An Azure virtual machine scale set needs to use secrets from a pre-existing Azure key vault.
Terraform is the tool being used to create the Azure virtual machine scale set.
What specific terraform code must be used in order to configure the virtual machines in the virtual machine scale set to be able to automatically retrieve secrets from a named key vault which exists before the virtual machine scale set is created?
The terraform azurerm_linux_virtual_machine_scale_set resource has a secrets block option that can receive a key_vault_id, but we have not been able to find examples.
What we need is for bash scripts running within the virtual machine scale set to be able to retrieve secrets from the pre-existing key vault. Specifically the cloud-init startup script.
So far, we have been using the CLI to make requests to the key vault in the cloud-init script, but we are getting access denied errors.
The answer to this question should include 1. terraform code for creating the virtual machine scale set, and 2. simple code to retrieve a secret from that key vault that can be added to a bash script running in the virtual machine scale set, such as the cloud-init script.
Does the VMSS need to run as some sort of identity to make this happen?
Related
I have been working with Azure Policy -> Policy definition for some time.
I use the Get-AzPolicyDefinition power shell command for that reason.
Recently I started working with Initiative which is nice, so I have created a custom Initiative definition. Now I wanted to set initiative for Management Groups in either Powershell or az cli. When I use Get-AzPolicyDefinition, it does not show the Initiative definition.
Is there a command that I am not aware of to archive this?
Note: my goal is to set my custom initiative definition to Management
Group via the command line.
as you can see DefaultPolices that I have created and all default Initiative are not shown in the list when I run this command:
Get-AzPolicyDefinition | ForEach-Object { $_.Properties.DisplayName }
Returns, this is the end of the list, which is the only definition type of policy as you can see in the image below until the red line:
...
...
Kubernetes cluster containers should run with a read only root file system
Kubernetes cluster pods and containers should only use allowed SELinux options
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
[Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names
Secrets should not be active for longer than the specified number of days
Kubernetes cluster pods and containers should only run with approved user and group IDs
Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
[Preview]: Certificates should not expire within the specified number of days
Kubernetes cluster containers should only use allowed ProcMountType
Kubernetes cluster containers should only use allowed images
Keys using elliptic curve cr
Azure Policy Initiatives are called "Policy Set Definitions" in the Az PowerShell cmdlets - these functions will let you interact with them:
Get-AzPolicySetDefinition
New-AzPolicySetDefinition
Remove-AzPolicySetDefinition
Set-AzPolicySetDefinition
See the Policy section of the Az PowerShell documentation for more details, or use Get-Help in a PowerShell console...
I'm trying to find a way to give an entire AKS cluster to Azure Key vault. I have temporarily got this working by following the below process:
Go to the VMSS of the cluster -> Identity -> Set System Assigned Status to 'On'
Add this Managed identity as an access policy to Key Vault.
This works, however whenever I stop and start the cluster, I have to re-create this managed identity and re-add it to Key Vault. I have tried using the User Assigned Identities for the vmss as well but that does not seem to work.
I also cannot use the azure pod identities/CSI features for other reasons so I'm just looking for a simple way to give my cluster permanent access to key Vault.
Thanks in advance
Pod is smallest unit in Kubernetes. Pod is a group of one or more containers that are deployed together on the same host (node).
Pod runs a node which is controlled by master.
Pod uses OS level virtualization which can consume resources of VMSS when it runs and based on requirement.
Stopping and restarting cluster/nodes pod will lose all the resources that leads to loss of pods. So, there will be no pod under VMSS until you restart. In case you restart your cluster/node, the new pod will be created with different name and with another IP address.
From this github discussion, I found that MIC (Managed Identity Cluster) removes the identity from the underlying VMSS when no pods are configured to use that identity. So, you have to recreate the Managed Identity for VMSS.
You can refer this link for better understanding how to access keyvault from Azure AKS.
I am trying to setup ASR replication (Azure to Azure) for ADE encrypted Azure VM (Windows Server 2019 Datacenter) referencing MS documentation: https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms
As per the documentation we can customize "Target disk encryption key vault" but the existing key vault in the target resource group is not populating in the list to select. I have verified my access on the target keyvault as mentioned in the documentation.
customize target key vault
I am able to customize other targets like resource group, vnet, cache storage account availability set; issue seems with the key vault only.
review targets for replication
The target location is where your source virtual machine data will be
replicated. Site Recovery provides a list of suitable target regions
based on the selected machine's location. We recommend that you use
the same location as the Recovery Services vault's location
As suggested by #piotr.gradzinksi make sure to have Key Vault in the same region as your target.
Try to replicate a virtual machine that has key vault on a source region.
Ensure you have all the permissions on the source region key vault.
I’m getting the results by following the same document that you have mentioned.
This may be the issue with virtual machine which you are creating is in different resource group region compared to key vault. If still getting the same issue I would suggest you follow the same document to confirm which region your resource group is in.
How to check if a backup is enabled on an azure virtual machine using PowerShell or azure command
in my use case, I don't want to go with Get-AzureRmRecoveryServicesBackupContainer stuff, looking for any other option available on the virtual machine level for checking backup status of a VM.
Thanks
There is pretty much nothing on the az vm cli for what you are looking for.
To check directly on the vm level, you need https://learn.microsoft.com/en-us/powershell/module/az.recoveryservices/Get-AzRecoveryServicesBackupStatus?view=azps-3.0.0
Thus you will get the BackedUp property to check if your vm is being backed up.
In type parameter, you need to use AzureVM value. Name and resource group I need not explain.
I'm using Azure CLI for VM deployment. I've secret which is currently stored in Azure Key Vault which I wanted to store it in C drive of the windows VM. I'm not sure how to perform the same at the time of VM deployment
I've found couple of articles which inject password from key vault as VM password using JSON template but i cannot find any article which guides how to store secret from key vault inside the VM at the time of VM provisioning and using Azure CLI.
Note: It is not a certificate but a secret.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter#reference-secrets-with-static-id
in this case you can use customdata property of an Azure VM, for example with an ARM template. you'd need to base64 encode the kubeconfig file. it will be available on the vm under c:\something\customdata (I dont remember exactly at this time)