how to use Azure Key Vault for Kubernetes - azure

I have Azure Pipeline where we are connecting to downstream and one of our developer used password in configmap as a plan test.
Can some one please tell me how I can use the existing Key-Vault to stored that password and refer in my Pipeline?

You need to reference your KeyVault in your pipeline and provide access to it.
Here is a good article regarding your question - https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-key-vault?view=azure-devops

Related

GitOps & Infrastrucute as a Code - secrets storing

Just conceptual questions because I apparently doesn't feel the articles already available #google in this topic.
The story:
I have 2 git projects for IaC which create and configure network and create and configure projects. Both of those projects use different service accounts to perform operation on the cloud (different permissions are needed by them and I don't want to have one super account with all permissions). I would like to perform CICD pipeline which will allow to perform in general teraform apply.
The question:
I would like to not store keys for such accounts at GitLab (gitlab variables - I would like to store them in Hashicorp Vault - The goal is to make sure that it will only be avaliable for CICD. No human should be allowed to access those keys. How to make it work? To cloud access keys stored at vault I still need vault key to be stored on runner machine or in gitlab variables both not considered as safe for me, if anyone will get access to vault key it is really easy to access service account keys by Vault Rest API
One way we solve this is by leveraging Gitlab’s identities and Vault’s JWT authentication method.
You can read more about this here: https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/ for Gitlab and https://www.vaultproject.io/docs/auth/jwt for the Vault auth method.
Why would this solve the issue (if I understood your challenge correctly)?
Once you have this setup, you can
create an identity entity in Vault to represent your CI service account
create an alias to bind this identity entity to the identity Gitlab will provide in CI_JOB_JWT
create a policy to allow this identity entity (directly or via a group) to read the secrets)
Hence anyone running the pipeline from another identity won’t be able to read the secrets (because it would map to another identity entity in Vault, so they won’t get a token with that policy)

Access Azure Key Vault from Azure build/release pipelines

We have some unit tests/integration tests running on Azure build/release pipelines. There are few tests that retrieve secrets from key vault and these are failing because the code is written for fetching secrets from keyvault using MSI and Azure app authentication features. Since pipelines are not enabled for MSI, the keyvault calls are failing and hence the tests are also failing. What is the alternative that exists for this scenario where pipelines can access keyvault successfuly?
Note: I have already gone through articles suggesting to use variable groups and azure keyvault tasks but not helpful in my scenario .Looking for alternatives.
Note: I have already gone through articles suggesting to use variable
groups and azure keyvault tasks but not helpful in my scenario.Looking
for alternatives.
You can try two directions:
Configure a self-hosted agent to run your pipeline in local environment. Of course the agent should be configured with your managed identity.
According to step5 from this blog:
AzureServiceTokenProvider will use the developer's security context to get a token to authenticate to Key Vault. This removes the need to create a service principal, and share it with the development team. It also prevents credentials from being checked in to source code. AzureServiceTokenProvider will use Azure CLI or Active Directory Integrated Authentication to authenticate to Azure AD to get a token. That token will be used to fetch the secret from Azure Key Vault.
You can use Azure Cli task to run your tests in command-line. Check this similar issue.

Inject secret to Docker image via Azure pipeline

I have a pipeline in Azure Devops building and pushing some images to DockerHub. These images are pushed to a production and development environment, but are also available for pulling for local development. For secrets in production and development in Azure we just use keystore and variable groups. However, we haven't found a good solution for injecting secrets when working locally.
For instance, in appsettings.json we have a ClientSecret parameter that is used for authenticating against Azure AD. How can we insert this parameter into appsettings.json during the release pipeline and not have it be visible to someone else later?
Some suggestions include using file transform in the pipeline, but this is not optimal as we don't really want to change any files. Another suggestion is using --build-arg in the pipeline, but these arguments become visible with docker history.
So how can I inject a secret into appsettings.json in a Docker image, and this secret should preferably not be visible anywhere at all?
As you have mentioned, with using File transforms a=nd variable substitution is a less configuration and quick approach.
Besides, you could also choose to use Azure Key Vault.
Azure Key Vault helps teams to securely store and manage sensitive
information such as keys, password, certificates, etc. in a
centralized storage which are safeguarded by industry-standard
algorithms, key lengths, and even hardware security modules. This
prevents information exposure through source code, a common mistake
that many developers make. Many developers leave sensitive information
such as database connection strings, passwords, private keys, etc. in
their source code which when gained by malicious users can result in
undesired consequences.
Access to a key vault requires proper authentication and authorization
and with RBAC, teams can have even fine granular control who has what
permissions over the sensitive data.
As for how to use Azure Key Vault in Azure DevOps, you could kindly refer below blog:
How to inject Azure Key Vault secrets in the Azure DevOps CI/CD
pipelines
Using secrets from Azure Key Vault in a pipeline
How to use docker image secret with Azure Key Vault, you could take a look at this link: Publishing a Single Image Docker Container with Secrets from VS2017 and Running it on Azure
More ways for your reference: 7 Ways to Deal with Application Secrets in Azure

