Using Azure Key Vault

1 hour
  • 5 Learning Objectives

About this Hands-on Lab

Azure Key Vault is a tool that allows IT personnel to securely store and access items such as API keys, passwords, access keys to Azure storage accounts, certificates, and more. Application developers can also reference the Key Vault in their code to access these secrets, as opposed to hard-coding them into their applications. In this lab, we create an Azure Key Vault and review the different components of the vault via the Azure portal. We also use the portal to store and retrieve a password. Finally, we use the vault to store a local password for a Windows virtual machine and deploy the virtual machine using an ARM template. Instead of supplying the password in plaintext, we have the template reference the secret in the Key Vault. Lessons learned throughout this lab include creating and configuring Azure Key Vault, interfacing with the Key Vault using the Azure portal, and using Azure Key Vault to pass a secure parameter value during deployment.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set Up Azure Key Vault
  1. In the lab resource group pane, click + Add.
  2. Search for and click on Key Vault.
  3. Click Create.
  4. Set the following values:
    • Subscription: Leave as-is
    • Resource group: Leave as-is
    • Key vault name: kv-XXXXX, where XXXXX represents the five-character code you noted earlier
    • Region: Same as your lab-provided resources
    • Pricing tier: Standard
  5. Click Next: Access policy.
  6. Under Enable Access to, select Azure Resource Manager for template deployment.
  7. Click Next: Networking. Leave it as the default.
  8. Click Review + create.
  9. Click Create.
  10. Click Go to resource when it appears.
Create a Secret in the Key Vault for the VM Password
  1. Click Secrets in the left-hand menu.
  2. Click Generate/Import.
  3. Configure the secret with the following settings:
    • Upload options: Manual
    • Name: VMPass
    • Value: Something memorable and unique (e.g., P@ssw0rd!1234). Make sure you note this password, as we’ll use it later.
    • Content type: password
  4. Click Create.
  5. Click Properties in the left-hand menu.
  6. Click the copy icon next to the Resource ID.
  7. Paste this value in a text file, as we will use it in our ARM template.
Create and Download a Virtual Machine ARM Template

Note: DO NOT click to create the VM once you’ve configured all its settings. Instead, we will download a template for automation.

  1. Click Home at the top.
  2. Click Virtual machines.
  3. Click Add > Virtual machine.
  4. On the Basics page:
    • Subscription: Leave as-is
    • Resource group: Select the one in the dropdown
    • Virtual machine name: vm-XXXXX, where XXXXX represents the five-character code you noted earlier
    • Region: Same as your lab-provided resources
    • Availability options: No infrastructure redundancy required
    • Image: CentOS-based 8.2 (or the most recent version of it)
    • Size: Standard_B1s
    • Authentication type: Password
    • Username: azureuser
    • Password: Enter a unique password
    • Confirm password: Repeat the password
    • Inbound port rules: Leave as-is
  5. Click Next: Disks, and set the following values:
    • OS disk type: Standard HDD
    • Leave everything else as-is.
  6. Click Next: Networking, and set the following values:
    • Virtual network: Select the lab-provided VNet
    • Subnet: default (
    • Public IP: Select the lab-provisioned pip-XXXXX option in the dropdown
    • Leave all other settings as their defaults.
  7. Click Next: Management, and set the following values:
    • Boot diagnostics: Disable
    • Leave all other settings as their defaults.
  8. Click Review + create.
  9. DO NOT click to create the VM.
  10. Click the link to Download a template for automation.
Add the Secret Key to the VM ARM Template
  1. On the Template page, click Download to save the .zip file to your local machine.

    1. Extract the .zip file.
    2. Open the template folder.
    3. Open the parameters.json file in a local text editor.
    4. At the bottom of the file, locate the following section:
    "adminPassword": {
        "value": null
    1. Edit it to match the following, replacing KeyVaultID with the resource ID we copied earlier and KeyVaultSecret with the Key Vault secret name we created earlier (VMPass):
    "adminPassword": {
        "reference": {
            "keyVault": {
                "id": "KeyVaultID"
            "secretName": "KeyVaultSecret"

    Note: When it’s done, there should be four } brackets at the end of the file.

    1. Save the file.
    2. In the Azure portal, click Home.
    3. Click the lab-provided resource group.
    4. Click the lab-provided storage account.
    5. Click File shares.
    6. Click on cloudshell.
    7. Click Upload.
    8. Upload the parameters.json and template.json files.
Create the Virtual Machine Using the ARM Template
  1. Click the Cloud Shell icon (>_) in the menu bar at the top of the screen.

  2. Select Bash.

  3. Click Show advanced settings.

  4. Set the following values:

    • Subscription: Select the lab-provided subscription
    • Cloud Shell region: Select the region your resources are located in
    • Resource group: Select the lab-provided resource group
    • Storage account: Use existing
    • File share: Use existing, and enter the name cloudshell
  5. Click Attach storage.

  6. Change to the clouddrive directory:

    cd clouddrive
  7. Paste in the following Azure CLI command, but do not run it:

    az deployment group create --resource-group "<RESOURCE_GROUP>" --template-file template.json --parameters parameters.json
  8. With the code pasted, delete the "<RESOURCE_GROUP>" and leave the cursor just behind –-resource-group.

  9. Press Tab twice to complete the resource group name automatically.

  10. Press Enter to execute the command.

  11. When the CLI output appears on the screen, check the Azure portal to confirm the deployment of the VM by going to Home > Virtual machines to ensure the virtual machine exists.

  1. Click the virtual machine we just created.

    1. Click Connect > SSH.
    2. Under Run the example command below to connect to your VM, copy the azureuser email address in the command (it will be similar to
    3. In Cloud Shell, log in to the VM via SSH (replacing <AZUREUSER_EMAIL> with the email address you just copied):
    1. At the prompt asking if you want to continue connecting, enter y.
    2. At the password prompt, enter the value of the password secret you created earlier (not the password created when configuring the VM template).
      • If the prompt becomes azureuser@<VM_NAME>, it means we’ve set up the secret correctly.

Additional Resources

Log in to the Azure Portal using the credentials provided on the lab instructions page.

Important: Once you're logged in to the Azure portal, select the lab-provisioned resource group and note the the region for the storage account. This value will be used for all objectives in the lab.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?