I'm using Azure CLI for VM deployment. I've secret which is currently stored in Azure Key Vault which I wanted to store it in C drive of the windows VM. I'm not sure how to perform the same at the time of VM deployment
I've found couple of articles which inject password from key vault as VM password using JSON template but i cannot find any article which guides how to store secret from key vault inside the VM at the time of VM provisioning and using Azure CLI.
Note: It is not a certificate but a secret.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter#reference-secrets-with-static-id
in this case you can use customdata property of an Azure VM, for example with an ARM template. you'd need to base64 encode the kubeconfig file. it will be available on the vm under c:\something\customdata (I dont remember exactly at this time)
Related
I have:
Azure App Service with a Docker container running in it. Inside the Docker container, there is a Python FastAPI Web App.
Azure Key Vault with some App specific secrets in it (e.g. Public API Client Secret for a side service to send requests to)
I'm trying to set secrets to the App.
There are several examples when an app directly reads the secrets from Key Vault (e.g. official MS documentation), but I believe the provisioning should not be the responsibility of the App.
Probably, secrets should be set as environment variables with the CD pipeline (correct me if it's a bad idea). Otherwise, the App knows details about the infrastructure where it's running, which, I guess, is not the best practice.
Is there a proper way to provision Key Vault secrets to the App environment?
I tried to reproduce the same issue in my environment and got the below results
I have created the app service
The azure key vaults supplies a way to store keys & secrets outside of an application, Using access polices we can allow the application to access the keys with in keyvault
To access the keyvault as a environment variables in the azure app service we have to setup the polices mentioned as below
In the app services => identity => click on status is ON
Go to the keyvault and the polices settings click on add polices
And the access polices page set any permissions for keys and secrets
In the select principal page search for the app service name and select then the app service can access as a environment variables
After that we have to add specific secrets in the app service and copy its in secret identifier as below format
#microsoft.keyvault(secretUri={secret url from the keyvault})
After adding the secret it will look like as below
By following the above steps we can access the secrets as a environment variables
An Azure virtual machine scale set needs to use secrets from a pre-existing Azure key vault.
Terraform is the tool being used to create the Azure virtual machine scale set.
What specific terraform code must be used in order to configure the virtual machines in the virtual machine scale set to be able to automatically retrieve secrets from a named key vault which exists before the virtual machine scale set is created?
The terraform azurerm_linux_virtual_machine_scale_set resource has a secrets block option that can receive a key_vault_id, but we have not been able to find examples.
What we need is for bash scripts running within the virtual machine scale set to be able to retrieve secrets from the pre-existing key vault. Specifically the cloud-init startup script.
So far, we have been using the CLI to make requests to the key vault in the cloud-init script, but we are getting access denied errors.
The answer to this question should include 1. terraform code for creating the virtual machine scale set, and 2. simple code to retrieve a secret from that key vault that can be added to a bash script running in the virtual machine scale set, such as the cloud-init script.
Does the VMSS need to run as some sort of identity to make this happen?
I have configured the Diagnostics Extension on my Azure cloud project so that I can collect the IIS logs and publish them to a storage account on azure.
However, I do not want to store the secret key of the storage account in the cscfg file, so I unchecked the "Don't remove storage key secret from project configuration (.cscfg) file". Please check the following.
I want to store the key of the storage account in the azure vault and I want Azure to pull the key from the azure vault while configuring the diagnostics extension during publishing of the code.
The code is published via Devops yaml pipeline.
Is there any way to instruct the Azure pipeline to read the storage account key from Azure vault and use it for configuring the diagnostics extension during publishing code?
You need to use "Variable groups" feature of Azure Devops to link secrets from key vault into your pipeline, and forward them to your task.
Add secret to key vault
Create service connection in AzureDevops with permissions to access key vault
Create variable group and link secrets from key vault
Link variable group created in previous step into your .yaml pipeline
Any secret from variable group is accessible from within the pipeline like $(VariableName).
More information here.
I have created a custom Linux app service container.
The docker image has azure CLI installed and port numbers 80, 2222 are opened.
I have created a system-assigned identity for the key vault.
I could see the env variables related to the key vault.
The system assigned identities have permissions to GET, LIST operations of key vault also added to the principal.
But when my app tries to fetch the keys from the key vault it's not working.
enter image description here
I don't think your are supposed to connect to AKV using the terminal inside a container, better to use one of the SDK's for your language to get the keys using the credentials that you pass to the container.