Azure key vault. How to set which web app uses what key vault?

I have several versions of the same web app running on the same subscription service.
I have 2 logical environments. Dev and UAT.
I have WebAppDev and WebAppUAT.
I have two key vaults KVDev and KVUAT.
How can I configure the correct web app to use the correct key vault?
What process assigns the web apps to key vaults?
Edit:
I had assumed that the key vault would act like the secrets do when developing.
This
Tutorial
seems to suggest that the key vault can be used as a configuration provider. However, the web app is not accessing the key vault values.
Get the Object ID from the identity blade of the web app.
Find your azure key vault and create a new access policy using the Object Id of web app.
Alternatively use the following in the powershell cli.
Set-AzKeyVaultAccessPolicy –VaultName -ObjectId "" -PermissionsToKeys backup,create,delete,get,import,list,restore -PermissionsToSecrets get,list,backup,restore,recover
Follow this tutorial and copy the context from the Program.cs in the sample code.
Tutorial
Taking a different angle, the current questions and comments tackle the authentication to KeyVault.
However, it sounds like a more fundamental problem and that you need to vary your configuration per environment.
i.e. WebAppDev needs to be configured to use a KVDev URL and WebAppUAT needs to use KVUAT URL.
Assuming you are using App Service Plans; this documentation provides a mechanism to store environment specific configuration along with guidance on how to use it for your programming language of choice, you will need to refer to the Application Specific configuration section.
https://learn.microsoft.com/en-us/azure/app-service/configure-common
Configuring in the portal will get you so far, but over time you will likely wish to contain the configuration in a release management pipeline so you don't need to configure things by hand. Azure DevOps Pipeline is one such tool for this:
https://learn.microsoft.com/en-us/azure/devops/pipelines/get-started/?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&bc=%2Fazure%2Fdevops%2Fboards%2Fpipelines%2Fbreadcrumb%2Ftoc.json&view=azure-devops
To get you started there is a specific deployment task which can aid in setting configuration for App Service Plans: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment?view=azure-devops
Over time I'd suggest rather than splitting configuration between a Release Pipeline and source control, instead having configuration which doesn't require deployment time modifications instead to stay source controlled in ARM templates, but that is an answer in it's own right so I won't confuse matters with too much detail.
If you want to access Azure key Vault by programming with SDK or REST API, then it would not be a problem. Because different key vaults have different DNS names. When you try to retrieve a secret or key in your code, you need to use its identify URL which contains its key vault DNS name. It will finally find the target key vault.
If you want to use key vault in web app with managed identity, you may refer to the tutorial: Use Azure Key Vault with an Azure web app in .NET
In that tutorial, you will enable the identity of a web app. And then you can assign access policy to that identity. In this way, the web app will be able to access the key vault with managed identity.

How can an ADF Custom Activity access the Azure Key Vault?

I have a custom activity that runs through and ADF pipeline, with an Azure Batch for the execution. The custom activity needs to access the Azure Key Vault, but I don't want to leave any secrets/keys coded in the custom activity.
How can I get the custom activity to use the service principal to access the Azure Key Vault? I have no problem coding access to the Azure Key Vault using the service principal credentials (appId and key), but I obviously don't want to leave a key in the code.
So the question is: How can an ADF Custom Activity, running in an Azure Batch, access the Azure Key Vault through a service principal?
Thanks!
This is similar to how to access Key Vault from a Azure Batch task. There are some ways to avoid hard-code the secrets in code. One is to use certificate which can be deployed to the Batch VM (https://samcogan.com/secure-credential-access-with-azure-batch-and-keyvault/), or you may use resource file (https://learn.microsoft.com/en-us/azure/batch/batch-dotnet-get-started#resourcefiles) to provide the secrets.

Resources