Synopsis: In this exercise, attendees will use the Microsoft.Compute deployment access that was granted in the previous exercise to have Azure Resource Manager read an Azure Key Vault secret (the same mechanism works for certificates) at deployment time, so that no secret value is ever stored in the template or parameters file.
Task 1: Create new secrets
In this task, you will add two secrets to the key vault.
- In your Incognito browser window, login as the KeyVaultAdmin.
- Select Key vaults.
- Select your key vault.
- Select Secrets.
- Select +Generate/Import.
- On the Create a secret blade, enter the following:
  a. Upload options: Select Manual
  b. Name: Enter VMUsername
  c. Value: Enter the administrator login name you want the deployed SQL Server to use
- Select Create.
- Select +Generate/Import again.
- On the Create a secret blade, enter the following:
  a. Upload options: Select Manual
  b. Name: Enter VMPassword
  c. Value: Enter a strong password (Azure SQL enforces password complexity, so a weak value will fail the deployment later)
- Select Create.
- You should now see two secrets, VMUsername and VMPassword, in your Azure Key Vault.
Task 2: Deploy an ARM template using Azure Key Vault resources
In this task, you will run another ARM template from PowerShell to create a SQL Server whose administrator login and password are supplied from the key vault secrets rather than from the template or parameters file.
- Open a Windows PowerShell ISE window.
- Open the extracted \AzureTemplate\deploy-securingpaas.ps1.
  a. Review the file, and note the following:
    - It logs in the user.
    - It starts an Azure RM Resource Group Deployment.
    - It uses the azure-kv-sql-deploy.json and azure-kv-parameters.json files.
  b. Update the path to your extracted directory.
  c. Update the resource group to your resource group.
  d. Save the file.
- Open the extracted \AzureTemplate\azure-kv-sql-deploy.json file and review it.
  a. Notice that this file simply creates a SQL Server using the parameters passed in; the template itself contains no credentials, only parameter declarations.
  b. Update the SQL Server name parameter to something unique (the name must be unique across all of Azure).
  c. Save the file.
- Open the extracted \AzureTemplate\azure-kv-parameters.json file.
  a. Notice how it references your Azure Key Vault (by resource id) and a secret name to populate the parameters. Azure Resource Manager resolves these references during the deployment, so the secret values never appear in the parameters file, the template, or your PowerShell session.
  b. Update the Azure Key Vault resource id to that of your key vault. For the reference to resolve, the key vault must have template deployment enabled (the enabledForTemplateDeployment property) and the deploying identity must hold the Microsoft.KeyVault/vaults/deploy/action permission on it; otherwise the deployment fails before any resource is created.
  c. Save the file.
- Execute the script in PowerShell by entering the following command (NOTE: you need to be in the \AzureTemplate directory):
.\deploy-securingpaas.ps1
- Login as your subscription/resource group admin when prompted.
- Switch to your Azure Portal and select SQL Servers. You should see a new SQL Server whose administrator username and password were taken from the VMUsername and VMPassword secrets in your key vault.
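The whole of Task 2 as a single script, added here as an example; it is not the lab's deploy-securingpaas.ps1 and the lab's template files are not shown on this page. It adds the two checks the steps above leave implicit: that the vault allows template deployment before the deployment is attempted, and that the recorded deployment does not expose the password afterwards. The variable values, the parameter file name it writes, and the parameter names sqlServerName, administratorLogin and administratorLoginPassword (the last declared as securestring in the template) are assumptions; substitute the names your azure-kv-sql-deploy.json actually declares.

```powershell
# Added example, not the lab's deploy-securingpaas.ps1. Uses the AzureRM module
# the lab refers to. Assumed values: the variables below and the parameter names
# in $parameters; the template is assumed to declare administratorLoginPassword
# as securestring.
$resourceGroup = 'SecuringPaaS-RG'        # assumed; use your resource group
$vaultName     = 'securingpaas-kv'        # assumed; use your key vault name
$templateDir   = 'C:\AzureTemplate'       # assumed; your extracted directory
$sqlServerName = 'securingpaas-sql-' + (Get-Random -Maximum 99999)  # must be globally unique

# Log in as the subscription/resource group admin, not as the KeyVaultAdmin.
Login-AzureRmAccount | Out-Null

# Check 1: Resource Manager only resolves Key Vault parameter references when the
# vault has enabledForTemplateDeployment set. The deploying identity also needs
# Microsoft.KeyVault/vaults/deploy/action on the vault (granted in the previous exercise).
$vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
if (-not $vault.EnabledForTemplateDeployment) {
    Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
        -EnabledForTemplateDeployment
}

# Build the parameters file. The two credentials are given as references (vault
# resource id + secret name); no secret value is written to disk here.
$parameters = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        sqlServerName              = @{ value = $sqlServerName }
        administratorLogin         = @{ reference = @{ keyVault = @{ id = $vault.ResourceId }; secretName = 'VMUsername' } }
        administratorLoginPassword = @{ reference = @{ keyVault = @{ id = $vault.ResourceId }; secretName = 'VMPassword' } }
    }
}
# Written to a separate file so the lab's own azure-kv-parameters.json is left untouched.
$parameterFile = Join-Path $templateDir 'azure-kv-parameters.generated.json'
$parameters | ConvertTo-Json -Depth 5 | Set-Content -Path $parameterFile -Encoding UTF8

# Deploy. Resource Manager reads the secrets from the vault during the deployment
# and hands them to the SQL Server resource; they never pass through this session.
$deployment = New-AzureRmResourceGroupDeployment -Name 'securingpaas-kv-sql' `
    -ResourceGroupName $resourceGroup `
    -TemplateFile (Join-Path $templateDir 'azure-kv-sql-deploy.json') `
    -TemplateParameterFile $parameterFile

# Check 2: securestring parameter values are not stored in deployment history, so
# the recorded parameter carries no value. Anyone who can read the deployment
# (Get-AzureRmResourceGroupDeployment) still cannot recover the password from it.
$recorded = $deployment.Parameters['administratorLoginPassword']
if ($recorded.Value) {
    Write-Warning 'Password value is present in deployment history; check that the template declares it as securestring.'
} else {
    Write-Output "Deployment $($deployment.DeploymentName) succeeded; SQL Server $sqlServerName created, password not recorded in history."
}
```

If the template declared the password parameter as a plain string instead of securestring, the Key Vault reference would still resolve, but the resolved value would be kept in the deployment history for anyone with read access to the resource group; the second check above is what catches that. With the newer Az module the same script uses Connect-AzAccount, Get-AzKeyVault, Set-AzKeyVaultAccessPolicy and New-AzResourceGroupDeployment with otherwise identical parameters.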