I am using TypeScript for Azure Functions development. On production I use #Microsoft.KeyVault to read the secrets from a KeyVault. Is there a way I can make it work in local development as well?
I am thinking there might be a way to register the VS Code instance/certificate in Azure AD and KeyVault and somehow work it out.
This issue seems to have been discussed a long time ago. From various perspectives, officially there seems to be no way to use Key Vault directly locally.
But you can still refer to some discussions on this issue:
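One workaround practitioners use, shown here as an added example that is not code from the question or either answer: since the local Functions host passes a `@Microsoft.KeyVault(...)` app setting through as the literal string instead of resolving it, the function can detect that string, parse the reference (both documented syntaxes, `SecretUri=` and `VaultName=;SecretName=`), and fetch the secret itself through an injected fetcher. In production the fetcher would wrap `SecretClient` from `@azure/keyvault-secrets` with `DefaultAzureCredential` from `@azure/identity` (an assumption about how you would wire it up; those packages are not imported here so the example runs offline). The vault host suffix check, the in-memory fetcher and the sample settings are constructed for the example.

```typescript
// Added example: resolve Key Vault references when the local Functions host
// leaves them unresolved. Not part of the original thread.

export interface KeyVaultRef {
  vaultName: string;
  secretName: string;
  secretVersion?: string;
}

// Outer shape of a reference: @Microsoft.KeyVault(<body>)
const REF_PATTERN = /^@Microsoft\.KeyVault\((.+)\)$/;
// Only the public-cloud vault host is accepted here (assumption for this
// example; sovereign clouds use other suffixes). Rejecting other hosts
// prevents a mistyped or tampered setting from pointing the fetcher elsewhere.
const VAULT_HOST_SUFFIX = '.vault.azure.net';

export function parseKeyVaultReference(value: string): KeyVaultRef | null {
  const m = REF_PATTERN.exec(value.trim());
  if (!m) return null;

  // Body is "Key=Value;Key=Value" for the VaultName form, or a single SecretUri.
  const parts: Record<string, string> = {};
  for (const kv of m[1].split(';')) {
    const idx = kv.indexOf('=');
    if (idx < 0) continue;
    parts[kv.slice(0, idx).trim()] = kv.slice(idx + 1).trim();
  }

  if (parts.SecretUri) {
    let url: URL;
    try { url = new URL(parts.SecretUri); } catch { return null; }
    if (url.protocol !== 'https:' || !url.hostname.endsWith(VAULT_HOST_SUFFIX)) return null;
    // Path is /secrets/<name>[/<version>]
    const segs = url.pathname.split('/').filter(Boolean);
    if (segs[0] !== 'secrets' || !segs[1]) return null;
    return {
      vaultName: url.hostname.slice(0, -VAULT_HOST_SUFFIX.length),
      secretName: segs[1],
      secretVersion: segs[2],
    };
  }
  if (parts.VaultName && parts.SecretName) {
    return { vaultName: parts.VaultName, secretName: parts.SecretName, secretVersion: parts.SecretVersion };
  }
  return null;
}

// Pluggable fetcher. In production this would be something like:
//   const client = new SecretClient(`https://${ref.vaultName}.vault.azure.net`, new DefaultAzureCredential());
//   return (await client.getSecret(ref.secretName, { version: ref.secretVersion })).value ?? '';
export type SecretFetcher = (ref: KeyVaultRef) => Promise<string>;

// Returns the setting as-is when App Service already resolved it (or it is a
// plain local value), and only calls the fetcher for an unresolved reference.
export async function resolveSetting(
  name: string,
  env: Record<string, string | undefined>,
  fetchSecret: SecretFetcher,
): Promise<string | undefined> {
  const raw = env[name];
  if (raw === undefined) return undefined;
  const ref = parseKeyVaultReference(raw);
  return ref ? fetchSecret(ref) : raw;
}

// Constructed sample: what process.env looks like under the local host.
export const sampleEnv: Record<string, string | undefined> = {
  DB_PASSWORD: '@Microsoft.KeyVault(SecretUri=https://contoso-dev.vault.azure.net/secrets/DbPassword/abc123)',
  API_KEY: '@Microsoft.KeyVault(VaultName=contoso-dev;SecretName=ApiKey)',
  LOG_LEVEL: 'debug',
};

// Constructed in-memory fetcher standing in for the real SecretClient call.
export const fakeFetcher: SecretFetcher = async (ref) =>
  `secret:${ref.vaultName}/${ref.secretName}/${ref.secretVersion ?? 'latest'}`;
```

Keep the fetcher behind `AZURE_FUNCTIONS_ENVIRONMENT === 'Development'` (or an explicit opt-in setting) so production continues to rely on the platform's own reference resolution and the function's managed identity.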
I am a Solution Architect responsible for setting up a project's infrastructure on Azure. The project should be running in multiple environments (dev, staging, prod). As far as I learned the best practice regarding environment separation in Azure is to use Resource Groups. That's what I did.
However, this is where things start getting tricky. Our application will use Azure AD as OAuth Authorization Server. I want to have my AD isolated, like everything else in my infrastructure. I don't want to accidentally modify a production user from the dev environment and for the dev environment, I want to be able to create a ton of test users which I don't want to see in production. So, isolation.
The problem is I don't see any option on how to do this. My first instinct was to create multiple ADs. But when I do that, they actually need to create a completely new tenant for each of these environments. This seems really messy to me. Have to support as many (almost empty) tenants as I want to have environments.
Please, what is the right way to do this?
Does Azure AD have some kind of support for isolation I require?
Am I missing something?
Note: this question was also asked in MS Q&A.
You're correct that a tenant is equivalent to a directory and a user is either in the directory or it's not. However, using RBAC, you can restrict the permissions on users so that they can't access particular services. It would be good if you separated permissions by subscription which is what a lot of major companies do and that's how they know which workload a subscription handles.
I've done everything from giving both vault and app god powers and what not, created a multitude of endpoints and VPNs, and god knows what. Still, when passing a Key Vault reference to the Web App config, it is unable to resolve, saying I have insignificant privileges. Basically, I'm trying to make it so I can retrieve secrets from my vault so I don't have to embed them in my code. I am using the free trial. I feel like I'm missing something obvious but at the same time, given the ungodly amount of power my Web App and Vault have now, I'm not so sure.... :/ I am trying to do this without using the CLI, as it appears kaput (it doesn't recognize my UPN and when I use object ID I get that AK10032 warning).
I have found that the reason I cannot access the key vault using an endpoint is because using a vnet resource to access resources is for paid accounts. I have to set network to allow all connections for the Web App to be able to connect to a vault.
As for the latter part of my issue, I figured out that for some reason VS Code was not processing the environment variable, so I had to implicitly pass the needed param, so problem solved there.
I had a talk with a friend today about a project his startup is doing. It is a nodejs application with a mongodb backend hosted on Google Cloud App Engine. To my horror I saw that he has stored secrets such as API keys and database keys in his git repo.
I come from an Azure and .NET background so I am used to using Azure Key Vault, and don't know what is the preferred way of doing it in GAE. I have tried to read the docs but there are a lot of options and none seems to quite mirror what I am used to in Azure.
I would like to help my friend out.
So could anyone please point me towards what product I should read up on. Is it Hashicorp Vault, Google Cloud HMS or Berglas? My needs are that the vault needs to be able to store secrets encrypted and the nodejs app should not need to worry about authenticating with the vault. The vault should just allow the service account to read secrets.
If the vault can also fit into a Terraform setup where we can provision all resources and at provisioning also generate the secrets needed and then put them into the vault without any human ever laying eyes on that secret, then that would be really awesome! That way we could also create a setup where he would be able to provision a full disposable environment based on a feature branch. But that is just a nice to have.
Based on the fact that you want to use Terraform as well, I would suggest using HashiCorp. There is a blog post about the combination of those 2 from Google. In general, all those solutions that you mentioned in your question are viable and you can find more here.
I am trying to encrypt the connection strings of the web app hosted in Azure. I found that this can be done using the aspnet_regiis.exe tool. But my question is: we have auto scale-out enabled and it happens quite often. So, if I encrypt the connection strings using the tool mentioned above, will it work if the web app is scaled out? Is there any other way to encrypt?
If you want to securely store your connection string you should use Azure Key Vault (as mentioned by Peter Bons).
To safely access the credentials you should consider using Managed Identities.
Here is the Managed Identities documentation for App Service.
Runbooks can be used to stop/start classic and ARM Virtual Machines in Azure.
Is this also possible from an Azure Function?
Some good news to update this thread. You will be able to do that now in Azure Functions. The steps are documented here based on HTTP-triggered Functions.
Azure Function role like permissions to Stop Azure Virtual Machines
You may switch out the trigger type to fit your use-case.
See Ling's response above. We've addressed this now. :)
It's not currently possible to do this via the Azure PowerShell cmdlets in Azure Functions. You can write against the Azure C# SDK or use the x-plat CLI (if you bring it yourself, as it isn't installed by default). You'll need to upload a cert or use a service account to perform those actions.
FYI - I'm on the Functions team and we're working on improving this story, in the near future. I'll update this answer once it's been made possible.
You can either use the Azure REST API from here -> Docs or make use of the SDK to do the operations.