
Step-by-Step Guide: Azure Key Vault

People use safes and security boxes to protect their valuable things. In the digital world, “data” is the most valuable thing. Passwords, connection strings, secrets, and data encryption/decryption keys protect access to different data sets. Whoever has access to those also has access to the data behind them (of course, they need to know how to use them 😊). So how can we protect this valuable information? People use different methods. Some use third-party software installed on a PC. In a large environment, some use a web application so multiple people can access it. Different vendors use different methods to protect these types of valuable data. Microsoft Azure Key Vault is a service which we can use to protect the passwords, connection strings, secrets, and data encryption/decryption keys used by cloud applications and services. Keys stored in vaults are protected by hardware security modules (HSMs). It is also possible to import or generate keys using HSMs. Any key processed that way is handled according to FIPS 140-2 Level 2 guidelines. You can find out about FIPS 140-2 Level 2 at https://www.microsoft.com/en-us/trustcenter/Compliance/FIPS

Benefits of using Key Vault

Keys saved in the vault are served via URLs. Developers and engineers do not need to worry about securing the keys themselves. The application or service never sees the keys, because the vault service performs the operations on its behalf.

Customers do not have to disclose their keys to vendors or service providers. They can manage their own keys and allow vendor or service provider applications to access those keys via URLs. The vendor or service provider will not see the keys.

By design, Microsoft cannot extract or see customer keys. So, the keys are further protected at the vendor level too.

The HSMs are FIPS 140-2 Level 2 validated. So, any industry required to comply with this standard is covered by default.

Key usage details are logged. So, you know what is happening with your keys.

An Azure administrator can do the following using Azure Key Vault:

Create or import a key or secret

Revoke or delete a key or secret

Authorize users or applications to access the key vault, which allows them to manage or use their own keys and secrets

Configure key usage

Record key usage

More info about Azure Key Vault can be found at https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview

Let’s go ahead and see how we can set up and use the Azure Key Vault service.

Create Azure Key Vault Instance  
 
1) Log in to Azure Portal as a global admin.
2) Click on the Cloud Shell icon in the top right-hand corner. (You can also set this up using the portal, Azure CLI, or a locally installed Azure PowerShell. In this demo I am using Azure PowerShell directly from the portal.)

3) Then select PowerShell as the command type.
4) Then type Get-AzureRmResourceGroup to list the resource groups, so we can select the resource group to associate with the new key vault.

5) If you wish to create the key vault under a new resource group, you can do it using

New-AzureRmResourceGroup -Name RGName -Location WestUS

In the above command RGName specifies the resource group name and WestUS defines the region. You can find the available locations using Get-AzureRmLocation
 
6) Now it’s time to create the vault. We can create it using, 
 
New-AzureRmKeyVault -VaultName 'Rebel-KVault1' -ResourceGroupName 'therebeladmin' -Location 'North Central US'
 
In the above, VaultName defines the key vault name, ResourceGroupName defines the resource group it is associated with, and Location defines the region of the resource.

7) We can view the properties of an existing key vault using,

Get-AzureRmKeyVault "Rebel-KVault1"

In the above, Rebel-KVault1 is the key vault name.

Vault URI shows the URL which applications and services can use to access the key vault.
 
8) The next step is to create an access policy for the key vault. Using an access policy we can define who has control over the key vault, what they can do inside it, and also what an application or service can do with it.

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -UserPrincipalName 'user1@rebeladmlive.onmicrosoft.com' -PermissionsToKeys create,delete,list -PermissionsToSecrets set,list,delete -PassThru

In the above command, user1@rebeladmlive.onmicrosoft.com can create, delete and list keys in Rebel-KVault1. He can also set, list and delete secrets under the same vault.

We can also set permissions for an application to retrieve secrets or keys.

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -ServicePrincipalName 'http://crm.rebeladmin.com' -PermissionsToSecrets Get

In the above, the service registered as http://crm.rebeladmin.com will have permission to retrieve secrets from the vault.
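As an added example (my own script, not from the post), the following Azure PowerShell script runs the steps above end to end in Cloud Shell: it creates the resource group and vault, applies the two access policies with no more rights than each principal needs, turns on audit logging of key and secret usage, and then prints every access policy so an over-broad grant such as all or purge is easy to spot. The storage account resource ID for the log sink is a placeholder; the other names are the ones used in the post.

```powershell
# Added example, not from the post. Assumes an authenticated Cloud Shell session
# (as in the post) with the AzureRm modules. Names are the post's; the storage
# account resource ID is a placeholder for wherever the audit logs should go.
$rg       = 'therebeladmin'
$vault    = 'Rebel-KVault1'
$region   = 'North Central US'
$logStore = '<resource-id-of-a-storage-account-for-logs>'   # placeholder

# Step 5: reuse the resource group if it already exists.
if (-not (Get-AzureRmResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $rg -Location $region | Out-Null
}

# Step 6: create the vault. Soft delete keeps a deleted key or secret
# recoverable for a retention period instead of losing it immediately.
$kv = New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg `
        -Location $region -EnableSoftDelete

# Step 8: the operator may create, list and delete, but has no 'get' on
# secrets, so he manages them without ever reading their values.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault `
    -UserPrincipalName 'user1@rebeladmlive.onmicrosoft.com' `
    -PermissionsToKeys create,delete,list `
    -PermissionsToSecrets set,list,delete

# The application gets read-only access to secrets and nothing on keys.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault `
    -ServicePrincipalName 'http://crm.rebeladmin.com' `
    -PermissionsToSecrets get

# "Key usage details are logged": route AuditEvent logs to storage so every
# get/set/delete on the vault is recorded for later review.
Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId `
    -StorageAccountId $logStore -Enabled $true -Categories AuditEvent | Out-Null

# Review pass: list each policy and flag broad permissions.
$kv = Get-AzureRmKeyVault -VaultName $vault
foreach ($p in $kv.AccessPolicies) {
    $granted = @($p.PermissionsToKeys) + @($p.PermissionsToSecrets) +
               @($p.PermissionsToCertificates)
    $flag = if ($granted | Where-Object { $_ -in 'all', 'purge' }) { ' <-- review' } else { '' }
    '{0,-45} keys=[{1}] secrets=[{2}]{3}' -f $p.DisplayName,
        ($p.PermissionsToKeys -join ','), ($p.PermissionsToSecrets -join ','), $flag
}
```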
 
Key Management
 
Now we have a vault up and running. The next step is to see how to manage valuable data using it. In this demo I am going to do this using the Azure Portal. The same tasks can still be done using Azure CLI or Azure PowerShell.
 
1) To access the Key Vault feature in the portal, go to Azure Portal > All Services > Key vaults

2) Then click on the relevant key vault from the list. In my demo it is Rebel-KVault1, which we created in the previous section.

3) Then it will load a new window. Let’s go ahead and add a secret. To do that, click on the Secrets option.

4) Then click on Generate/Import

5) Then fill in the relevant info in the form. Value defines the secret. After entering the relevant info, click on Create

6) If you need to delete a secret, click on the relevant secret from the list.

7) Then click on Delete

8) We can also generate/import certificates for use. In order to do so, click on Certificates from the list.

9) Then click on Generate/Import

10) From the form, using the Generate option we can create a self-signed certificate.

11) Using the Import option, we can import certificates in .PFX format. In the form, Upload Certificate File is the path to the .PFX file. You can use the browse option to define the path. We can provide the PFX password under the Password field. Once the form is done, click on Create
 
 
I hope you now have an understanding of Azure Key Vault and how to use it. This marks the end of this blog post. If you have any questions, feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to Start with Azure CLI 2.0

There are many ways to create, manage, and remove resources from an Azure subscription. For users who prefer a GUI there are the Azure Classic portal and Azure Resource Manager. For PowerShell lovers, Azure has the Azure PowerShell module. Apart from that, there are other methods such as Terraform (I have already written articles about it; if you want to know more, search for “terraform” in the blog) which simplify Azure resource management. Azure CLI is also a command-line tool introduced by Microsoft which can be used to manage Azure resources. It can be used from multiple platforms such as Linux, Mac OS and Windows. This blog post explains how we can configure a Windows system to use Azure CLI.

There are two ways we can use to connect to Azure CLI.

Using Azure Portal

Azure also allows the use of a web-based version of Azure CLI, under the name “Cloud Shell”. It can easily be opened through the browser. In order to access it,

1) Log in to Azure Portal

2) Click on the Cloud Shell icon on the top right-hand side

3) When you do this for the first time, it will ask you to create an Azure file share. You can select the relevant subscription and click on “Create Storage”

4) Once the storage is created, it will load up shell access through the browser.

Using Windows Computer

We can also use Azure CLI from a local computer. As I said, this is not only supported on Windows systems; it is also supported on Linux and Mac OS. In this demo, I am going to demonstrate how to configure it on a Windows system.

Azure CLI uses Python, so our configuration will be based on a Python installation.

1) Log in to computer as an administrator

2) Go to https://www.python.org/downloads/ and download python

3) Once the file is downloaded, run it as administrator to install. During the installation, make sure to select the “Add Python 3.6 to PATH” option. This will allow you to use python commands without navigating to the installation location.

4) Once the installation has completed, open the Windows command line and type python --version. This will confirm the Python installation. (It is recommended to open the command line as administrator; otherwise it will say the PATH records are not added, as we ran the installation as Administrator.)

5) The next step is to install the Azure CLI libraries. In order to do that, run pip install --user azure-cli

6) Once it is completed, move to C:\Users\[Admin User]\AppData\Roaming\Python\Python36\Scripts and run the command az . This will verify the Azure CLI integration. If it needs to run from anywhere, add that folder to the PATH.

7) Now let’s try to log in to Azure using Azure CLI. In order to do that we can use az login -u azureusername -p password. The problem with this method is that the password needs to be typed in as clear text. Instead of that, we can use the more secure browser-based login. To do that, type az login in the command line.

Then it gives a link and a code to use for authentication.

8) Once it is open in the browser, it asks for the verification code. Once it is entered, click on Continue

On the next page, it verifies the Azure login and then confirms the connection.

When we go back to Azure CLI, we can see it has successfully logged in and is showing the subscription data.
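As an added example (my own script, not from the post), the following PowerShell script automates steps 4 to 7 on the Windows machine: it checks that the Python installer put python on the PATH, installs the Azure CLI per user, adds the Scripts folder from step 6 to the user's PATH so az works from any prompt, and then signs in with the browser-based az login so no password is ever passed on the command line. The Scripts path assumes Python 3.6 as in the post.

```powershell
# Added example, not from the post. Assumes the Python 3.6 installer from
# step 3 has run; the Scripts path below is the per-user location from step 6.

# Step 4: python must resolve from PATH ("Add Python 3.6 to PATH" was ticked).
if (-not (Get-Command python -ErrorAction SilentlyContinue)) {
    throw 'python is not on the PATH; re-run the installer with "Add Python 3.6 to PATH" ticked'
}
python --version

# Step 5: per-user install, so nothing is written to the system-wide
# site-packages.
pip install --user azure-cli
if ($LASTEXITCODE -ne 0) { throw 'pip install of azure-cli failed' }

# Step 6: make az reachable from any prompt by adding the per-user Scripts
# folder to the user PATH once, and to this session right away.
$scripts  = Join-Path $env:APPDATA 'Python\Python36\Scripts'
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
if (($userPath -split ';') -notcontains $scripts) {
    [Environment]::SetEnvironmentVariable('Path', "$userPath;$scripts", 'User')
}
$env:Path = "$env:Path;$scripts"
az --version

# Step 7: browser-based sign-in. No -u/-p, so the password never lands in
# the command line, the shell history or a process listing.
az login
az account show --output table
```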

This confirms the successful connection to Azure using Azure CLI. This is the end of this post; in the next post let’s see how we can add, manage, and remove Azure resources via Azure CLI. Hope this was helpful, and if you have any questions feel free to contact me at rebeladm@live.com