Use Vault Secret Credential with Azure Key Vault

Describes using vault secret credentials, where the credential secret (password) is stored in Azure Key Vault.

You can use vault secret credentials to access cloud resources, to access other databases through database links, or anywhere that username/password credentials are required. The password itself stays in Azure Key Vault; the database retrieves it at runtime, so it never has to appear in your SQL scripts.

Prerequisites to Create Vault Secret Credential with Azure Key Vault

Describes the required prerequisites to use vault secret credentials with Azure Key Vault.

To create vault secret credentials where the secret is stored in Azure Key Vault, first perform the required prerequisites.

  1. Enable Azure service principal authentication so that the Autonomous Database instance can authenticate to Azure and read the secret (password) in the Azure Key Vault.

    See Enable Azure Service Principal for more information.

  2. Create an Azure Key Vault and create a secret (password) in the vault.

    See About Azure Key Vault for more information.

  3. Set up and enable Azure Service Principal to provide access to the secret in the Azure Key Vault.

    In the Azure portal you must grant the service principal read (Get) access to the secret. Grant only the secret permissions the database needs; Get is sufficient for this use case.

    1. In the Azure portal, navigate to the "Key Vault" resource that contains the secret you created.
    2. Select "Access policies", then select Create.
    3. Under Permissions, select the Get permission in the Secret permissions section.
    4. Under Principal, enter the name of the service principal in the search field and select the appropriate result.
    5. Click Next.
    6. Under Review + create, review the access policy changes and click Create to save the access policy.
    7. Back on the Access policies page, verify that your access policy is listed.

    See Assign a Key Vault access policy for more information.

Create Vault Secret Credential with Azure Key Vault

Describes the steps to use an Azure Key Vault with vault secret credentials.

This allows you to store a secret in Azure Key Vault and use the secret with the credentials you create to access cloud resources or to access other databases.

To create vault secret credentials where the secret is stored in Azure Key Vault:

  1. Create the Azure Key Vault, the secret, and the access policy that allows your Autonomous Database instance (through its service principal) to read secrets in the Azure Key Vault, as described in the prerequisites above.
  2. Use DBMS_CLOUD.CREATE_CREDENTIAL to create a vault secret credential.

    For example:

    BEGIN
      DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name => 'AZURE_SECRET_CRED',
        params          => JSON_OBJECT(
          'username'         VALUE 'azure_user',
          'secret_id'        VALUE 'sales-secret',
          'azure_vault_name' VALUE 'azure_keyvault_name'));
    END;
    /

    Where:

    • username: is the username half of the credential. It can be the username of any type of username/password credential; the matching password is the secret read from Azure Key Vault.

    • secret_id: is the name of the secret in Azure Key Vault whose value is used as the password.

    • azure_vault_name: is the name of the Azure Key Vault in which the secret is stored.

    To create a vault secret credential you must have EXECUTE privilege on the DBMS_CLOUD package.

    See CREATE_CREDENTIAL Procedure for more information.

  3. Use the credential to access a cloud resource.

    For example:

    SELECT count(*) FROM DBMS_CLOUD.LIST_OBJECTS(
         'AZURE_SECRET_CRED',
         'https://adb_user.blob.core.windows.net/adb/');
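The following PL/SQL script is an added example and is not part of the Oracle documentation page. It carries the three steps above through in one re-runnable block: it drops a stale credential of the same name if one exists, creates the vault secret credential, confirms that the credential is registered and enabled in the USER_CREDENTIALS view, and then exercises it with DBMS_CLOUD.LIST_OBJECTS so that a misconfigured access policy or service principal shows up immediately rather than at first real use. The credential name, username, secret name, vault name and storage URL are placeholders taken from the page's example; replace them with your own values.

```sql
-- Added example (not from the documentation page): idempotent creation and
-- verification of a vault secret credential backed by Azure Key Vault.
-- All names and the storage URL below are placeholders for illustration.
SET SERVEROUTPUT ON

DECLARE
  l_cred_name CONSTANT VARCHAR2(128)  := 'AZURE_SECRET_CRED';
  l_url       CONSTANT VARCHAR2(4000) := 'https://adb_user.blob.core.windows.net/adb/';
  l_count     PLS_INTEGER;
BEGIN
  -- Remove an existing credential with the same name so the script can be
  -- re-run, for example after the secret name or vault name has changed.
  SELECT COUNT(*) INTO l_count
    FROM user_credentials
   WHERE credential_name = l_cred_name;
  IF l_count > 0 THEN
    DBMS_CLOUD.DROP_CREDENTIAL(credential_name => l_cred_name);
  END IF;

  -- No password appears in this script: the database reads it from Key Vault
  -- using the service principal that was granted the Get secret permission.
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => l_cred_name,
    params          => JSON_OBJECT(
      'username'         VALUE 'azure_user',
      'secret_id'        VALUE 'sales-secret',
      'azure_vault_name' VALUE 'azure_keyvault_name'));

  -- Confirm the credential is registered and enabled before relying on it.
  SELECT COUNT(*) INTO l_count
    FROM user_credentials
   WHERE credential_name = l_cred_name
     AND enabled = 'TRUE';
  IF l_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'credential ' || l_cred_name || ' was not created or is not enabled');
  END IF;

  -- Exercise the credential against the storage account. A failure here
  -- usually points at the Key Vault access policy or the service principal
  -- setup rather than at the credential definition itself.
  BEGIN
    SELECT COUNT(*) INTO l_count
      FROM DBMS_CLOUD.LIST_OBJECTS(l_cred_name, l_url);
    DBMS_OUTPUT.PUT_LINE(l_cred_name || ' works: ' || l_count || ' object(s) listed');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE(l_cred_name || ' failed against ' || l_url || ': ' || SQLERRM);
      RAISE;
  END;
END;
/
```

Run the script as the database user that owns the credential; it needs EXECUTE on DBMS_CLOUD, as the text above notes. Because the check queries USER_CREDENTIALS, it only sees credentials in the current schema; use ALL_CREDENTIALS or DBA_CREDENTIALS if the credential belongs to another schema.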

Note

Every 12 hours the secret (password) is refreshed from the content in the Azure Key Vault. If you change the secret value in the Azure Key Vault, it can take up to 12 hours for the Autonomous Database instance to pick up the latest secret value.

Run DBMS_CLOUD.REFRESH_VAULT_CREDENTIAL to immediately refresh a vault secret credential. This procedure gets the latest version of the vault secret from Azure Key Vault. See REFRESH_VAULT_CREDENTIAL Procedure for more information.
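The following PL/SQL block is an added example, not code from the documentation page. It shows a secret rotation from the database side: after the secret value has been changed in Azure Key Vault, it forces an immediate refresh with DBMS_CLOUD.REFRESH_VAULT_CREDENTIAL rather than waiting up to 12 hours, then proves the refreshed value is accepted by the target service by listing objects with the credential. The credential name and storage URL are placeholders carried over from the page's example.

```sql
-- Added example (not from the documentation page): pull the latest secret
-- version from Azure Key Vault now and confirm it works. The credential name
-- and storage URL are placeholders for illustration.
SET SERVEROUTPUT ON

DECLARE
  l_cred_name CONSTANT VARCHAR2(128)  := 'AZURE_SECRET_CRED';
  l_url       CONSTANT VARCHAR2(4000) := 'https://adb_user.blob.core.windows.net/adb/';
  l_count     PLS_INTEGER;
BEGIN
  -- Fetch the current secret version from Key Vault immediately instead of
  -- waiting for the periodic 12-hour refresh.
  DBMS_CLOUD.REFRESH_VAULT_CREDENTIAL(credential_name => l_cred_name);

  -- Verify that the refreshed value is accepted by the storage account. If
  -- the old value was already invalidated on the Azure side, this is the call
  -- that would fail, so the check is done before declaring the rotation done.
  BEGIN
    SELECT COUNT(*) INTO l_count
      FROM DBMS_CLOUD.LIST_OBJECTS(l_cred_name, l_url);
    DBMS_OUTPUT.PUT_LINE('refresh of ' || l_cred_name || ' verified: '
                         || l_count || ' object(s) listed');
  EXCEPTION
    WHEN OTHERS THEN
      -- Report with context and re-raise so a calling job sees the failure.
      DBMS_OUTPUT.PUT_LINE('refresh of ' || l_cred_name
                           || ' did not yield a working secret: ' || SQLERRM);
      RAISE;
  END;
END;
/
```

A safe rotation order is: set the new secret value in Azure Key Vault, run this block to refresh and verify from the database, and only then retire the old value on the Azure side. Retiring the old value first leaves a window of up to 12 hours in which the database would still present the stale password unless the refresh procedure is run.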