Receive credentials from keyvault within an IoT Hub edge module

Question

Receive credentials from keyvault within an IoT Hub edge module

Tobias Quadfasel 75

Hello!

I'm still new to azure and have the following problem:

I have an IoT hub with an edge device. On this device, several modules are deployed. Apart from the edgeHub and edgeAgent, there is some python code packaged in a docker container that runs there.

In this code, I need to access an azure key vault to get some credentials (connection strings, tokens etc.) to authenticate with other azure resources. I usually like to authenticate resources with managed identities, so I already put the system-assigned managed identity of the IoT hub in the access policy of my key vault with the necessary rights.

The problem is that the managed identity of the IoT hub is not available in the module and DefaultCredential throws an error. So how can I best access my secrets from within the module?

Manas Mohanty 13,340 Reputation points Moderator

2025-05-12T04:35:01.2933333+00:00

Hi Tobias Quadfasel

Hope the pointers from Suwarna S Kale and Sander van de Velde | MVP has been useful.

Please let us know if you have further queries on it.

Thank you.
Tobias Quadfasel 75 Reputation points

2025-05-12T07:39:01.1566667+00:00

Hi @Manas Mohanty The answers have been useful indeed. However, I had some follow-up questions which I just posted as comments to the respective answers.
Manas Mohanty 13,340 Reputation points Moderator

2025-05-15T10:50:57.3666667+00:00

Hi Tobias Quadfasel

We have not heard back from you. Hope the pointers shared from MVP and Community members helped address your query.

Please take a moment to accept any of the answer if you appreciated our inputs.

Thank you.
Tobias Quadfasel 75 Reputation points

2025-05-16T06:06:13.3066667+00:00

Hi Manas!
I still need approval by my superior to install the arc daemon on our on prem linux machine. Once I have that, I will test the approach with the managed identity of the device and if it works, accept the respective answer. I think it only makes sense to accept an answer once the suggested approach was also tested. This makes accepted answers also more reliable for other learners. I will ensure to do it ASAP once I have tested!

2 answers

Your answer

Manas Mohanty 13,340 Reputation points Moderator

2025-05-12T04:35:01.2933333+00:00

Hi Tobias Quadfasel

Hope the pointers from Suwarna S Kale and Sander van de Velde | MVP has been useful.

Please let us know if you have further queries on it.

Thank you.
Tobias Quadfasel 75 Reputation points

2025-05-12T07:39:01.1566667+00:00

Hi @Manas Mohanty The answers have been useful indeed. However, I had some follow-up questions which I just posted as comments to the respective answers.
Manas Mohanty 13,340 Reputation points Moderator

2025-05-15T10:50:57.3666667+00:00

Hi Tobias Quadfasel

We have not heard back from you. Hope the pointers shared from MVP and Community members helped address your query.

Please take a moment to accept any of the answer if you appreciated our inputs.

Thank you.
Tobias Quadfasel 75 Reputation points

2025-05-16T06:06:13.3066667+00:00

Hi Manas!
I still need approval by my superior to install the arc daemon on our on prem linux machine. Once I have that, I will test the approach with the managed identity of the device and if it works, accept the respective answer. I think it only makes sense to accept an answer once the suggested approach was also tested. This makes accepted answers also more reliable for other learners. I will ensure to do it ASAP once I have tested!

Answer 1

Suwarna S Kale 4,511

Hello Tobias Quadfasel,

Thank you for posting your question in the Microsoft Q&A forum.

To securely access Azure Key Vault from your IoT Edge module, you’ll need to implement one of the following approaches since the IoT Hub’s managed identity isn’t directly available to modules. The recommended method is to leverage the device’s own identity by enabling a managed identity for the IoT Edge device itself (if using Azure IoT Hub with Azure Arc-enabled devices) and granting it Key Vault Secret User access. Alternatively, you can use module-specific authentication by either:

Deploying a service principal (stored as an environment variable or in a secure module twin property) for Key Vault access.
Implementing certificate-based authentication (X.509) for the module, tied to Azure AD.
Using IoT Edge’s Key Store for secrets, synced from Key Vault via the IoT Edge runtime.

For minimal code changes, DefaultAzureCredential can still work if you configure environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET) in the module deployment manifest. However, for production, prefer device-level managed identities or certificate-based auth to avoid hardcoded credentials.

If your IoT Edge device runs on an Azure VM, you could also attach the VM’s managed identity to the module. Always ensure Key Vault firewall rules allow access from the module’s IP or trusted services.

Reference

https://dori-uw-1.kuma-moon.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

https://dori-uw-1.kuma-moon.com/en-us/entra/identity/managed-identities-azure-resources/overview

https://github.com/Azure/iotedge/issues/1300

If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.

Tobias Quadfasel 75 Reputation points

2025-05-12T07:27:00.0866667+00:00

Hey @Suwarna S Kale ! Thank you for your answer. If you don't mind, I have some follow up questions:

It seems the recommended method would be to connect my machine using azure arc and use its managed identity to authenticate against other azure services, such as azure key vault. My question would be if DefaultCredential (which on the machine should then select ManagedIdentityCredential for authentication) works on all modules of the device out-of-the-box, or do I have to take additional steps for a module to acquire the managed identity of the device it is running on? If so, what are these steps and would it be possible to point me to the respective documentation?

For your points regarding the implementation of module-specific authentication:

Do you know of any specific documentation for implementing certificate-based authentication on an IoT Edge Module, and also for the Key Store for secrets? Especially the latter sounds very interesting.

Thank you again for your advice!
Manas Mohanty 13,340 Reputation points Moderator

2025-05-13T08:45:31.6+00:00
Hi Tobias Quadfasel

If you go with Default Credentials, you have to enable system assigned identity and add the roles and permission manually again and again.

