
Task 10: Key Vault

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Key Vault deployment
PURPOSE: Create centralized secret management for Azure Local infrastructure
MASTER REFERENCE: Microsoft Learn - Key Vault

Status: Active


Overview

This task creates the management Key Vault used to store deployment secrets (VPN shared keys, domain admin passwords, service account credentials) and certificates. All scripts that reference keyvault:// URIs in variables.yml resolve secrets from this vault.

Task Classification

Execution Target: Azure-Only (control-plane API operation)
Tab Profile: 3 tabs — Azure Portal · Azure CLI / PowerShell · Standalone Script

Terraform Reference

Module: azurelocal-toolkit
File: key-vault.tf
Mode: Management

Components Created

| Resource | Name Pattern | Purpose |
|----------|--------------|---------|
| Key Vault | kv-{customer}-platform | Management secrets store |

Key Vault Configuration

| Setting | Value | Source |
|---------|-------|--------|
| Name | Per config | azure_infrastructure.key_vaults.management.name |
| SKU | Standard | Default |
| Soft Delete | 7 days retention | Security best practice |
| Purge Protection | Enabled | Production requirement |
| RBAC Authorization | Enabled | Preferred over access policies |
| Public Access | Enabled | Required for Azure Local today |
| Network ACLs | Bypass Azure Services | AzureServices bypass |

Secrets to Populate

| Secret Name | Purpose | Config Path |
|-------------|---------|-------------|
| azlocal-admin-password | Azure Local node admin | azure_infrastructure.key_vaults.management.secrets.azlocal_admin_password |
| recovery-admin-password | Recovery admin | azure_infrastructure.key_vaults.management.secrets.recovery_admin_password |
| vpn-shared-key | S2S VPN PSK | azure_infrastructure.key_vaults.management.secrets.vpn_shared_key |

Prerequisites

  • Resource group exists
  • Key Vault Administrator or Contributor role
  • Secret values prepared (do NOT store them in YAML — use Key Vault only)

Variables from variables.yml

| Variable | Config Path | Example (IIC) |
|----------|-------------|---------------|
| Subscription ID | azure.subscriptions.<name>.id | (per environment) |
| Resource Group | azure_infrastructure.key_vaults.management.resource_group | rg-azrlmgmt-azl-eus-01 |
| Key Vault Name | azure_infrastructure.key_vaults.management.name | kv-iic-platform |
| Admin Password Secret | azure_infrastructure.key_vaults.management.secrets.azlocal_admin_password | azlocal-admin-password |
| Recovery Password Secret | azure_infrastructure.key_vaults.management.secrets.recovery_admin_password | recovery-admin-password |
| VPN Shared Key Secret | azure_infrastructure.key_vaults.management.secrets.vpn_shared_key | vpn-shared-key |

Single Subscription Model

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Customer subscription | azure.subscriptions.<name>.id |
| Resource Group | rg-azrlmgmt-{env}-{region}-01 | azure_infrastructure.key_vaults.management.resource_group |
| Key Vault Name | Per config | azure_infrastructure.key_vaults.management.name |

Execution Options

Azure Portal

When to use: Learning Azure Local, single deployment, prefer visual interface

Procedure

  1. Create Key Vault: search for Key vaults → + Create

     | Field | Value | Source |
     |-------|-------|--------|
     | Name | Per config | azure_infrastructure.key_vaults.management.name |
     | Subscription | Target subscription | azure.subscriptions.<name>.id |
     | Resource Group | Management RG | azure_infrastructure.key_vaults.management.resource_group |
     | Region | Your region | azure.region |
     | Pricing tier | Standard | — |

  2. Access Configuration:

     | Field | Value |
     |-------|-------|
     | Permission model | Azure role-based access control (recommended) |
     | Resource access | Enable Azure Resource Manager for template deployment |
     | Resource access | Enable Azure Virtual Machines for deployment |

  3. Networking:

     | Field | Value |
     |-------|-------|
     | Public access | All networks (required for Azure Local today) |
     | Allow trusted Microsoft services | Yes |

  4. Review + create: verify the settings → click Create

  5. Add Secrets: for each secret in the Secrets to Populate table above:

     • Key Vault → Secrets → + Generate/Import
     • Set Name and Value for each secret

Validation

  • Key Vault provisioning state: Succeeded
  • RBAC authorization enabled
  • Soft delete and purge protection enabled
  • All required secrets populated
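The same create, populate and validate steps as an Az PowerShell script (the CLI / PowerShell tab). This is an added example, not code from the runbook or the azurelocal-toolkit module; it assumes the IIC example values for resource group and vault name, `eastus` as azure.region, an Az.KeyVault version that exposes `-PublicNetworkAccess`, and that `Connect-AzAccount` has already been run against the target subscription.

```powershell
# Added example: create the management vault with the settings from the Key Vault
# Configuration table, load the three secrets interactively, then run the Validation checks.
$rg          = 'rg-azrlmgmt-azl-eus-01'   # azure_infrastructure.key_vaults.management.resource_group (IIC)
$vault       = 'kv-iic-platform'          # azure_infrastructure.key_vaults.management.name (IIC)
$location    = 'eastus'                   # assumption: azure.region for the IIC example
$secretNames = 'azlocal-admin-password', 'recovery-admin-password', 'vpn-shared-key'

# A soft-deleted vault with the same name blocks creation. Because purge protection is the
# standard here, the deleted vault cannot be purged; recover it instead of creating a new one.
if (Get-AzKeyVault -VaultName $vault -InRemovedState -ErrorAction SilentlyContinue) {
    Undo-AzKeyVaultRemoval -VaultName $vault -ResourceGroupName $rg -Location $location | Out-Null
}
elseif (-not (Get-AzKeyVault -VaultName $vault -ErrorAction SilentlyContinue)) {
    New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location -Sku Standard `
        -SoftDeleteRetentionInDays 7 -EnablePurgeProtection -EnableRbacAuthorization `
        -EnabledForTemplateDeployment -EnabledForDeployment -PublicNetworkAccess Enabled | Out-Null
}
# Public access stays on (required for Azure Local today); trusted Microsoft services bypass the firewall.
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -DefaultAction Allow -Bypass AzureServices

# Secret values are typed at the prompt as SecureString and never written to variables.yml.
foreach ($name in $secretNames) {
    $value = Read-Host -Prompt "Value for $name" -AsSecureString
    Set-AzKeyVaultSecret -VaultName $vault -Name $name -SecretValue $value | Out-Null
}

# Validation: one check per item in the Validation list (the caller needs a secrets-reading RBAC role).
$kv      = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
$missing = $secretNames | Where-Object {
    -not (Get-AzKeyVaultSecret -VaultName $vault -Name $_ -ErrorAction SilentlyContinue)
}
$checks = [ordered]@{
    'Provisioning state Succeeded' = (Get-AzResource -ResourceId $kv.ResourceId).Properties.provisioningState -eq 'Succeeded'
    'RBAC authorization enabled'   = ($kv.EnableRbacAuthorization -eq $true)
    'Soft delete enabled (7 days)' = ($kv.EnableSoftDelete -eq $true) -and ($kv.SoftDeleteRetentionInDays -eq 7)
    'Purge protection enabled'     = ($kv.EnablePurgeProtection -eq $true)
    'Azure Services bypass set'    = ("$($kv.NetworkAcls.Bypass)" -eq 'AzureServices')
    'All required secrets present' = (-not $missing)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
$failed = $checks.GetEnumerator() | Where-Object { -not $_.Value }
if ($failed) { Write-Error "Validation failed: $($failed.Key -join ', ')"; exit 1 }
```

Re-running the script is safe: an existing vault is left as-is, the network rule set is reapplied, and each `Set-AzKeyVaultSecret` creates a new secret version rather than failing.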

CAF/WAF Landing Zone Model

In the CAF/WAF model, the management Key Vault is deployed in the Management subscription.

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Management subscription | azure.subscriptions.management.id |
| Resource Group | rg-azrlmgmt-{env}-{region}-01 | azure_infrastructure.key_vaults.management.resource_group |
| Key Vault Name | Per config | azure_infrastructure.key_vaults.management.name |

Cluster Key Vault

A separate cluster Key Vault exists in the Cluster resource group for cluster-specific secrets. That is part of Stage 14-15 (Cluster Deployment), not this task.

Execution Options

Azure Portal

Follow the same procedure as Single Subscription → Azure Portal, targeting the Management subscription.

Validation

  • Key Vault in Management subscription
  • RBAC assignments for operators in other subscriptions
  • Cross-subscription access works via RBAC

Troubleshooting

| Issue | Root Cause | Remediation |
|-------|------------|-------------|
| Name already taken | Key Vault names are globally unique | Choose a different name or recover the soft-deleted vault |
| Soft-deleted vault blocks creation | Same name in deleted state | Purge: `Remove-AzKeyVault -VaultName $name -InRemovedState -Location $location` |
| Cannot access secrets | Missing RBAC role | Assign Key Vault Secrets User or Key Vault Administrator |
| Network access denied | Firewall blocking | Add client IP to network ACLs or use Azure Services bypass |
| Purge protection cannot be disabled | By design — irreversible | Plan purge protection before creation |


Version Control

  • Created: 2025-09-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-03 by Hybrid Cloud Solutions
  • Version: 4.0.0
  • Tags: azure-local, key-vault, security, secrets
  • Keywords: Key Vault, secrets, certificates, credentials, RBAC, soft delete
  • Author: Hybrid Cloud Solutions