You can integrate Twistlock with Azure Key Vault. First configure Twistlock to access your Key Vault, then create rules to inject the relevant secrets into their associated containers.

Prerequisites

Procedure

  1. Create an Azure servicePrincipal in your Azure AD Tenant

    1. Use the AZ CLI to create a servicePrincipal and obtain the JSON credential file.

    2. Authenticate to your Azure tenant.

      $ az login
    3. Create a servicePrincipal

      $ az ad sp create-for-rbac
    4. Save the resulting JSON output.

      {
        "appId": "xxxxxxxx-xxxxx-xxxx-xxxxxxxx",
        "displayName": "azure-cli-2018-11-01-xx-xx-xx",
        "name": "http://azure-cli-2018-11-01-xx-xx-xx",
        "password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "tenant": "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
      }
    5. In the Azure Key Vault, add the servicePrincipal to the Access Policies with the following permissions:

      secrets/get permission
      secrets/list permission
  2. In the Twistlock Console, go to Manage > Authentication > Secrets.

  3. Click Add store.

    1. Enter a name for the vault. This name is used when you create rules to inject secrets into specific containers.

    2. For Type, select Azure Key Vault.

    3. For Address, enter https://<vault-name>.vault.azure.net (this address can be found in the Azure Key Vault's properties, in the DNS Name element).

    4. In Credential, click Add new.

    5. Enter a name for the credentials.

    6. In Type, select Azure.

    7. In Service Key, enter the JSON credentials returned from the az ad sp create-for-rbac command.

    8. Click Save.

    9. Click Add.
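As an added pre-flight check (example code written for this page, not part of the Twistlock documentation or product), the following Python validates the credential JSON returned by az ad sp create-for-rbac before it is pasted into the Service Key field, derives the store Address from the vault name, and builds the az keyvault set-policy command that grants the servicePrincipal only the secrets/get and secrets/list permissions listed above. The credential values and vault name used as input are constructed placeholders.

```python
import json
import re
import shlex

# Fields of the JSON returned by `az ad sp create-for-rbac` that Twistlock needs
# to authenticate as the servicePrincipal (names as shown in the procedure).
REQUIRED_FIELDS = ("appId", "password", "tenant")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Azure Key Vault naming rules: 3-24 characters, letters/digits/hyphens,
# must start with a letter and end with a letter or digit.
VAULT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")

# Constructed sample credential file (placeholder values, not real secrets).
SAMPLE_SERVICE_KEY = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "azure-cli-2018-11-01-00-00-00",
    "name": "http://azure-cli-2018-11-01-00-00-00",
    "password": "placeholder-client-secret",
    "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
})

def validate_service_key(raw: str) -> dict:
    """Parse the credential JSON and reject it if it cannot work as a Service Key."""
    creds = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if not creds.get(f)]
    if missing:
        raise ValueError(f"service key is missing fields: {missing}")
    for field in ("appId", "tenant"):
        if not GUID_RE.match(creds[field]):
            raise ValueError(f"{field} is not a GUID: {creds[field]!r}")
    return creds

def vault_address(vault_name: str) -> str:
    """Build the Address value the Add store dialog expects for this vault."""
    if not VAULT_NAME_RE.match(vault_name):
        raise ValueError(f"invalid Key Vault name: {vault_name!r}")
    return f"https://{vault_name}.vault.azure.net"

def access_policy_command(vault_name: str, creds: dict) -> str:
    """Least-privilege access policy: only secrets/get and secrets/list."""
    return " ".join([
        "az keyvault set-policy",
        "--name", shlex.quote(vault_name),
        "--spn", shlex.quote(creds["appId"]),
        "--secret-permissions get list",
    ])

if __name__ == "__main__":
    sp = validate_service_key(SAMPLE_SERVICE_KEY)
    print(vault_address("my-vault"))
    print(access_policy_command("my-vault", sp))
```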

Results

After adding the new store, Twistlock tries connecting to your vault. If it is successful, the dialog closes and an entry is added to the table. Otherwise, any connection errors are displayed directly in the configuration dialog.