The following GitHub deployment allows me to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.
Can someone explain what is meant by the statement:
'the password is never put in plain text in the template parameter file'?
If you don't use Key Vault, even if the adminPassword type is securestring, when you enter the adminPassword during deployment it is shown as plaintext, not ******. It is not safe. But if you use Key Vault, the password is stored in Key Vault and saved encrypted, so others cannot see your password.
In the template, you should configure your template using Key Vault like below:

    "adminPassword": {
        "reference": {
            "keyVault": {
                "id": "/subscriptions/XXXXXXX/resourceGroups/resourceGroupName/providers/Microsoft.KeyVault/vaults/vaultName"
            },
            "secretName": "secretName"
        }
    },

Please refer to the similar question: How to hide password in shell script during ARM template deployment.
Hope you are doing well.
Is there a command in the Spark Utilities to see all secrets in an Azure Key Vault run in an Azure Synapse Spark Notebook?
Page https://learn.microsoft.com/en-us/azure/synapse-analytics/spark/microsoft-spark-utilities?pivots=programming-language-python#credentials-utilities
I can reference a Secret Like so mssparkutils.credentials.getSecret('azure key vault name','secret name') but can I list all the secrets?
Thanks
Unfortunately, there is no command available to list all secrets in Key Vault.
You may check out my answer on the MS Q&A platform on how to access a secret from the vault using a Synapse PySpark notebook.
I would appreciate it if you could share the feedback on our Azure Synapse feedback channel, which is open for the user community to upvote and comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.
You can call Azure Key Vault (AKV) via its REST API and the GetSecret methods, which returns a list of secrets in their full URL form. You could use a Web activity in Synapse pipelines to call this. Example settings:
| Setting | Value | Notes |
|---|---|---|
| URL | {vaultBaseUrl}/secrets?api-version=7.2 | See below for sample URL |
| Method | GET | |
| Authentication | Managed Identity | |
| Resource | https://vault.azure.net | |

Sample Key Vault URL:

    https://yourKeyVault-akv.vault.azure.net/secrets?api-version=7.2

Sample results:

    {
        "value": [
            {
                "id": "https://yourKeyVault-akv.vault.azure.net/secrets/somepassword",
                "attributes": {
                    "enabled": true,
                    "created": 1635948403,
                    "updated": 1635948403,
                    "recoveryLevel": "Recoverable+Purgeable",
                    "recoverableDays": 90
                },
                "tags": {}
            },
            {
                "id": "https://yourKeyVault-akv.vault.azure.net/secrets/someusername",
                "attributes": {
                    "enabled": true,
                    "created": 1635949171,
                    "updated": 1635949171,
                    "recoveryLevel": "Recoverable+Purgeable",
                    "recoverableDays": 90
                },
                "tags": {}
            }
        ]
    }

You are able to loop through the values with a For Each activity, eg the Items value would be:

    @activity('Web Get AKV Secrets').output.value

Refer to the individual secret inside the For Each activity like this:

    @item().id

Get the actual secret name by using split and last functions, eg

    @last(split(item().id, '/'))

You could then pass the individual secret name or the collection into a Synapse notebook as a parameter.
I'm trying to ingest an SSH public key for a Linux VM via an ARM template. The public key lives as a secret in the Key Vault.
Has anyone encountered an issue like this below? If so, what was the fix? I've tried multiple keys that I have generated with ssh-keygen -t rsa -b 2048. If I copy the key string directly into the keyData property as a string it works.
I've copied the following code from Microsoft docs, assuming I could use it for an SSH key instead of adminPassword:

    "ssh": {
        "publicKeys": [
            {
                "path": "/home/bluecat/.ssh/authorized_keys",
                "keyData": {
                    "reference": {
                        "keyVault": {
                            "id": "[resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.KeyVault/vaults','kvbluecat')]"
                        },
                        "secretName": "bluecatpub"
                    }
                }
            }
        ]
    }

After parsing a value an unexpected character was encountered: :. Path
'properties.osProfile.linuxConfiguration.ssh.publicKeys[0].keyData',
line 1, position 958.",
I solved my own issue. It turns out the reference attributes (reference {}) used in this way are only available in the parameters schema, not in the main deployment template schema that houses the template JSON.
After moving the reference attributes for the Key Vault secret into the parameter JSON file, the issue was resolved.
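
An added example (not part of the original thread): a small Python check for the two points made in the answers above, that a Key Vault reference object belongs in the parameter file rather than the template body, and that secure parameters are supplied by reference rather than as literal values. The function names and the sample documents are constructed for illustration.

```python
SECURE_TYPES = {"securestring", "secureobject"}

def is_kv_reference(node):
    """True for {"reference": {"keyVault": {...}, "secretName": ...}}."""
    ref = node.get("reference") if isinstance(node, dict) else None
    return (isinstance(ref, dict) and isinstance(ref.get("keyVault"), dict)
            and "secretName" in ref)

def misplaced_references(node, path="$"):
    """Paths inside a deployment template that hold a Key Vault reference
    object; per the answer above, that shape belongs in the parameter file."""
    if is_kv_reference(node):
        return [path]
    if isinstance(node, dict):
        children = [(f"{path}.{k}", v) for k, v in node.items()]
    elif isinstance(node, list):
        children = [(f"{path}[{i}]", v) for i, v in enumerate(node)]
    else:
        return []
    return [hit for p, v in children for hit in misplaced_references(v, p)]

def audit_parameters(template, param_file):
    """Classify each secure parameter by how the parameter file supplies it:
    'keyvault', 'inline' (literal value in the file) or 'missing'."""
    supplied, report = param_file.get("parameters", {}), {}
    for name, decl in template.get("parameters", {}).items():
        if str(decl.get("type", "")).lower() not in SECURE_TYPES:
            continue
        entry = supplied.get(name)
        report[name] = ("missing" if entry is None else
                        "keyvault" if is_kv_reference(entry) else "inline")
    return report

# Constructed sample documents; ids and values are placeholders.
def kv_ref(secret):
    return {"reference": {"keyVault": {"id": "<vault-resource-id>"},
                          "secretName": secret}}

TEMPLATE = {
    "parameters": {"adminPassword": {"type": "securestring"},
                   "sshKeyData": {"type": "securestring"},
                   "vmName": {"type": "string"}},
    "resources": [{"properties": {"osProfile": {"linuxConfiguration": {"ssh": {
        "publicKeys": [{"path": "/home/bluecat/.ssh/authorized_keys",
                        "keyData": kv_ref("bluecatpub")}]}}}}}],
}
PARAMS = {"parameters": {"adminPassword": kv_ref("secretName"),
                         "sshKeyData": {"value": "ssh-rsa AAAA-constructed"},
                         "vmName": {"value": "vm1"}}}
```

On the sample, `misplaced_references(TEMPLATE)` reports the same `keyData` location the deployment error pointed at, and `audit_parameters(TEMPLATE, PARAMS)` marks `sshKeyData` as `inline` because its value sits in the parameter file as a literal.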
In Azure Portal > Key vaults > Secrets, I have secrets with json values (I did not create it). Something like:
...
"SubscriptionId": "XXXXXXX",
"BaseAuthUri": "https://login.microsoftonline.com/XXXXX/oauth/authorize?client_id="&api-version=
...
I would like to add another URL value to it. How can I edit the secrets with the Azure portal?
How is the value of api-version set?
Thanks
You can only change secret attributes such as expiration date and activation date. You cannot change a secret's value programmatically or via Azure Portal. If you want to update your secret without creating a new vault (meaning the secret identifier still remains intact) you can create a new version of the existing secret.
If the secret value contains the variables to get authorization code, you don't need api version because the URI you call is the authorization endpoint.
I have uploaded the SSL certificate to Key Vault. Now I want to upload this certificate to my Cloud service.
With this API I am able to access the cert from Key Vault:

    GET https://{vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version={api-version}

But to upload the certificate, I need the password too.

    "path": "subscriptions/%sub_Id%/resourceGroups/%rg_Name%/providers/Microsoft.ClassicCompute/domainNames/%cloudService_Name%/servicecertificates/SHA1-%THUMBPRINT%",
    "body": {
        "thumbprintAlgorithm": "SHA1",
        "thumbprint": "%THUMBPRINT%",
        "data": "%base64encodedcert%",
        "certificateFormat": "pfx",
        "password": "password" << this is in plain text I believe
    }

How to get the password from keyvault or upload service certificate without password or with secret URI ?
When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. You retrieve the value by referencing the key vault and secret in your parameter file. The value is never exposed because you only reference its key vault ID. You do not need to manually enter the value for the secret each time you deploy the resources.
For more details, refer to this documentation. Use Key Vault to pass secure parameter.
Also, check the Azure Key Vault REST API reference for examples.
I basically want to create my HDI/Spark Cluster which accesses an Azure Data Lake Store by using ARM templates and also Azure Key Vault.
So far I created the cluster manually and stored the ARM template. Then I tried to populate the sensitive values from Azure Key Vault but I am struggling with how to pass in the "identityCertificate" correctly.
I also followed these steps to create the certificate and everything: https://github.com/Azure/azure-quickstart-templates/tree/master/201-hdinsight-datalake-store-azure-storage
and then these steps to upload the certificate into the Key Vault: https://blogs.technet.microsoft.com/kv/2016/09/26/get-started-with-azure-key-vault-certificates/
However, referencing the Key Vault secret in my ARM template always ends up in this error:
{ "status": "Failed", "error": { "code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.", "details": [ { "code": "InvalidDocumentErrorCode", "message": "DeploymentDocument 'AmbariConfiguration_1_7'
failed the validation. Error: 'Error while getting access to the datalake storage account gbhdi: The specified network password is not correct.\r\n.'" } ] } }
doing everything manually in the Azure Portal using same certificate etc. works just fine
I also tried to set the "identityCertificate" parameter manually by using the Base64 encoded value of my certificate but this did not work either
Which value would I need to pass to my parameter if I hard-code it?
seems like I found the issue and it is actually related to the previously failed ARM deployments which leave some fragments of the HDI cluster and new deployments do not overwrite these fragments but use the old settings
after deleting the cluster (which was not working anyway) I could deploy it as expected.
However, it is worth mentioning that the certificate has to be stored in KeyVault as Secret and not as Key and that it has to be base64 encoded!
here is the PowerShell script that I used:
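
    # Add the certificate to Key Vault as a Base64-encoded secret.
    # $certFilePath, $vaultName and $certName must be set beforehand.
    $base64Cert = [System.Convert]::ToBase64String((Get-Content $certFilePath -Encoding Byte))
    # Keep a copy of the Base64 text next to the .pfx file.
    $base64Cert | Out-File $certFilePath.Replace(".pfx", ".base64.txt")
    # Store the Base64 string as a secret (not as a key or a certificate object).
    $cer3 = Set-AzureKeyVaultSecret -VaultName $vaultName -Name $certName -SecretValue (ConvertTo-SecureString -String $base64Cert -AsPlainText -Force)
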
hope that helps other people facing the same issue!
-gerhard
Thanks Gerhard, I think you saved me a couple of hours of investigation.
First I tried using plain text values. I changed the SecureString types to String in the template, and provided plain text passwords. For the identityCertificate parameter I added the Base64-encoded string of the certificate, and everything worked. If you wanted to hardcode it, that would be the way to do it. The failure in this could have been due to the previous failed attempts.
After that I tried to use the key vault. I added the password as a secret in the vault, and the certificate, well... as a certificate. Then it failed with the exact same error message you mentioned. So the solution was to add the Base64-encoded certificate as a secret too (through the UI).