Managed identity acts as interface to quickly add available roles and assignments to resources through SDK.

You can leverage Manage Secrets Feature from IOT operation in below steps

Set Up Azure Key Vault:

Create an Azure Key Vault and add the necessary secrets.

Assign the required permissions to the managed identity of your IoT Edge container

Sync Secrets to the Edge:

Use the Azure Key Vault Secret Store extension for Kubernetes to sync the secrets from the cloud as Kubernetes secrets.

Ensure that the Azure IoT Operations instance is deployed with secure settings

Reference Secrets in the Container App:

Go to your container app in the Azure portal.

Under the Settings section, select Identity and enable the system-assigned managed identity.

Reference the Key Vault secrets in the container app's environment variables https://dori-uw-1.kuma-moon.com/en-us/azure/container-apps/manage-secrets?tabs=azure-portal

Below are relevant documents for X.509 authentication

https://dori-uw-1.kuma-moon.com/en-us/azure/iot-hub/authenticate-authorize-x509

Hope it addresses your query.

Thank you
Sander van de Velde | MVP 36,951 Reputation points MVP Volunteer Moderator

2025-05-19T20:52:14.71+00:00

The solution provided above works for Azure IoT Operations, not for Azure IoT Edge.

The question is about Azure IoT Edge.

Azure IoT Edge runs on Moby, thus the Docker container runtime, not on Kubernetes.
Manas Mohanty 13,340 Reputation points Moderator

2025-05-20T05:57:09.0633333+00:00

Ok. Sander.

Thank you for the clarification.

I guess saving it the key Vault secret as environment variable or module twin properties would be best for customer.

Thank you.
Tobias Quadfasel 75 Reputation points

2025-05-20T06:33:38.9033333+00:00

I will try to install the daemon on the machine today, in order to enable azure arc on the server, then go with its managed identity first. I hope it is easy for an IoT Edge Module to acquire this machine identity out-of-the box, since I have not heard back from @Suwarna S Kale regarding this question. If that does not work for some reason, I will go for the solution proposed by @Sander van de Velde | MVP using the module twin.

The issue mentioned by @Sander van de Velde | MVP is correct: I am using Azure IoT Edge, not IoT Operations.

Answer 2

Sander van de Velde | MVP 36,951 MVP Volunteer Moderator

Hello @Tobias Quadfasel ,

welcome to this moderated Azure community forum.

You want to distribute secrets to an Azure IoT Edge custom module.

These secrets are stored in an Azure keyvault.

The usual way to provide parameters to a module is making use of desired properties, part of the module twin.

The desired properties is a JSON structure and once updated in the cloud for a certain module in a certain device, it is picked up by the module (and a copy is stored in the EdgeHub for offline purposes) when a change is detected.

The device module can return a reported property in exchange to indicate the parameters is received.

Having these parameters distributed this way makes the data transmission lean and it supports offline scenarios. You also only need access to the IoT hub, other Azure resources (like a keyvault) do not need a public endpoint.

You want want to distribute secrets.

By default, the module twin is accessible by admins in the azure admin portal.

But you could also implement a custom flow and let the module ask for secrets by sending out a 'marked' message (eg having a specific application property (other than a system property)) so the IoT Hub routing could route the message to some logic (like an Azure Function).

Using the desired properties for distributing secrets with limited usages is a good idea because then offline support is still implemented.

I have used this to provide access to Azure Storage containers by creating a SAS token (which have a limited use in access and time). See this blog post with the example.

I'm not sure if Azure Keyvault supports SAS tokens (see this documentation) but a simular approach could work with any secret database...

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

Tobias Quadfasel 75 Reputation points

2025-05-12T07:35:44.3633333+00:00

Hey @Sander van de Velde | MVP Thank you for your answer! I have some follow-up questions for clarification if you don't mind.

So what I do not understand is why sharing secrets via module twin is considered secure. If I understand correctly, I would need to pass plain text secret information within a JSON-formatted string that is visible for all users with access to the IoT hub from the deployment. What would be the difference for example setting the secrets directly as environment variables in the module vs the module twin?

Thanks for mentioning the custom flow! I also read about "direct methods" which could pass information from the back end to the module. I was thinking about an azure function app which itself can have a managed identity to authenticate with the key vault and which sends the secrets to the module with direct method. I do not know if this seems like a viable authentication strategy? I should also mention that my device is constantly connected to the internet, so offline support is not needed in my specific use case.
Sander van de Velde | MVP 36,951 Reputation points MVP Volunteer Moderator

2025-05-12T21:20:46.2033333+00:00

Hello @Tobias Quadfasel ,

you are right, desired properties are not as secure as a keyvault.

Still, during transport, these properties are secure.

And you reuse the secure channel between edge and iot hub.

So, if you restrict access and make use of temporarily valuable tokens, the attack vector is minimal.

Actually, the same solution is used by the Azure Stream Analytics job, running on the Edge.

Environment variables? These are also seen on the edge, in docker. That is certainly insecure. Plus, when setting them, you need to restart the complete container.

Regarding the custom flow, direct methods only work when the device is online. plus, it provides no state. Every time the container starts, it must ask for the secrets to be send to the container when desired properties are stored in the EdgeHub.

Please design your edge solution to support offline scenarios. at some point in time, your device will start up without internet (power outages actually occur) and then it should start up using the correct settings.

With Azure Functions, you can build anything. But you have already a secure channel between edge and IoT Hub, why not using that for the two-way communication? An Azure Function is yet another attack vector...

Share via

Receive credentials from keyvault within an IoT Hub edge module

2 answers

Your answer