Azure Logic Apps Secret Management

Logic Apps is an Azure workflow service for building business process automation and application integration scenarios in a graphical designer, with little or no code.

A Logic App can be built very quickly for a demo or a proof of concept. Real-world solutions, however, call for a few important practices, and one of them is how to handle secrets.

Logic Apps often hold sensitive data such as connection strings, passwords, API keys and authentication headers when integrating with other systems. Hard-coding these secrets in the workflow should be avoided: they are saved in clear text in the workflow definition, and therefore in the designer's code view and in any ARM template exported from the Logic App, where developers and Azure portal operators who have no business seeing them can read them; so much for keeping a secret!

Azure Key Vault provides a centralized, secure store for secrets. It manages and protects secrets that can be shared across the services that support it.

Let’s go through the following steps to demonstrate how to use Key Vault to securely store and access Logic Apps secrets.

1. Assign the Logic App instance a Managed Service Identity (MSI, now called a managed identity)

First, assign your Logic App instance an identity in Azure Active Directory (AAD). This is done with the system assigned identity switch in the Logic App's Identity blade, as shown below.

This is an application identity (a service principal) bound to the Logic App instance and managed by AAD: its credentials are never exposed to you, and a system-assigned identity is created and deleted together with the Logic App itself. The Key Vault instance will use this identity to apply access controls to its secrets.

2. Authorize the Logic App to access the Key Vault secrets

Now configure the Azure Key Vault instance's access policies to authorize the selected Logic App instance to access its secrets, both at design time in the designer and at run time.

It is important to note that a Key Vault access policy is not applied to individual secrets; it grants the identity the chosen permissions on every secret in the vault. So grant only what the workflow needs: the Get secret permission, plus List if you want the designer to enumerate the secrets. (If the vault uses the Azure RBAC permission model instead of access policies, the equivalent is assigning the identity the Key Vault Secrets User role.) I usually have one Key Vault instance for the set of services comprising a given solution or module, as long as sharing those secrets among the services is acceptable; otherwise I use more than one Key Vault instance.

3. Access the Key Vault secret from the Logic App

Using the [Get secret] action of the native Key Vault connector, with the connection authenticated as the Logic App's managed identity, you can list the secrets in the web designer, and the workflow retrieves the secret values at run time without saving any kind of access key in your application.

In the example below, I stored a backend API key as a secret (a name/value pair) in the Key Vault and used the retrieved value in the header of the subsequent HTTP action.

4. Hide Secrets from Runs History

You should also obfuscate the secret values in the Logic App's run history using the [Secure Inputs/Secure Outputs] settings, available on many Logic Apps actions and triggers. Turn on Secure Outputs on the Get secret action, and Secure Inputs on every downstream action that consumes the retrieved value (the HTTP action in the example above), so the secret is hidden on both sides of the hand-off.

This way, your secret values are protected against unauthorized reads by Logic App developers and operators who have access to the run history but not to the Key Vault.
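As an added example (not part of the original post), here is a small Python linter for the workflow definition JSON shown in the designer's code view. It flags the three things steps 3 and 4 are about: an API key typed straight into an HTTP header, a Key Vault Get secret action without Secure Outputs, and a downstream action that uses the retrieved value without Secure Inputs. The shape assumed for the connector action (an ApiConnection whose path is /secrets/<name>/value, with secureData under runtimeConfiguration), the connection name 'keyvault', the backend URL and both sample definitions are constructed for this example.

```python
import json
import re

# Header names whose literal values are almost always a credential.
SENSITIVE_HEADERS = {"authorization", "x-api-key", "api-key", "ocp-apim-subscription-key"}
# Matches a reference to another action's output body, e.g. @body('Get_secret')?['value']
BODY_REF = re.compile(r"@\{?body\('([^']+)'\)")


def secured(action, prop):
    """True if the action's runtimeConfiguration.secureData.properties lists prop."""
    props = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
    return prop in props


def is_keyvault_get_secret(action):
    """Assumed shape of the managed Key Vault connector's 'Get secret' action:
    an ApiConnection whose path is /secrets/<name>/value."""
    if action.get("type") != "ApiConnection":
        return False
    path = action.get("inputs", {}).get("path", "")
    return path.startswith("/secrets/") and path.endswith("/value")


def referenced_actions(value):
    """Names of actions whose body() is referenced anywhere inside value."""
    return set(BODY_REF.findall(json.dumps(value)))


def lint_definition(definition):
    """Return sorted (action_name, finding) tuples for a workflow definition."""
    actions = definition.get("actions", {})
    kv_actions = {name for name, a in actions.items() if is_keyvault_get_secret(a)}
    findings = []
    for name, action in actions.items():
        inputs = action.get("inputs", {})
        # (1) hard-coded secret: a sensitive header whose value is a literal, not an @expression
        for header, value in inputs.get("headers", {}).items():
            if header.lower() in SENSITIVE_HEADERS and isinstance(value, str) and "@" not in value:
                findings.append((name, f"literal value in sensitive header '{header}'"))
        # (2) Get secret action whose outputs are not hidden from run history
        if name in kv_actions and not secured(action, "outputs"):
            findings.append((name, "Key Vault 'Get secret' action lacks secure outputs"))
        # (3) action that consumes a retrieved secret without hiding its own inputs
        if referenced_actions(inputs) & kv_actions and not secured(action, "inputs"):
            findings.append((name, "consumes a Key Vault secret but lacks secure inputs"))
    return sorted(findings)


def without_secure_data(definition):
    """Deep copy of definition with every Secure Inputs/Outputs setting removed."""
    clone = json.loads(json.dumps(definition))
    for action in clone.get("actions", {}).values():
        action.pop("runtimeConfiguration", None)
    return clone


# Constructed sample: the anti-pattern, an API key pasted straight into the header.
BAD_DEFINITION = {
    "actions": {
        "Call_backend": {
            "type": "Http",
            "inputs": {
                "method": "GET",
                "uri": "https://backend.example.com/api/orders",
                "headers": {"x-api-key": "0123456789abcdef"},
            },
            "runAfter": {},
        }
    }
}

# Constructed sample: the pattern from the post. The Key Vault connection (assumed name
# 'keyvault') authenticates as the managed identity; Get_secret hides its outputs and
# Call_backend hides its inputs.
GOOD_DEFINITION = {
    "actions": {
        "Get_secret": {
            "type": "ApiConnection",
            "inputs": {
                "host": {"connection": {"name": "@parameters('$connections')['keyvault']['connectionId']"}},
                "method": "get",
                "path": "/secrets/@{encodeURIComponent('backend-api-key')}/value",
            },
            "runAfter": {},
            "runtimeConfiguration": {"secureData": {"properties": ["outputs"]}},
        },
        "Call_backend": {
            "type": "Http",
            "inputs": {
                "method": "GET",
                "uri": "https://backend.example.com/api/orders",
                "headers": {"x-api-key": "@body('Get_secret')?['value']"},
            },
            "runAfter": {"Get_secret": ["Succeeded"]},
            "runtimeConfiguration": {"secureData": {"properties": ["inputs"]}},
        },
    }
}

if __name__ == "__main__":
    for label, definition in (("bad", BAD_DEFINITION), ("good", GOOD_DEFINITION)):
        print(label, lint_definition(definition) or "no findings")
```

To run it against a real workflow, paste the definition from the designer's code view (or fetch it with the logic extension of the Azure CLI) into `lint_definition`. The literal-versus-expression test is a heuristic: a value containing "@" is treated as an expression, so it will not catch a literal that happens to contain that character.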

With Key Vault there is no need to store and manage an access key in your Logic App to retrieve the required secrets; in other words, you don't need to save one secret (an access key) in your application to access another secret (the target value). It all works thanks to Azure AD managed identity together with Key Vault access policies.