Working with Azure Key Vault- Hands-On Labs

Azure Key Vault allows IT personnel to securely store and access items such as API keys, passwords, access keys to Azure storage accounts, certificates, and more. Application developers can also reference the Key Vault in their code to access these secrets, as opposed to hard-coding them into their applications. In this lab, we create an Azure Key Vault and review the different components of the vault via the Azure Portal. We also use the portal to store and retrieve a password. Finally, we use the vault to store a local password for a Windows virtual machine and deploy the virtual machine using an ARM template. Instead of supplying the password in plaintext, we have the template reference the secret in the Key Vault.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Configure Cloud Shell

Let’s set up Cloud Shell by clicking the Cloud Shell button in the top-right hand corner of the screen.

"Azure Cloud Shell"

Select Bash for out Cloud Shell.
Select Show advanced settings.
Use the lab provided Subscription.
Set Cloud Shell region to the same as your lab provided resource group.
For Storage account select Use existing.
For the File share select Use existing, and enter the name cloudshell.
Select Attach storage.

Create an Azure Key Vault

In the Azure Portal, click Resource Groups in the hub navigation menu. In the Resource Groups pane, click the resource group for the lab. In the lab resource group pane, click the blue + Add icon at the top of the screen. Search for and click on Key Vault. Create the Key Vault with the following settings:

Name: Choose a unique name for the Key Vault. Using something like kv-XXXXX is recommended, where XXXXX represents the five-character suffix of the lab resources. (See the storage account name for an example.)
Subscription: Leave as-is.
Resource Group: Use the existing lab resource group.
Location: Same as your lab provided Resource Group
Pricing Tier: Standard
Access Policies: Default
Virtual Network Access: Default

Click Create to create the Key Vault.

Create a Secret in the Key Vault For the VM Password

Now that we have a Key Vault, let’s create a secret. A secret is a simple key-value pair that can represent a password, access key, or any other value we want to be secured.

In the Portal, click the All Resources icon in the hub menu. Then, in the All Resources blade, open the Key Vault. In the Key Vault blade, click Secrets, and then click Generate/Import in the Secrets blade.

Configure the secret with the following settings:

Upload options: Manual
Name: Something unique, but memorable, as we will reference this secret name later on in the lab.
Value: Again, something unique. This will be used as the password to log on to our Linux VM later in the lab.

Leave all of the other settings alone and click Create.

Configure the Key Vault ARM Templates Will Use and Note the Key Vault Resource ID

In the Key Vault blade, click Access policies. In the Access policies blade, click the Click to show advanced access policies link, then click the Enable access to Azure Resource Manager for template deployment. Click Save.

Now copy the resource ID of the Key Vault for use in our ARM template.

In the Key Vault blade, click Properties. Click the Copy icon next to the Key Vault resource ID to copy the value to the clipboard. Paste this value in a text file. We will use this value later in the lab.

Create and Download a Virtual Machine ARM Template

In the Portal, click the Virtual machines icon in the hub menu, then click + Add. Complete the configuration of the virtual machine, but do not create the VM!

Settings for the VM:

Basics

Project Details
- Subscription: Leave as-is.
- Resource Group: Leave as-is.
Instance Details
- Virtual Machine name: vm-XXXXX, where XXXXX represents the five-character suffix of the lab resources (see the storage account name for an example):
- Region: Same as your lab provided Resource Group.
- Availability Options: No infrastructure redundancy required.
- Image: CentOS-based 7.9 – Gen2
- Size: Standard B1ms
Administrator Account:
- Authentication Type: Password
- Username: azureuser
- Password: Use a default password that is different than the one used as the Key Vault secret. The password must be at least 12 characters in length anc contain at lest three of the following:
  - Uppercase letter
  - Lowercase letter
  - Numeral
  - Special character
- Confirm password: Repeat the password.
- Inbound port rules: Leave as-is.

Disks

Disk options:
- OS Disk Type: Standard HDD
- Leave everything else as-is.

Networking

Configure Virtual Networks:
- Virtual Network: vnet-XXXXX, where XXXXX represents the five-character suffix of the lab resources. This should be the default.
- Subnet: default (10.0.0.0/24)
- Public IP: pip-XXXXX, where XXXXX represents the five-character suffix of the lab resources. We will have to select this value:
- NIC network security group: None
- Accelerated networking: Off
- Load Balancing: Leave all settings as-is.

Management

Monitoring:
- Boot Diagnostics: Off
- Leave all other settings as their defaults.

Click Review + create, then click Download a template for automation. Click Download to save the .zip file to your local machine.

Extract the Zip File and Modify the `parameters.json` File

We have to modify the parameters.json file to reference our Key Vault and secret.

Extract the .zip file and open the parameters.json file in a local text editor. At the bottom of the file, locate the following section:

"adminPassword": {
    "value": null
}

Replace this with the following:

"adminPassword": {
    "reference": {
        "keyVault": {
            "id": "KeyVaultID"
        },
        "secretName": "KeyVaultSecret"
    }
}

Substitute the Key Vault resource ID collected in Objective 4 for KeyVaultID and the VM Password secret created in Objective 3 for KeyVaultSecret. The final code should look like the following:

"KeyVault ARM"

Upload the `parameters.json` and `template.json` Files to the Azure Storage Account

In the Portal, click the Storage accounts icon in the hub menu. Open the storage account (named saXXXXX) and in the saXXXXX blade, click Files.

Click on the cloudshell share and then click Upload. Upload the parameters.json and template.json files to the share.

Create the Virtual Machine Using the ARM Templates

Open Cloud Shell. At the prompt, change to the clouddrive directory, then run the following Azure CLI command.

az deployment group create --resource-group  "resource group" --template-file template.json --parameters parameters.json

After the –-resource-group parameter name, press Tab twice to automatically complete the resource group name. Press Enter to execute the command. When the CLI output appears on the screen, check the Azure Portal to confirm the deployment of the VM.

Test Logging On to the VM with the Secret Password

To test our virtual machine, we will use the Linux Academy Instant Terminal. In the Azure Portal, click on Virtual Machines in the hub menu. Open the virtual machine created in the previous objective. In the Overview pane, click Connect. Copy the ssh string below Log in using VM local account by clicking the copy icon.

Next, open Instant Terminal in the Tools section of the lab site. It will open in a new browser tab. At the prompt, paste the clipboard value. Remove the -i <private key path> and press Enter. If prompted to continue connecting, press y.

At the password prompt, enter the value of the password secret created in Objective 3, not the password created when configuring the VM template. Press Enter.

Work with Azure Key Vault

About this Hands-on Lab

Learning Objectives

Basics

Disks

Networking

Management

Additional Resources

What are Hands-on Labs

Newsletter