How to create and use Azure KeyVault in Orchestrator

To create and use Azure KV as a credential store for Robots in Orchestrator, follow these steps:

1) Enable the AKV plugin in the Orchestrator dll.config as stated here (for the PaaS version, you can add the values on the Configuration page):
2) Create an app registration in Azure and define a secret for it:

3) Create a key vault and add an access policy for that application registration:
4) Define the credential store from the Orchestrator’s interface:

5) When you define a user, choose the newly created AKV; the user's credentials are automatically saved into it:


Why is this needed?
Azure Key Vault (AKV) was designed as a read-write store: the password is provided when creating the robot, stored securely in AKV, and retrieved from there when needed. This means that when you provide the password, Orchestrator makes an API call to the Key Vault and creates a secret containing that password. After that, go to Azure KV > Secret and check that it has been created. A random value should appear for the “Secret”, like this:


When you open that secret, the password for the user should be displayed.
It has been designed this way because of the random string that Azure KV provides when creating a secret; if it were not done this way, the secret would be very hard to retrieve and maintain.
The password is not stored in Orchestrator or in its database, only in Azure KV. It needs to be entered only the first time, for the API call that creates the secret in KV with that value.
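
The access policy from step 3 decides what the app registration can do in the vault, so it is worth checking that it grants no more than the create-and-retrieve behaviour described above. The following is an added example, not UiPath or Microsoft code: it audits the JSON printed by `az keyvault show` for one principal. The needed permission set (`get`, `set`), the function name and all sample ids are assumptions made for illustration.

```python
import json

# Assumption: the page describes Orchestrator creating a secret and reading it
# back, so "set" and "get" are treated as the permissions the app needs.
NEEDED = frozenset({"get", "set"})

def audit_access_policy(vault, object_id, needed=NEEDED):
    """Findings for one principal in the JSON printed by `az keyvault show`."""
    props = vault.get("properties") or {}
    if props.get("enableRbacAuthorization"):
        return ["vault uses Azure RBAC, so access policies are not evaluated"]
    entries = [e for e in props.get("accessPolicies") or []
               if (e.get("objectId") or "").lower() == object_id.lower()]
    if not entries:
        return ["no access policy entry for this principal"]
    findings = []
    for entry in entries:
        perms = entry.get("permissions") or {}
        secrets = {p.lower() for p in perms.get("secrets") or []}
        missing = set(needed) - secrets
        if "all" in secrets:
            findings.append("secrets: 'all' granted instead of an explicit list")
        elif missing:
            findings.append("secrets: missing " + ", ".join(sorted(missing)))
        excess = secrets - set(needed) - {"all"}
        if excess:
            findings.append("secrets: not needed " + ", ".join(sorted(excess)))
        # Key, certificate and storage permissions play no part in storing passwords.
        for kind in ("keys", "certificates", "storage"):
            granted = sorted(p.lower() for p in perms.get(kind) or [])
            if granted:
                findings.append(kind + ": not needed " + ", ".join(granted))
    return findings

# Constructed sample, shaped like `az keyvault show` output (all ids are made up).
SAMPLE_VAULT = json.loads("""
{"name": "kv-example", "properties": {"enableRbacAuthorization": false,
 "accessPolicies": [
  {"objectId": "00000000-0000-0000-0000-0000000000a1",
   "permissions": {"secrets": ["Get", "Set", "List", "Purge"],
                   "keys": ["Get"], "certificates": []}},
  {"objectId": "00000000-0000-0000-0000-0000000000b2",
   "permissions": {"secrets": ["get", "set"], "keys": [], "certificates": null}}
 ]}}
""")

if __name__ == "__main__":
    for oid in ("00000000-0000-0000-0000-0000000000a1",
                "00000000-0000-0000-0000-0000000000b2"):
        print(oid, audit_access_policy(SAMPLE_VAULT, oid) or "ok")
```

If your deployment needs Orchestrator to perform other secret operations, pass a wider `needed` set rather than granting `all`.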