app
Expand Settings menu item
Select Authentication
Select Add identity provider
Select Microsoft in identity provider dropdown
For App registration type provide details of your choice
For Issuer URL accept the default value
For Client application requirement select Allow requests from specific client applications
For Allowed client applications add Client ID copied in previous step
Click OK to apply constraint
For Identity requirement select Allow requests from specific identities
For Allowed identities add Object (principal) ID copied in previous step
Click OK to apply constraint
Click Save
Navigate to Application of Microsoft identity provider
A link to identity providers application is available under Authentication menu item of ESA Credentials function
Expand Manage menu item
Select Expose an API
Copy Application ID URI or select Add if it does not exist and Save to accept the default value
Record Application ID URI of identity provider
ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.
For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.
Feedback
Was this page helpful?