Using Azure Logic Apps and Key Vault to encrypt data and push to dynamic endpoints.
In this little demo, we are going to use a single Azure Logic App to encrypt some data using a key in our Key Vault and then push that encrypted data out to dynamic endpoints. These endpoints will be determined by the data in the body of the HTTP request which we will use to trigger the flow.
Below is a visual representation of what we will try to achieve.
My business use case was to push data out in near real time to various endpoints. Creating separate static connections seemed like overkill and wasn’t a very flexible option. Logic Apps is an easy-to-use Azure service that can be configured, without code, to do a wide variety of tasks.
The first step is to create the Logic app. You can follow the instructions in the link https://docs.microsoft.com/en-us/azure/logic-apps/quickstart-create-first-logic-app-workflow to create the service.
1. Sign in to the Azure portal with your Azure account credentials.
2. In the Azure portal search box, type in “logic apps” and select Logic Apps.
3. On the Logic Apps page, select Create.
4. Select your subscription and resource group (or create a new one). I’ve named mine “testlogica”.
5. Enter a name for your logic app and select the region. I’ve selected “North Europe”.
6. Click on Review and Create and finally click on Create.
To give our logic app access to the key vault, we will use a managed identity, which is a secure way to grant access to our resources without storing credentials.
1) Click on “Identity” under “Settings”.
2) Switch the “Status” toggle to On to create a system-assigned managed identity. Don’t forget to click Save. You will get a pop-up asking you to confirm, so click “Yes”.
With the above steps, we have created a managed identity for our logic app which we can grant access to our key vault.
Now let’s create our Key vault to store the key that will be used to encrypt our data.
1) Go to the Azure portal and type in “Key vault” in the search box on the top. Click on “Key vaults”.
2) Click on Create.
3) Enter your subscription, resource group, a name and region. For our demo, we just need a standard pricing tier key vault. Leave all other options as default.
4) Click on Review + create.
5) Click on Create.
Now let us grant our new managed identity encrypt access to the key vault.
1) Go to your key vault and click on “Access policies” under settings on the left pane.
2) Click on “+Add Access Policy”.
3) Use the “Key Management” template. Under key permissions, just select “Get”, “List” and “Encrypt”. We do not need any Secret or Certificate permissions for this demo.
4) Then click on the “None selected” next to “Select principal”. You should be able to type in the name of your logic app and select it. Click on Select.
5) Your screen should look like this. Click on Add.
6) DO NOT FORGET to click the SAVE BUTTON in the next screen.
The next step is to create a key with which you can encrypt your data.
1) Go to your key vault and click on “Keys” under settings on the left pane.
2) Click on “+ Generate/Import”.
3) Under Options, select “Generate” (you can use Import if you already have an encryption key). Give your key a name for reference. Leave all the other options as default, though you can modify them as per your encryption requirements.
4) Click on Create.
So now we have a logic app and a key vault with an encryption key, and we have given the logic app encrypt access. The final step is to create the actual workflow for your logic app.
1) Go to your logic app and click on Logic app Designer under “Development Tools”.
2) For our purpose, we are going to trigger the logic app via an HTTP request, so click on “When a HTTP request is received” as the starting trigger.
3) The logic app needs to understand the format of the incoming message. You can either describe the JSON format manually or let Logic Apps do it for you from a sample JSON message. We will choose the latter. Click on “Use sample payload to generate schema”.
4) Enter your JSON sample body. I have put what I used below so you can follow along.
I have used data1, data2 and data3 but really the field names can be anything. You can even have nested JSON.

```json
{
  "data1": "This will be the endpoint",
  "data2": "Data to be encrypted",
  "data3": "This is for endpoint1"
}
```
5) When you click on Done, Logic Apps will generate the schema for you.
6) Now click on “+New step”. We will use this step to encrypt the data in “data2” field.
7) Search for “Key vault” and you will get a list of actions specific to Key vault. Select “Encrypt data with key”.
8) We will have a few options to sign into the Key vault but since we have already given access to the managed identity, we will choose that option.
9) Enter a connection name for reference. Enter the name of your key vault and click on Create.
10) If you have done everything correctly, you should be able to see your key in the drop-down list. If not, you may not have set up the access policies correctly in the key vault, so you may want to recheck those steps.
11) When you click on “Raw data” you will get an option to select what data you want to encrypt. Click on “data2”.
12) Now click on “+ New step” to add one more step. We will push the encrypted data out to the endpoint which is determined by “data1” in the HTTP trigger.
13) Select the “HTTP” action to invoke an HTTP API.
14) Select the “POST” method. In the URI field, a drop-down will appear; select “data1”. In the Body field, a drop-down will appear; select “encryptedData” and “data3”. What we are essentially doing here is pushing the encrypted “data2” together with “data3” to the endpoint determined by “data1”.
15) We can add authentication into the API push but we will not do that for this demo.
16) Click on Save and you are done.
17) Click the first step to open it up. This will give you the logic app endpoint to trigger the flow. Copy the URL for later use. Note that this is an HTTPS endpoint.
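The two things the workflow relies on above are the schema generated from the sample payload (steps 3 to 5) and the fact that “data1” from the request body becomes the POST target (steps 12 to 14). The following is an added example, not code from the original tutorial or from Logic Apps: a small Python model of what the designer’s schema generation does, a validator for incoming bodies, and an allowlist check for the destination URL. The schema generation rules and the helper names are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample payload with the tutorial's three fields: "data1" is the
# destination URL (placeholder), "data2" is the value Key Vault will encrypt.
SAMPLE_PAYLOAD = {
    "data1": "https://webhook.site/<your-unique-id>",
    "data2": "Data to be encrypted",
    "data3": "This is for endpoint1",
}

def generate_schema(sample):
    # Infer a schema from a sample value (assumed to mirror the designer's
    # "Use sample payload to generate schema"; nested objects recurse).
    if isinstance(sample, dict):
        return {"type": "object",
                "properties": {k: generate_schema(v) for k, v in sample.items()}}
    if isinstance(sample, list):
        return {"type": "array"}
    for py_type, name in ((bool, "boolean"), (int, "integer"), (float, "number")):
        if isinstance(sample, py_type):   # bool is checked first: it subclasses int
            return {"type": name}
    return {"type": "null"} if sample is None else {"type": "string"}

PY_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool,
            "integer": int, "number": (int, float), "null": type(None)}

def validate(body, schema, path="$"):
    # Return a list of mismatches; an empty list means the body fits the schema.
    expected = schema["type"]
    wrong = not isinstance(body, PY_TYPES[expected]) or (
        expected in ("integer", "number") and isinstance(body, bool))
    if wrong:
        return [f"{path}: expected {expected}, got {type(body).__name__}"]
    errors = []
    if expected == "object":
        for key, sub in schema["properties"].items():
            if key not in body:
                errors.append(f"{path}.{key}: missing")
            else:
                errors.extend(validate(body[key], sub, f"{path}.{key}"))
    return errors

def endpoint_allowed(url, allowed_hosts):
    # "data1" becomes the POST target, so accept only https URLs whose host is
    # on an allowlist (the tutorial's flow forwards to whatever URL is sent).
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts
```

In a Logic App the same allowlist check can be expressed as a Condition action in front of the HTTP action; the function above just makes the rule explicit.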
We will now create our test setup. We will trigger our logic app using a Postman API call.
We will use https://webhook.site/ to give us a test endpoint to which we can push the data.
1) Create a new POST API call in Postman. Enter the logic app URL as the request URL. In the body, enter the data below. The endpoint for “data1” will be unique for you and will be supplied when you go to https://webhook.site/ (a placeholder is shown below). Keep this page open so you can see the results. You can put any data into “data2” and “data3”.

```json
{
  "data1": "https://webhook.site/<your-unique-id>",
  "data2": "This is a some test data1",
  "data3": "This is for endpoint1"
}
```
2) Click on “Send”.
3) If you are monitoring the https://webhook.site/ page, you will see a transaction pop up. This is because our logic app has pushed data to this endpoint. Notice the encrypted data along with our “data3”, circled in red in the snapshot.
4) If you look at the run history in Logic Apps, you can see the raw input and the encrypted output.
5) If you would like to hide the input and output from view in the logic app run history, you can secure the input and/or outputs by following the instructions in the link https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal.
So basically we managed to use just one logic app flow to push data to different endpoints.
If you are using this for real-time triggers/events/transactions, a word of caution. Logic Apps is great if the number of triggers is low. If your number of triggers per day is going to run into the millions, Functions is probably a better option because it is cheaper. The benefit of Logic Apps over Functions is that there is no coding required; it can be done entirely through configuration.
As an exercise, you can try pushing the same encrypted data back to a different logic app and have that logic app decrypt the data for you.
I hope this tutorial was helpful. Drop me a note/comment if you have any questions.
Until next time!