Protect Script Secrets with Azure Key Vault

45 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Azure includes several services to help protect secret information for our applications and scripts. Within this hands-on lab, we’ll be working with managed identities and key vault.

Managed identities help us to provide an Azure Active Directory (AD) identity for Azure resources we manage. We can then use this identity to securely access some Azure services, such as key vault.

After completing this lesson, you will become familiar with how we can securely store secret information within a key vault, and then access that information securely from an Azure virtual machine.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Configure a Managed Identity for VM1

Use the Azure Portal to perform the following tasks. Please log in with the credentials provided to you for this lab.

Configure a Managed Identity for VM1

  1. Navigate to the virtual machine, vm1, which has been created for you. You may search for vm1, access it via All resources, or go through the Virtual Machines service page.

Please take note of the region in use for all of the resources that have been deployed, as we will need to use the same region in the following steps.

  2. Click on Identity in the Settings section of the resource menu on the left-hand side.
  3. Click System assigned within the working pane (middle of the screen) and change the Status to On.
  4. Click Save, then click Yes.

Configure a Key Vault

Create a Key Vault

  1. Click on the + Create a resource option.
  2. Search for key vault.
  3. Choose the key vault option, then click on Create.
  4. Create the key vault with the following settings:
    • Basics
      • Subscription: select the existing subscription
      • Resource group: select the existing resource group
      • Name: labkeyvault + 4 unique characters (e.g. labkeyvaultxx11)
      • Region: Select the region in use for your existing resources
      • Pricing tier: Standard
      • Click Next
    • Access policy
      • Click Add Access Policy
      • Template: Key, Secret, & Certificate Management
      • Select principal: vm1
      • Click Add
  5. Click on Review + create, then Create.

Verify Secure Key Vault Access from VM1

Use the Azure Portal to gather the necessary information. Please be aware you will need an RDP client to connect to the Windows server.

To connect to vm1, use the credentials provided on the lab page.

Connect to VM1 using RDP

  1. Navigate to the Virtual Machines services page.
  2. Open the existing VM called vm1.
  3. Click on the Connect option in the command bar, and select RDP.
  4. Use the RDP file with your preferred RDP client.

Note: you may choose to copy the public IP address and connect via RDP manually with your RDP client, instead of using the RDP file.

Copy the Key Vault Details

  1. Navigate to the Key Vaults section in the Azure Portal.
  2. Open the Key Vault you just created.
  3. Copy the DNS Name from the working pane (middle of the screen).

Install Azure CLI

  1. Right-click on the Start Menu then choose Run.
  2. Type powershell and press enter.
  3. Run the following command: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  4. Run the following command: Invoke-WebRequest -Uri -OutFile $home\Desktop\AzureCLI.msi
  5. Run the following command: Start-Process msiexec.exe -Wait -ArgumentList "/I $home\Desktop\AzureCLI.msi /quiet"
  6. Type exit and press Enter.

Test Key Vault using Azure CLI

  1. Right-click on the Start Menu then choose Run.
  2. Type cmd and press Enter.
  3. Log in using the managed identity: az login --identity --allow-no-subscriptions
  4. Type az keyvault secret set --name mySecret --value secret123 --vault-name labkeyvaultxx11 (use the name of the Key Vault you created earlier)
  5. Type az keyvault secret show --name mySecret --vault-name labkeyvaultxx11
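The same check as a script, added here as an example and not part of the lab: it shows the hard-coded pattern the scenario warns about, then fetches the secret at run time through vm1's system-assigned identity, first with the Azure CLI commands above and then with the token request that az login --identity performs under the hood (the Instance Metadata Service endpoint and the Key Vault REST call are assumed from Azure's documented behaviour, and labkeyvaultxx11 is a placeholder for your vault name).

```powershell
# Added example, not part of the lab. Assumes it runs on vm1 after the steps above,
# with the Azure CLI installed and the Key Vault access policy granted to vm1.
$VaultName  = 'labkeyvaultxx11'   # placeholder: the name you chose for your vault
$SecretName = 'mySecret'

# Before: the pattern described in the scenario, a secret committed in plain text.
# $ApiPassword = 'secret123'      # never do this in a script

# After, option 1: let the Azure CLI authenticate as the VM's managed identity.
# --allow-no-subscriptions matches the lab; the identity only holds Key Vault rights.
az login --identity --allow-no-subscriptions --output none
$ApiPassword = az keyvault secret show --name $SecretName --vault-name $VaultName `
                 --query value --output tsv
if ($LASTEXITCODE -ne 0) { throw "Could not read $SecretName from $VaultName" }

# After, option 2: what 'az login --identity' does behind the scenes. The VM asks the
# Instance Metadata Service (link-local address, reachable only from inside the VM,
# no credentials needed) for a token scoped to Key Vault, then calls the vault's
# REST API with that bearer token.
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } `
    -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$secretResponse = Invoke-RestMethod -Method Get `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" } `
    -Uri "https://${VaultName}.vault.azure.net/secrets/${SecretName}?api-version=7.4"
$ApiPasswordViaRest = $secretResponse.value

# Both paths must yield the same value; use it without echoing it to the console or logs.
if ($ApiPassword -ne $ApiPasswordViaRest) { throw 'CLI and REST values differ' }
Write-Host "Secret $SecretName retrieved ($($ApiPassword.Length) characters); value not printed."
```

Because the token comes from the VM's identity rather than from a stored credential, nothing secret is left in the script itself; an access policy scoped to only the secrets the script needs is what limits the blast radius if the VM is compromised.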

Additional Resources

You've recently been hired as a security engineer and tasked with improving the security of some DevOps tasks that are performed at your company.

Your manager has asked you to improve the security of an important DevOps server, which is responsible for running several scripts.

It has been found that some Azure CLI scripts currently run from the DevOps server use secret information that is hard-coded into the scripts in plain text.

You must provide a proof-of-concept to demonstrate how the Azure key vault service can be used together with managed identities, to improve the security in this scenario.
