Azure Security

Securing PaaS – Azure deployments using Azure Key Vault

- by engsoon - Leave a Comment

Synopsis: In this exercise, attendees will utilize the Microsoft.Compute deployment access that was given in the previous exercise to gain access to an Azure Key Vault secret and certificate without saving them in the template(s).

Task 1: Create new secrets

In this task, you will add two secrets to the key vault.

  1. In your Incognito browser window, login as the KeyVaultAdmin.
  2. Select Key vaults.
  3. Select your key vault.
  4. Select Secrets.
  5. Select +Generate/Import.On the Key Vault blade, +Generate/Import is selected on the toolbar.
  6. On the Create a secret blade, enter the following:a. Upload options: Select Manual

    b. Name: Enter VMUsername

    c. Value: Enter AzureKVAdmin
    Fields in the Create a secret blade are set to the previously defined settings.

  7. Select Create.
  8. Select +Generate/Import again.
  9. On the Create a secret blade, enter the following:d. Upload options: Select Manual

    e. Name: Enter VMPassword

    f. Value: Enter DevsC@ntSeeTh
    Fields in the Create a secret blade are set to the previously defined settings.

  10. Select Create.
  11. You should now see two secrets in your Azure Key Vault:
    In the Azure Key vault, the two secrets, VMPassword and VMUsername are displayed.

Task 2: Deploy an ARM template using Azure Key Vault resources

In this task, you will run another ARM template using PowerShell to create a SQL database which can use the key vault resources.

  1. Open a Windows PowerShell ISE window.
  2. Open the extracted \AzureTemplate\deploy-securingpaas.ps1.a. Review the file, note the following:
    • Logs in the user
    • Starts an Azure RM Resource Group Deployment
    • Utilizes the azure-kv-sql-deploy.json and azure-kv-parameters.json files

    b. Update the path to your extracted directory.

    c. Update the resource group to your resource group.

    d. Save the file.

  3. Open the extracted \AzureTemplate\azure-kv-sql-deploy.json file, review it.a. Notice that this file simply creates a virtual machine using the parameters passed in.

    b. Update the SQL Server name parameter to something unique.

    c. Save the file.

  4. Open the extracted \AzureTemplate\azure-kv-parameters.json file.a. Notice how it makes a reference to your Azure Key Vault and secret to populate the parameters.

    b. Update the Azure Key Vault resource id.

    • In the Azure portal, select Key Vaults.
    • Select your key vault.
    • Select Properties.
    • Copy the RESOURCE ID.The Azure Key Vault Resource ID field and the DNS Name field display.
    • Paste the RESOURCE ID in the parameters sections.A JSON File displays with the resource ID line called out.
    • Save the file.
  5. Execute the script in PowerShell by entering the following command: (NOTE: You need to be in the AzureTemplates directory) 
    .\deploy-securingpaas.ps1
  6. Login as your subscription/resource group admin when prompted.
  7. Switch to your Azure Portal, select SQL Servers. You should see a new SQL Server available that will be using the username and password values from your key vault:In the Azure Portal search results, the passsecurity-abc123 SQL server is selected.

Related Posts

Security baseline on Azure #2

Security baseline on Azure #1

Security baseline on Azure – Solution architecture

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise system in the cloud.He is also a Certified Microsoft Azure.Eng Soon also have strong technical skills and analytic skill. As a developer, Besides the development task, he also involved in Project Management, Consulting, and Marketing. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive. He also took part as speaker in many nationwide technical events, such as Conference, Meetup and Workshop. Currently, looking for opportunity in Cyber Security which include Cloud Security and Application Security.

View all posts by engsoon →

Leave a Reply

Your email address will not be published. Required fields are marked *