In this session, we'll break down security for Azure Key Vault end-to-end in a variety of scenarios. Resources from this session are detailed below, along with the link to the video on YouTube.
- YouTube Video
- Related Installments
- Related Articles and Tutorials
- Azure Cloud Shell transcript (from live session)
SPONSOR: Need to stop and start your development VMs on a schedule? The Azure Resource Scheduler let's you schedule up to 10 Azure VMs for FREE! Learn more HERE
Watch the video on YouTube at https://youtu.be/QdPG-lCJKEc]
TO SUBSCRIBE: Click HERE to follow us on Youtube so you get a heads up on future videos!
A few areas we covered in this video include:
- Management plane security (RBAC)
- Data plane security (access policies)
- Deployment and management automation
- Azure Pipelines integration
- Certificate integration and lifecycle management
- Backing up and recovering AKV contents
You will find some of the code samples shown in this session in the articles below:
Day 90 - Restricting Network Access to Azure Key Vault
Day 70 - Managing Access to Linux VMs using Azure Key Vault - Part 3
Day 69 - Managing Access to Linux VMs using Azure Key Vault - Part 2
Day 68 - Managing Access to Linux VMs using Azure Key Vault - Part 1
Day 28 - Build Pipelines, Fine Tuning access to a Key Vault (Linux Edition)
Day 27 - Build Pipelines, Fine Tuning access to a Key Vault (Windows Edition)
Day 26 - Build Pipelines, Key Vault Integration (Windows Edition)
Day 25 - Build Pipelines, Key Vault Integration (Linux Edition)
Managed Identity in Azure DevOps Service Connections
https://stefanstranger.github.io/2019/03/02/ManageIdentityInServiceConnections/
Service connections (in Azure Pipelines)
Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal (Azure CLI)
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli
Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal (PowerShell)
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-powershell
Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-template?tabs=CLI
Use Key Vault from App Service with Managed Service Identity
The following are the highlights from the demos in Azure Cloud Shell
- Create Key Vault and Service Principal
- Create a Key Vault instance
- Create a Service Principal (SP)
- Grant Service Principal Access to Key Vault
- Grant the SP access to the Key Vault
- Grant the SP access to Key Vault secrets
- Grant a managed identity KV access
- Set and retrieve a secret:
- Set and retrieve from portal
- Set and retrieve a secret from Cloud Shell (Azure CLI)
On your Linux Host (with Azure CLI installed), open up a bash prompt and run the following command to create a new Resource Group.
az group create \
--name fine-tune-access-key-vault \
--location westeuropeYou should get back the following output.
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fine-tune-access-key-vault",
"location": "westeurope",
"managedBy": null,
"name": "fine-tune-access-key-vault",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null,
"type": "Microsoft.Resources/resourceGroups"
}Next, run the following command randomly generate 4 alphanumeric characters.
RANDOM_ALPHA=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 4 | head -n 1)NOTE: We are appending this to the name of our Key Vault to ensure its name is unique.
Next, run the following command to create an Azure Key Vault in the new Resource Group.
az keyvault create \
--name "iacftvault${RANDOM_ALPHA}" \
--resource-group fine-tune-access-key-vault \
--location westeurope \
--output tableYou should get back the following output when the task is finished.
Location Name ResourceGroup
---------- -------------- ---------------------------------
westeurope iacftvault31mr fine-tune-access-key-vaultNext, add the following secret to the Key Vault.
az keyvault secret set --name iac-secret-demo \
--vault-name "iacftvault${RANDOM_ALPHA}" \
--value "100Days0fIaC1!" \
--output tableYou should get back the following response.
Value
--------------
100Days0fIaC1!Next retrieve your Azure Subscription ID and store it in a variable.
AZURE_SUB_ID=$(az account show --query id --output tsv)If the above command doesn't work, manually add your Azure Subscription ID to the variable.
AZURE_SUB_ID="00000000-0000-0000-0000-000000000000"Next, run the following command to create a new Service Principal called sp-restricted-keyvault-access with no scope assignment.
AZURE_SP=$(az ad sp create-for-rbac \
--name "sp-restricted-keyvault-access" \
--role "reader" \
--scope "/subscriptions/$AZURE_SUB_ID/resourceGroups/fine-tune-access-key-vault/providers/Microsoft.KeyVault/vaults/iacftvault${RANDOM_ALPHA}" \
--years 1)You should get back a result similar to what is shown below.
Changing "sp-restricted-keyvault-access" to a valid URI of "http://sp-restricted-keyvault-access", which is the required format used for service principal names
Creating a role assignment under the scope of "/subscriptions/00000000-0000-0000-0000-000000000000"
Retrying role assignment creation: 1/36
Retrying role assignment creation: 2/36Next, run the following command to retrieve the appId of the Azure Service Principal.
echo $AZURE_SP | jq .appId | tr -d '"'Make a note of the result as we will be using it again soon.
2c965760-bb46-4add-94d0-f8e6d2985805Next, run the following command to retrieve the password of the Azure Service Principal.
echo $AZURE_SP | jq .password | tr -d '"'Make a note of the result as we will be using it again soon.
1e46de92-4c9d-43be-af36-ff26b87e30a3Next, run the following command to grant the Service Principal sp-restricted-keyvault-access get access to Secrets in the Key Vault.
az keyvault set-policy \
--name "iacftvault${RANDOM_ALPHA}" \
--spn "http://sp-restricted-keyvault-access" \
--secret-permissions get \
--output tableYou should get back a similar response.
Location Name ResourceGroup
---------- -------------- --------------------------
westeurope iacftvault31mr fine-tune-access-key-vaultNow, we will add a password to our AKV, and then retrieve that secret.
Add a secret (like a password) to Key Vault
az keyvault secret set --vault-name "Contoso-Vault2" --name "ExamplePassword" --value "hVFkk965BuUv"To view the value contained in the secret as plain text:
az keyvault secret show --name "ExamplePassword" --vault-name "Contoso-Vault2"This has been a deep drive into Azure Key Vault. If you've never tried it, try the many code samples we have provided here to get some hands-on practice.