I have a Python script running on an Azure Virtual Machine which uploads a file into a file share in a storage account. The VM is given a user-assigned managed identity with the built-in 'Key Vault Secrets User' role.
I followed this tutorial to allow key vault to automatically manage the storage account access key as a secret. Therefore, it is a managed secret (not viewable through the portal but visible through the CLI). My Python app attempts to retrieve the access key from the vault and uses it to generate a SAS token with write permission to file shares. However, when I attempt to retrieve the secret from key vault, I get the following error:
azure.core.exceptions.HttpResponseError: (Forbidden) The user, group or application 'appid=xxx;iss=https://sts.windows.net/xxx/' does not have secrets get permission on key vault 'my-vault-name;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
I allowed access to the vault with the managed identity I created through the portal, and this was yesterday, so the change has definitely propagated okay. What is the issue with my process? Do I need to give the managed identity more permissions than just 'Key Vault Secrets User'?
Solved. I got confused and allowed access to the managed identity through IAM and not through the vault Access Policies.
The user, group or application 'appid=a9bf70ea978d0;oid=a9cb326;iss=https://sts.windows.net/14-e16e****6cacee8' does not have secrets list permission on key vault 'tds;location=centralindia'
I'm getting this error. I have created an access policy for list and get secrets from the vault.
I have tested in my environment.
I logged into Azure CLI with my service principal which does not have access to key vault.
I tried to list the secrets in the key vault and got the same error as yours:
I logged out and again logged in with my account which has access to list the secrets in the key vault.
I am able to list the secrets successfully.
You can log in to Azure CLI with your account which has key vault secrets list permission and list the secrets.
You would be able to list the secrets successfully.
I am working on Terraform code. The requirements are:
1. Put the TF state file onto an Azure storage account. The access key to the storage account must be secured.
2. My TF program authenticates using a Service Principal whose client_id, client_secret and tenant_id should be encrypted and put onto the Azure storage account.
My idea is to use a single KeyVault which contains all the above secured secrets. But how could a Terraform program secure the access key and the connection used to access the KeyVault? This is about the management plane.
According to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow, this provides a way of coding an authorization request for an application that has already been registered on the Azure AD service.
How can I apply a similar idea with Terraform code? Or can you suggest any better way to realize the idea?
Thanks a lot.
You can use Azure DevOps pipeline and provide the service principal secrets as secure variable group (can be linked from the KV) or as a service connection.
Check:
https://blog.gft.com/pl/2020/03/04/secure-terraform-delivery-pipeline-best-practices-part-1-2/ (disclaimer: I am the author)
and
https://blog.gft.com/pl/2020/04/24/automating-infrastructure-deployment-on-azure-using-ci-cd-pipeline-and-terraform/
I don't think it's possible to encrypt both the storage access key and the secret of the service principal. For the backend state, you can use the service principal to authenticate so that you do not expose the storage access key. You just need to grant the right permission to the service principal. Take a look at this.
But for the service principal, if you stored things like client_id, client_secret, tenant_id in the storage account, you need to get them before executing the Terraform code. It also needs the storage access key or the service principal secret or a SAS token.
So I think you can use the Azure CLI to authenticate: Log in with the service principal. Then you do not need to provide the azurerm with the secret. But actually, it's also not absolutely secure. You also can find the access token in the path ~/.azure/. For this, you can change the permission for this path. If you also think it's not secure, you can take a look at the Managed identity of the VM. But you need to have a VM before all the things.
I'm trying to set up my Azure CDN endpoint to use HTTPS for the custom domain I already set up.
When I tried to point at the SSL cert in my Azure KeyVault, I got an error stating that I need to grant Azure CDN access to KeyVault. Any idea how I can do this -- hopefully through the Portal and NOT PowerShell, though I have a feeling it'll end up requiring PowerShell commands.
Basically, I'm trying to get my Azure CDN endpoint to use the SSL cert in my Azure KeyVault.
Anyway, I'd appreciate someone pointing me to an article or a set of instructions please. Thanks!
Instructions for enabling SSL with your own certificate stored in Azure KeyVault are described here:
https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate#ssl-certificates.
There's something broken with this lately.
Azure tells you to do the thing that doesn't work:
New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8" -Role Contributor
If you're curious as to what it actually does, it just gives the hidden Microsoft.AzureFrontDoor-Cdn the role Contributor in your subscription's IAM. You can view it in the portal:
It seems that the "Contributor" role no longer contains the necessary permissions to read keyvaults - namely the Microsoft.KeyVault/vaults/secrets/readMetadata/action permission.
I've noticed that:
this permission is given to the built-in Key Vault Secrets User role
all the roles that seem "superior" to the secrets user like Key Vault Administrator don't work, it HAS to be Key Vault Secrets User
So what fixed it for me is going into my keyvault and giving MYSELF (not azure cdn) the permission to read and list secrets. Seems that even as owner and god-emperor of your azure instance you can't access secrets by default ("AT" is me in the screenshot):
I am trying to fetch secret values from azure key vault in Azure App Service.
My App Service has a managed identity
In the Azure Key vault, this managed identity is added under 'Role assignments' as 'Key vault contributor'
Also, access policies have been added in Azure Key Vault to give 'Get' permission to the App Service's managed identity
Now in my c# code, I am trying to get the value of the AppSetting element using the code
ConfigurationManager.AppSettings["something"];
In my Azure App Service, under app settings, I have added a key with the name 'something' and its value points to the Key Vault reference as below:
#Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Now I am able to retrieve the value from the appsettings, but instead of the actual value, it is pulling the output as #Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/c96f02080254f109c51a1f1cdb1931)
I am expecting the output to be value that I have set, not the keyvault reference string itself.
I am using .Net MVC 4.7 web app
As junnas said, you just add webapp's MSI in key vault Access policy.
1. Turn on the webapp's system-assigned managed identity.
2. Add the identity into the keyvault Access policy with secret Get permission.
3. Add the reference of the Key Vault into the webapp Application settings.
4. Use Environment.GetEnvironmentVariable("AppsettingName"); to get the secret value.
Here is the output:
Actually I figured out that even using ConfigurationManager.AppSettings["keyname"] also works fine. In my case, I had done everything as listed above, but had enabled the "Slot Deployment" option in the Connection string configuration in App Service. Once I enabled it, I am now able to access my key vault secrets.
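Two things are useful at this point: a parser for the App Service Key Vault reference syntax the question uses, and a startup check that flags a setting whose value is still the raw reference (the symptom in the question) so it is never handed to code as if it were the secret. This is an added example, not code from the question or the answers; it assumes the Azure public cloud vault host suffix and accepts the `#` prefix shown in the question alongside the documented `@` form.

```python
import re
from urllib.parse import urlparse

# Documented form is "@Microsoft.KeyVault(...)"; the value quoted in the question starts with "#",
# so that prefix is treated as a reference as well.
_REF_RE = re.compile(r"^[@#]Microsoft\.KeyVault\((?P<body>.*)\)$")
_VAULT_SUFFIX = ".vault.azure.net"  # assumption: Azure public cloud; other clouds use other suffixes


def is_unresolved_reference(value: str) -> bool:
    """True when a setting still holds reference text instead of the secret it points at."""
    return bool(_REF_RE.match(value.strip()))


def parse_reference(value: str) -> dict:
    """Return vault, secret name and version from either documented reference form;
    raise ValueError for anything malformed so a bad setting fails at startup."""
    m = _REF_RE.match(value.strip())
    if not m:
        raise ValueError("not a Key Vault reference")
    fields = dict(part.split("=", 1) for part in m.group("body").split(";") if "=" in part)
    if "SecretUri" in fields:
        u = urlparse(fields["SecretUri"])
        if u.scheme != "https" or not u.hostname or not u.hostname.endswith(_VAULT_SUFFIX):
            raise ValueError("SecretUri must be an https URL on a Key Vault host")
        segs = [s for s in u.path.split("/") if s]
        if len(segs) < 2 or segs[0] != "secrets":
            raise ValueError("SecretUri path must be /secrets/<name>[/<version>]")
        return {"vault": u.hostname[: -len(_VAULT_SUFFIX)], "secret": segs[1],
                "version": segs[2] if len(segs) > 2 else None}
    if "VaultName" in fields and "SecretName" in fields:
        return {"vault": fields["VaultName"], "secret": fields["SecretName"],
                "version": fields.get("SecretVersion") or None}
    raise ValueError("reference needs SecretUri or VaultName;SecretName")


def unresolved_settings(settings: dict) -> list:
    """Names of settings whose value is still a raw reference, the symptom described above."""
    return [k for k, v in settings.items() if isinstance(v, str) and is_unresolved_reference(v)]
```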
I'm looking for a code sample which demonstrates how to connect to an azure key vault and grab a secret from the vault without having to store creds in plain text but instead using certificates and an SPN for authentication to the vault. Has anyone done anything like this before who is willing to shed some light on this?
I'm trying to securely retrieve credentials from azure without ever having to save creds locally, and this has proven to be harder than I originally thought.
Yes, you can use certificate-based authentication while accessing Azure Key Vault.
Here is a very good article on the same using .NET.
Certificate based authentication
Alternatively Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Run the assign-identity command to create the identity for this application:
az webapp identity assign --name <app_name> --resource-group "<YourResourceGroupName>"
This command is the equivalent of going to the portal and switching Managed service identity to On in the web application properties.
{
"principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "SystemAssigned"
}
Assign permissions to your application to read secrets from Key Vault
Then, run this command using the name of your Key Vault and the value of PrincipalId copied from above:
az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get
Deploy the Node App to Azure and retrieve the secret value
Deploy your Node.js app. After this, when you browse https://.azurewebsites.net you can see the secret value. Make sure that you replaced the name with your vault name.
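The threads above that end with "add the identity in the vault's access policy" (the first question's "Solved" note, the App Service answer, and the az webapp identity assign procedure just given) all come down to one check: whether the vault uses vault access policies or Azure RBAC, because a grant made in the other model still yields the Forbidden error. The following added example (not from any post here) reads the JSON that `az keyvault show` returns, reports the model and any access-policy grant, and builds the matching least-privilege grant; `SAMPLE_VAULT` is constructed, and the subscription id in it is a placeholder.

```python
import json
import shlex
import subprocess

SECRETS_USER_ROLE = "Key Vault Secrets User"  # built-in data-plane role named on this page

def diagnose(vault: dict, object_id: str) -> dict:
    """From `az keyvault show --name <vault>` JSON: which permission model the vault
    uses, and whether object_id already has secret 'get' through an access policy."""
    props = vault["properties"]
    rbac = bool(props.get("enableRbacAuthorization", False))
    policy_get = any(
        p.get("objectId", "").lower() == object_id.lower()
        and "get" in [s.lower() for s in p.get("permissions", {}).get("secrets", [])]
        for p in props.get("accessPolicies", [])
    )
    return {"model": "rbac" if rbac else "access-policy",
            "policy_grants_get": policy_get,
            # with RBAC enabled the access-policy list is ignored: a policy-only grant still gets 403
            "policy_ignored": rbac and policy_get}

def grant_command(vault: dict, object_id: str) -> list:
    """argv of the grant that matches the vault's model; least privilege: secret 'get' only."""
    if diagnose(vault, object_id)["model"] == "rbac":
        return ["az", "role", "assignment", "create", "--assignee-object-id", object_id,
                "--assignee-principal-type", "ServicePrincipal",
                "--role", SECRETS_USER_ROLE, "--scope", vault["id"]]
    return ["az", "keyvault", "set-policy", "--name", vault["name"],
            "--object-id", object_id, "--secret-permissions", "get"]

def run(vault_name: str, object_id: str, dry_run: bool = True) -> list:
    """Fetch the vault with the az CLI, print the matching grant, apply it unless dry_run."""
    out = subprocess.run(["az", "keyvault", "show", "--name", vault_name],
                         check=True, capture_output=True, text=True).stdout
    cmd = grant_command(json.loads(out), object_id)
    print(shlex.join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd

# Constructed sample (not real data): an access-policy vault with no policies yet, i.e. the
# state after the identity was only given an RBAC role in IAM, as in the "Solved" note above
SAMPLE_VAULT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/my-vault-name",
    "name": "my-vault-name",
    "properties": {"enableRbacAuthorization": False, "accessPolicies": []},
}
```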