
How to securely provide secrets to azure batch service running R scripts


I'm trying to find a way to provide sensitive data to my batch service job. The data is the SQL connection credentials that are being used in the R scripts to connect to SQL and fetch the tables. So the code looks like this if we have a config file in the batch working directory:

    # read the database settings from config.yml in the working directory
    dbConfig <- config::get(file = "config.yml")

    db_connect <- function(database_config_name){
      dbConfig <- config::get(database_config_name)
      connection <- DBI::dbConnect(odbc::odbc(),
                                   Driver = dbConfig$driver,
                                   Server = dbConfig$server,
                                   UID    = dbConfig$uid,
                                   PWD    = dbConfig$pwd,
                                   Database = dbConfig$database,
                                   encoding = "UTF-8"
      )
      connection
    }

To create this config file, I found the AzureKeyVault package to authenticate to my secrets in Azure Key Vault and write the file to the Azure Batch environment. So the code can look like:

    devtools::install_github("Azure/AzureKeyVault")

    # sign in to the vault and fetch the secret that holds the config
    vault <- AzureKeyVault::key_vault("https://mykeyvault.vault.azure.net")
    secret <- vault$secrets$get("secretname")

    # write the secret value out as config.yml and load it
    yaml::write_yaml(secret$value, "config.yml")

    dbConfig <- config::get(file = "config.yml")

Then the operations I'm supposed to do with the secrets, and delete it at the end:

    unlink("config.yml", recursive = FALSE, force = TRUE)

The problem with this operation is that it is not automatic authentication; the following is printed on the console:

    To sign in, use a web browser to open the page https://microsoft.com/devicelogin and
    enter the code xxxxxxxx to authenticate.
    Waiting for device code in browser...

This is not what I want. I want Azure Batch to authenticate automatically and get the secret. Or, if there is any other secure way of providing the secrets to Azure Batch.


Solution

  • You need to initialize your vault with application authentication:

    # load the app's certificate and exchange it for a Key Vault token
    cert  <- PKI::PKI.load.cert(file=system.file("certs", "app_cert.pfx", package="PKI"))
    token <- AzureAuth::get_azure_token("https://vault.azure.net", "myaadtenant",
                                         app="app_id", certificate=cert)
    vault <- AzureKeyVault::key_vault("mykeyvault", token=token)


    Or (recommended), using Managed Identity:

    vault <- AzureKeyVault::key_vault("mykeyvault", as_managed_identity=TRUE)
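Putting the managed-identity approach together with the asker's `db_connect`, as an added example that is not code from the question or the answer: the credentials are read straight from Key Vault and passed to `dbConnect`, so no `config.yml` is ever written to the node's disk. It assumes the Batch pool has a managed identity that has been granted `get` permission on the vault's secrets; `mykeyvault`, the four secret names and the ODBC driver name are placeholders.

```r
# Added example, not code from the question or the answer. Assumptions: the
# Batch pool has a managed identity with "get" permission on the vault's
# secrets; "mykeyvault", the secret names and the driver name are placeholders.
library(AzureKeyVault)
library(DBI)
library(odbc)

# One Key Vault secret per credential field (placeholder names), so nothing
# has to be serialised to a config.yml on the node.
secret_names <- c(server = "sql-server", database = "sql-database",
                  uid = "sql-uid", pwd = "sql-pwd")

get_db_config <- function(vault_name = "mykeyvault") {
  # as_managed_identity = TRUE takes a token from the node's identity
  # endpoint, so no device-code prompt is ever printed on the console.
  vault <- key_vault(vault_name, as_managed_identity = TRUE)
  cfg <- lapply(secret_names, function(name) vault$secrets$get(name)$value)
  cfg$driver <- "ODBC Driver 17 for SQL Server"  # assumed driver name
  cfg
}

db_connect <- function(vault_name = "mykeyvault") {
  cfg <- get_db_config(vault_name)
  # Credentials live only in this function's environment: they are handed to
  # dbConnect and never written to disk, so there is no file to unlink later.
  dbConnect(odbc(),
            Driver   = cfg$driver,
            Server   = cfg$server,
            Database = cfg$database,
            UID      = cfg$uid,
            PWD      = cfg$pwd,
            encoding = "UTF-8")
}

con <- db_connect()
print(dbListTables(con))
dbDisconnect(con)
```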