I've done everything from giving both vault and app god powers and what not, created a multitude of endpoints and VPN's, and god knows what. Still, when passing a keyvault reference to the Web App config, it is unable to resolve saying I have insignificant privalages. Basically, I'm trying to make it so I can retrieve secrets from my vault so I don't have to embed them in my code. I am using the free trial. I feel like I'm missing something obvious but at the same time, given the ungodly amount of power my Web App and Vault have now I'm not so sure.... :/ I am trying to do this without using the CLI, as it appears kaput (it doesn't recognize my UPN and when I use object ID I get that AK10032 warning).
I have found that the reason I cannot access the key vault using an endpoint is because using a vnet resource to access resources is for paid accounts. I have to set network to allow all connections for the Web App to be able to connect to a vault.
As for the latter part of my issue, I figured out that for some reason vs code was not processing the environment variable, so I had to implicitly pass the needed param, so problem solved there.
Related
I am working on an app developed using Xamarin Forms. The app connects to a container on Azure to read a couple of text files. The text files don't contain any confidential or secret information, just some publicly available information that the app uses.
I am able to connect to the storage container and read the blob without issue however I am readying the app for release to the App store and Google Play store so was following this guide around using Shared Access Keys to connect to Azure.
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
To be honest, I am a bit confused as to which approach I should use. The app itself will be connecting to the container and reading the blob, so it won't be an actual "user" as such like joeB, or JaneB. That makes me think a user delegated SAS is not the way to go, although the documentation seems to suggest this is the most secure option.
I also noticed the user delegated sas token itself expires after a period of time and the app started crashing when trying to autheticate/connect. I am not sure if that is also the case with a service SAS and account SAS.
Basically, for my use case (an app reading a text file in a container in Azure), which is the best option for me to use based on those listed in the link above? Has anyone else done something similar? If so, how did you secure your connection string?
Thanks!
Maybe I'm going about this the wrong way, but I uploaded an SSH key to my Key Vault and am trying to pass this to an SFTP-SSH connection in my logic app.
However, when I try to put the secret value into the SSH private key field of the connection, it doesn't bring up the Dynamic variables form. I'm guessing this might be because the API Connection is a separate object outside the Logic App?
Is there a way for me to pass the ssh key from the key vault to the SFTP connection? Whether it's in the logic app or not. I want to be able to deploy this solution without re-entering the key manually into the API.
I actually found this video where the guy looked like he's going to do exactly this type of flow, but it looks like part 1 of the video and there's no part 2 where the actual execution of this happens:
https://www.youtube.com/watch?v=5W8g0KER8RM
You cannot do this from the portal.
The youtube video you refer to is to allow ease of deployment using arm templates. Sadly the 2nd part of the video is not available.
If you are using the portal, you need to setup the connection the first time. This is also secure as no one can see the credentials once the connection is made. But this is not ok when you have to redeploy the logic app to multiple environments in which case you need to manually setup the connection credentials each time. To make this task easy, you setup the SSH keys as shown in the video, and then configure an arm template to use the secrets from the key vault.
You can check the Microsoft forum answer to the same question HERE.
I am trying to build a machine learning model on Azure for my company. The IT team at the company I work at has given me maximum permissions for our Azure Machine Learning account since I am doing all the setup part (we started using it only last month). However, I checked the portal and realized that I am not authorized to access any of the modules within Azure ML, namely Experiment, Models, Endpoints, Datasets, etc. Is there something I am missing that is giving me this error? The error message has this link but I am not sure it serves the purpose.
Note: I am new to Azure so please forgive me if this is a very basic doubt.
any chance you could ask your IT team, exactly what permissions you have? can you also confirm that you have permissions on the all the resources (not just the workspace)? There are three associated resources you need access to besides the ML workspace: the storage account, the key vault, and the container registry.
try going to portal.azure.com to see if you can find those resources
I am using TypeScript for Azure Functions development. On production I use #Microsoft.KeyVault to read the secrets from a KeyVault. Is there a way I can make it work in local development as well?
I am thinking there might be a way to register the VS Code instance/certificate in Azure AD and KeyVault and somehow work it out.
This issue seems to have been discussed a long time ago. From various perspectives, the official seems not to provide a way to use key vault directly locally.
But you can still refer to some discussions on this issue:
I had a talk with a friend today about a project his startup is doing. It is a nodejs application with a mongodb backend hosted on Google Cloud App Engine. To my horror I saw that he has stored secrets such as API keys and database keys in his git repo.
I come from an Azure and .NET background so I am used to using Azure Key Vault, and don't know what is the preferred way of doing it in GAE. I have tried to read the docs but there are a lot of options and none seems to quite mirror what I am used to in Azure.
I would like to help my friend out.
So could anyone please point me towards what product I should read up on. Is it Hashicorp Vault, Google Cloud HMS or Berglas? My needs are that the vault needs to be able to store secrets encrypted and the nodejs app should not need to worry about authenticating with the vault. The vault should just allow the service account to read secrets.
If the vault can also fit into a Terraform setup where we can provision all resources and at provisioning also generate the secrets needed and then put them into the vault without any human ever laying eyes on that secret, then that would be really awesome! That way we could also create a setup where he would be able to provision a full disposable environment based on a feature branch. But that is just a nice to have.
Based on the fact that you want to use Terraform as well, I would suggest using HashiCorp. There is a blog post about the combination of those 2 from Google. In general, all those solutions that you mentioned in your question are viable and you can find more here.