I am working on an app developed using Xamarin Forms. The app connects to a container on Azure to read a couple of text files. The text files don't contain any confidential or secret information, just some publicly available information that the app uses.
I am able to connect to the storage container and read the blob without issue however I am readying the app for release to the App store and Google Play store so was following this guide around using Shared Access Keys to connect to Azure.
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
To be honest, I am a bit confused as to which approach I should use. The app itself will be connecting to the container and reading the blob, so it won't be an actual "user" as such like joeB, or JaneB. That makes me think a user delegated SAS is not the way to go, although the documentation seems to suggest this is the most secure option.
I also noticed the user delegated SAS token itself expires after a period of time and the app started crashing when trying to authenticate/connect. I am not sure if that is also the case with a service SAS and account SAS.
Basically, for my use case (an app reading a text file in a container in Azure), which is the best option for me to use based on those listed in the link above? Has anyone else done something similar? If so, how did you secure your connection string?
Thanks!
Maybe I'm going about this the wrong way, but I uploaded an SSH key to my Key Vault and am trying to pass this to an SFTP-SSH connection in my logic app.
However, when I try to put the secret value into the SSH private key field of the connection, it doesn't bring up the Dynamic variables form. I'm guessing this might be because the API Connection is a separate object outside the Logic App?
Is there a way for me to pass the ssh key from the key vault to the SFTP connection? Whether it's in the logic app or not. I want to be able to deploy this solution without re-entering the key manually into the API.
I actually found this video where the guy looked like he's going to do exactly this type of flow, but it looks like part 1 of the video and there's no part 2 where the actual execution of this happens:
https://www.youtube.com/watch?v=5W8g0KER8RM
You cannot do this from the portal.
The YouTube video you refer to is to allow ease of deployment using ARM templates. Sadly the 2nd part of the video is not available.
If you are using the portal, you need to set up the connection the first time. This is also secure as no one can see the credentials once the connection is made. But this is not ok when you have to redeploy the logic app to multiple environments, in which case you need to manually set up the connection credentials each time. To make this task easy, you set up the SSH keys as shown in the video, and then configure an ARM template to use the secrets from the key vault.
You can check the Microsoft forum answer to the same question HERE.
I've done everything from giving both vault and app god powers and what not, created a multitude of endpoints and VPNs, and god knows what. Still, when passing a Key Vault reference to the Web App config, it is unable to resolve, saying I have insignificant privileges. Basically, I'm trying to make it so I can retrieve secrets from my vault so I don't have to embed them in my code. I am using the free trial. I feel like I'm missing something obvious but at the same time, given the ungodly amount of power my Web App and Vault have now, I'm not so sure.... :/ I am trying to do this without using the CLI, as it appears kaput (it doesn't recognize my UPN and when I use object ID I get that AK10032 warning).
I have found that the reason I cannot access the key vault using an endpoint is because using a vnet resource to access resources is for paid accounts. I have to set network to allow all connections for the Web App to be able to connect to a vault.
As for the latter part of my issue, I figured out that for some reason VS Code was not processing the environment variable, so I had to explicitly pass the needed param, so problem solved there.
I had a talk with a friend today about a project his startup is doing. It is a Node.js application with a MongoDB backend hosted on Google Cloud App Engine. To my horror I saw that he has stored secrets such as API keys and database keys in his git repo.
I come from an Azure and .NET background so I am used to using Azure Key Vault, and don't know what is the preferred way of doing it in GAE. I have tried to read the docs but there are a lot of options and none seems to quite mirror what I am used to in Azure.
I would like to help my friend out.
So could anyone please point me towards what product I should read up on. Is it HashiCorp Vault, Google Cloud HMS or Berglas? My needs are that the vault needs to be able to store secrets encrypted and the Node.js app should not need to worry about authenticating with the vault. The vault should just allow the service account to read secrets.
If the vault can also fit into a Terraform setup where we can provision all resources and at provisioning also generate the secrets needed and then put them into the vault without any human ever laying eyes on that secret, then that would be really awesome! That way we could also create a setup where he would be able to provision a full disposable environment based on a feature branch. But that is just a nice to have.
Based on the fact that you want to use Terraform as well, I would suggest using HashiCorp. There is a blog post about the combination of those 2 from Google. In general, all those solutions that you mentioned in your question are viable and you can find more here.
I am working in an Azure Storage Static Website. This website is publicly available and is intended to perform operations against Azure Storage (manage multimedia - CRUD actions). I am afraid that since it is a client-side app, anybody can use the code to perform unintended operations against the storage account. Any thoughts on how I can protect the app against this? Also I am looking for a solution to avoid hardcoded keys/SAS tokens to have permission for the operations against the storage account. I was thinking about using the managed service identity. Anyone had experience with it, since it is in preview mode?
You should definitely not put keys or SAS tokens client-side. As you say, anybody can obtain this and get access to the storage account. One solution is to use an HTTP-triggered serverless function to generate a SAS token as needed. Then you can issue a time-limited SAS to only the resources you want to be publicly accessible. The below tutorial shows how to do this.
https://learn.microsoft.com/en-us/azure/functions/tutorial-static-website-serverless-api-with-database
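One way to build the function the answer above describes, as an added example that is not part of the original post or the linked tutorial: an HTTP-triggered Azure Function (C#, in-process model) that issues a read-only service SAS for one allowlisted blob, valid for ten minutes, using the Azure.Storage.Blobs SDK. The function name, the allowlist entries and the app-setting names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Azure.Storage;
using Azure.Storage.Sas;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;

public static class IssueReadSas
{
    // Constructed allowlist: only these blobs can be handed out, so the function
    // cannot be turned into a general-purpose SAS minter for the whole account.
    private static readonly HashSet<string> AllowedBlobs =
        new HashSet<string>(StringComparer.Ordinal) { "public/notes.txt", "public/config.txt" };

    [FunctionName("IssueReadSas")]
    public static IActionResult Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "sas")] HttpRequest req)
    {
        string blobName = req.Query["blob"];
        if (string.IsNullOrEmpty(blobName) || !AllowedBlobs.Contains(blobName))
            return new NotFoundResult();
        // The account key lives in app settings (ideally a Key Vault reference), never in the client.
        string accountName = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_NAME");
        string accountKey = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_KEY");
        string containerName = Environment.GetEnvironmentVariable("STORAGE_CONTAINER");
        string url = BuildReadOnlyBlobUrl(accountName, accountKey, containerName, blobName, TimeSpan.FromMinutes(10));
        return new OkObjectResult(new { url });
    }

    // Service SAS scoped to one blob ("b"), read permission only, HTTPS only, short lifetime.
    public static string BuildReadOnlyBlobUrl(string accountName, string accountKey,
        string containerName, string blobName, TimeSpan lifetime)
    {
        var builder = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5), // small clock-skew allowance
            ExpiresOn = DateTimeOffset.UtcNow.Add(lifetime),
            Protocol = SasProtocol.Https,
        };
        builder.SetPermissions(BlobSasPermissions.Read);
        var credential = new StorageSharedKeyCredential(accountName, accountKey);
        string token = builder.ToSasQueryParameters(credential).ToString();
        return $"https://{accountName}.blob.core.windows.net/{containerName}/{blobName}?{token}";
    }
}
```

The client only ever receives a URL that grants read access to one blob for a few minutes; if write access is needed, the same pattern applies with a separate, authenticated function that sets a narrower permission and target per caller.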
The static website endpoint is strictly read only. So the client will not be able to change the content of the website.
Currently the static website is anonymous access. "Add OAuth" will be added soon. For read access, once the site is enabled, it'll be available to the whole public.
Currently we don't have oauth support. Anybody can read the content of the website as long as they have the uri
According to the releases a few days ago by ScottGu, it's now possible to use the Windows Azure Management API without client certificates.
Are there any examples of doing this?
I have an Azure Cloud Service Package that I would like to let people deploy from my website. Therefore I would like, from JavaScript, to authenticate the user to their Azure subscription (some OAuth against the WAAD) and then by REST API deploy my package for them.
I don't need concrete examples, but just some pointers on how I could do this.
I don't want users to give me their passwords of course, therefore I need some guidance on how I can do SSO of the user against WAAD/Windows Azure Management API and from there use the access token to deploy the package.
As of today, the Service Management API documentation regarding this new authentication mechanism (http://msdn.microsoft.com/en-us/library/windowsazure/ee460782.aspx) is not updated. Since the new login mechanism is supported in PowerShell which is essentially a REST Wrapper over this API and is open source, one thing you could do is take a look at the source code of the Cmdlets on Github (https://github.com/WindowsAzure/azure-sdk-tools) to see how it is accomplished there and write something of your own (and share it here:)).