Azure Key Vault allows IT personnel to securely store and access items such as API keys, passwords, access keys to Azure storage accounts, certificates, and more. Application developers can also reference the Key Vault in their code to access these secrets, as opposed to hard-coding them into their applications. In this lab, we create an Azure Key Vault and review the different components of the vault via the Azure Portal. We also use the portal to store and retrieve a password. Finally, we use the vault to store a local password for a Windows virtual machine and deploy the virtual machine using an ARM template. Instead of supplying the password in plaintext, we have the template reference the secret in the Key Vault.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Configure Cloud Shell
Let’s set up Cloud Shell by clicking the Cloud Shell button in the top-right hand corner of the screen.
- Select Bash for out Cloud Shell.
- Select Show advanced settings.
- Use the lab provided Subscription.
- Set Cloud Shell region to the same as your lab provided resource group.
- For Storage account select Create new using a unique name.
- For the File share select Create new with a unique name.
- Select Attach storage.
- Create an Azure Key Vault
In the Azure Portal, click Resource Groups in the hub navigation menu. In the Resource Groups pane, click the resource group for the lab. In the lab resource group pane, click the blue + Add icon at the top of the screen. Search for and click on Key Vault. Create the Key Vault with the following settings:
- Name: Choose a unique name for the Key Vault. Using something like kv-XXXXX is recommended, where XXXXX represents the five-character suffix of the lab resources. (See the storage account name for an example.)
- Subscription: Leave as-is.
- Resource Group: Use the existing lab resource group.
- Location: Same as your lab provided Resource Group
- Pricing Tier: Standard
- Access Policies: Default
- Virtual Network Access: Default
Click Create to create the Key Vault.
- Create a Secret in the Key Vault For the VM Password
Now that we have a Key Vault, let’s create a secret. A secret is a simple key-value pair that can represent a password, access key, or any other value we want to be secured.
In the Portal, click the All Resources icon in the hub menu. Then, in the All Resources blade, open the Key Vault. In the Key Vault blade, click Secrets, and then click Generate/Import in the Secrets blade.
Configure the secret with the following settings:
- Upload options: Manual
- Name: Something unique, but memorable, as we will reference this secret name later on in the lab.
- Value: Again, something unique. This will be used as the password to log on to our Linux VM later in the lab.
Leave all of the other settings alone and click Create.
- Configure the Key Vault ARM Templates Will Use and Note the Key Vault Resource ID
In the Key Vault blade, click Access policies. In the Access policies blade, click the Click to show advanced access policies link, then click the Enable access to Azure Resource Manager for template deployment. Click Save.
Now copy the resource ID of the Key Vault for use in our ARM template.
In the Key Vault blade, click Properties. Click the Copy icon next to the Key Vault resource ID to copy the value to the clipboard. Paste this value in a text file. We will use this value later in the lab.
- Create and Download a Virtual Machine ARM Template
In the Portal, click the Virtual machines icon in the hub menu, then click + Add. Complete the configuration of the virtual machine, but do not create the VM!
Settings for the VM:
Basics
- Project Details
- Subscription: Leave as-is.
- Resource Group: Leave as-is.
- Instance Details
- Virtual Machine name:
vm-XXXXX, where XXXXX represents the five-character suffix of the lab resources (see the storage account name for an example): - Region: Same as your lab provided Resource Group.
- Availability Options: No infrastructure redundancy required.
- Image: CentOS-based 7.7
- Size: Standard B1ms
- Virtual Machine name:
- Administrator Account:
- Authentication Type: Password
- Username:
azureuser - Password: Use a default password that is different than the one used as the Key Vault secret. The password must be at least 12 characters in length anc contain at lest three of the following:
- Uppercase letter
- Lowercase letter
- Numeral
- Special character
- Confirm password: Repeat the password.
- Inbound port rules: Leave as-is.
Disks
- Disk options:
- OS Disk Type: Standard HDD
- Leave everything else as-is.
Networking
- Configure Virtual Networks:
- Virtual Network:
vnet-XXXXX, where XXXXX represents the five-character suffix of the lab resources. This should be the default. - Subnet:
default (10.0.0.0/24) - Public IP:
pip-XXXXX, where XXXXX represents the five-character suffix of the lab resources. We will have to select this value: - NIC network security group: None
- Accelerated networking: Off
- Load Balancing: Leave all settings as-is.
- Virtual Network:
Management
- Monitoring:
- Boot Diagnostics: Off
- Leave all other settings as their defaults.
Click Review + create, then click Download a template for automation. Click Download to save the
.zipfile to your local machine.- Project Details
- Extract the Zip File and Modify the `parameters.json` File
We have to modify the
parameters.jsonfile to reference our Key Vault and secret.Extract the
.zipfile and open theparameters.jsonfile in a local text editor. At the bottom of the file, locate the following section:"adminPassword": { "value": null }Replace this with the following:
"adminPassword": { "reference": { "keyVault": { "id": "KeyVaultID" }, "secretName": "KeyVaultSecret" } }Substitute the Key Vault resource ID collected in Objective 4 for
KeyVaultIDand the VM Password secret created in Objective 3 forKeyVaultSecret. The final code should look like the following:
- Upload the `parameters.json` and `template.json` Files to the Azure Storage Account
In the Portal, click the Storage accounts icon in the hub menu. Open the storage account (named
saXXXXX) and in the saXXXXX blade, click Files.Click on the cloudshell share and then click Upload. Upload the
parameters.jsonandtemplate.jsonfiles to the share.- Create the Virtual Machine Using the ARM Templates
Open Cloud Shell. At the prompt, change to the
clouddrivedirectory, then run the following Azure CLI command.az deployment group create --resource-group "resource group" --template-file template.json --parameters parameters.jsonAfter the
–-resource-groupparameter name, press Tab twice to automatically complete the resource group name. Press Enter to execute the command. When the CLI output appears on the screen, check the Azure Portal to confirm the deployment of the VM.- Test Logging On to the VM with the Secret Password
To test our virtual machine, we will use the Linux Academy Instant Terminal. In the Azure Portal, click on Virtual Machines in the hub menu. Open the virtual machine created in the previous objective. In the Overview pane, click Connect. Copy the
sshstring below Log in using VM local account by clicking the copy icon.Next, open Instant Terminal in the Tools section of the lab site. It will open in a new browser tab. At the prompt, paste the clipboard value and press Enter. If prompted to continue connecting, press y.
At the password prompt, enter the value of the password secret created in Objective 3, not the password created when configuring the VM template. Press Enter.