I am following directions here for learning the AzureKeyVault config settings
Key Vault Configuration Provider sample application (ASP.NET Core 2.x)
This sample illustrates the use of the Azure Key Vault Configuration
Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see
Key Vault Configuration Provider sample application (ASP.NET Core
1.x).
For more information on how the sample works, see the Azure Key Vault
configuration provider topic.
Using the sample
Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key
Vault.
Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the
PowerShell
Gallery,
the Azure Key Vault REST API, or the Azure
Portal. Secrets are created as either
Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the
configuration provider. You should use the Manual option to create
name-value pair secrets for use with the configuration provider.
Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
Hierarchical values (configuration sections) use -- (two dashes) as a separator in the sample. Colons, which are normally used
to delimit a section from a subkey in ASP.NET Core
configuration, aren't allowed
in secret names. Therefore, two dashes are used and swapped for a
colon when the secrets are loaded into the app's configuration.
Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second
secret creates a secret value with a section and subkey in the secret
name:
SecretName: secret_value_1
Section--SecretName: secret_value_2
Register the sample app with Azure Active Directory.
Authorize the app to
access the key vault. When you use the
Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet to authorize the
app to access the key vault, provide List and Get access to
secrets with -PermissionsToSecrets list,get.
Update the app's appsettings.json file with the values of Vault, ClientId, and ClientSecret.
Run the sample app, which obtains its configuration values from IConfigurationRoot with the same name as the secret name. *
Non-hierarchical values: The value for SecretName is obtained with
config["SecretName"]. * Hierarchical values (sections): Use :
(colon) notation or the GetSection extension method. Use either of
these approaches to obtain the configuration value:
config["Section:SecretName"]
config.GetSection("Section")["SecretName"]
Okay so I have copied the name of my application into Azure Active Directory as an 'Enterprise Application'. And I have added 'Access policies' for 'get' and 'list' in Azure for my ADD object I just created. Yet I get this error in the program when attempting to start the application:
Exception: {"error":"unauthorized_client","error_description":"AADSTS70001:
Application with identifier '(guid)' was not found in the directory ...(continues)
Update 8-4-18
Okay I found out that Azure uses the 'ClientId' and 'ClientSecret' in the local appsettings.json to connect to what Azure registers in this tutorial: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application
I get the clientId in appsettings.json from the applicationId on ADD I create with ADD>App Registrations>New
I click settings in ADD on the app I just created and create a key with an expiration to store as ClientSecret in appsettings.json.
I change my 'Vault' in appsettings to my named vault.
I run the powershell above to give access or else do it in ADD.
So now I am getting a simpler error:
'Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied''
I have tried running as Administrator in Visual Studio. I went under Subscriptions in Azure>Access Control>(IAM)>set my new apps to Reader.
So the reason your powershell is failing is because you are trying to assign a User Principal - a user - when actually you want a Service Principal.
I can’t see your C# to support more there than saying when you use the SDK to log in as the Service Principal you use the application id of the Application/Service Principal (its the same id).
The service principal acts like a user in the local directory but you log in as the application.
Edit:
I looked at the example you posted and ran it myself and had very similar problems. However I have got it working. Here's the steps:
Creating the Application
Create the Registered Application. I do this through the Azure Portal so
a Service Principal is created automatically. Make a note of the ApplicationId.
Generate a key credential on the created application and make a note of it.
In the Application click on the link to the Managed app in local directory. This is the Service Principal, make a note of the ObjectId
Creating the Key Vault
Create KeyVault - I used PowerShell to do this. New-AzureRmKeyVault
Apply the Service Principal to the Key Vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List
Running the Sample App
In your application settings follow this format:
{
"Vault": <the name of your vault>,
"ClientId": <ApplicationId of the Registered Application>,
"ClientSecret": <Credential generated from the Registered Application>
}
This worked for me and allowed me to run the sample and retrieve the secrets from the vault.
The ultimate problem for me became that running 'Set-AzureRmKeyVaultAccessPolicy' was not needed and for whatever reason it was easier to just ignore it and follow this subsection: https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize
I kept trying to set up Object Id and Keys and really I had just overlooked a section mentioning a 'ServerPrincipalName'
They set one commandlet for keys
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign
They set one commandlet for secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List
But I decided to follow the immediate proceeding section on doing it all in the Portal. The key take away for me was that the instructions were not wrong. Just vague when it says: "Register a sample app" then "Authorize the App". Really they should be saying
Register a sample app (https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register)
Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)
Ultimately all the information is there it was just confusing if you happen to already have a vault and an application and don't understand the prerequisite is that really you need to have a 1. A Vault, 2. An ADD Web Application, 3. Associate permissions for 2 in 1.