Accessing Azure Key Vault Using Managed Identities

Captions
Hello, this is my video as a qualified Azure Solutions Architect. In today's video we're going to look at accessing Azure Key Vault secrets using a system-assigned managed identity through an Azure Function in the Azure portal. Let's get into it. Let's go.

Okay, so the first thing you want to do is actually create a key vault. So you just go to portal.azure.com, go to the search area, type "key vault", and the fuzzy search will bring you this particular view. Okay, so the next thing is just to click on the "Create key vault" button in the portal. It should load up quite quickly, and then we're just going to allocate a resource group in which to put the particular key vault. I already have one in US East created, and then you'll have to create a key vault name, which is unique across all of Azure. So yeah, we're going to just create a key vault name; name it according to your organization's naming standards. Here I'm just going to use the normal one... this one has probably been taken. Yes, I think... yep, this is available. I'm just going to let it stay in the US East region for now. You have two pricing tiers to put it in, so we're just going to go with Standard now because we don't need any extra functionality. Okay, so there are days to retain the particular vault after it's deleted; it's going to go with a minimum of seven, so it goes to a maximum of 90. I don't need to worry about purge protection for now.

Okay, now this is where it gets a bit more interesting. So access policies are what we use to access our secrets, our keys, our certificates, and these can be Azure resources. Now what do I mean when I say these can be Azure resources? We mean that between resources there can be communication without the need for usernames and passwords, without the need for that type of complexity. So we can create a virtual machine, and in that particular virtual machine we can access secrets, keys and certificates without even calling this particular key vault with usernames and passwords. We do need private and public keys as well, which is awesome. This concept is called managed identities. Now how does it work? The way it works is that there's a trust created between Microsoft Azure resources internally, and that trust is kept internal and not exposed to the user. So that's how it actually works: it's a managed trust between resources. That managed trust between resources, that's what we call managed identities. So we're not going to create an access policy now; we'll come back to it later. So we're just going to create our key vault. By default I'm the owner there, I'm going to leave it as a public endpoint, and I'm going to create it. Okay, let's proceed.

After the deployment has completed we're just going to click on the "Go to resource" button. It'll open up the overview page of our key vault. Now our key vault is ready to host some keys, secrets and/or certificates. We're just going to create a secret. So on the left-hand pane you're just going to click on Secrets, you're going to click on "Generate/Import", we're going to leave it as Manual, and we're going to name it after our API key: "API key", that's it. And then we're just going to input our API key here. Okay, the others we're just going to leave as defaults. It's quite cool to mention, though, that you can set the expiration of a particular API key, which is quite interesting. For example, if you have a project running for two months or so, you can just set the expiration date until then, and you don't have to worry about going to the portal again to deactivate it. Wonderful, so we have our API key in our Microsoft Azure Key Vault.

Now the next step is to create an Azure Function that will be able to access this particular API key. How do we do that? Let's find out. In the search pane here just search for "Function App". There we go, you'll see it under Services; just select it. We're just going to create a new one. As always, we have to assign it to a resource group; I'm just going to use the same resource group that we used for Key Vault. We're going to give it a name, a unique name across all of Azure. We can name it "us east"... then let's see which name is available. Okay, now "3" is available. Now we're going to use code to actually configure this particular function app. Our runtime stack is going to be .NET; you can use Java, you can use PowerShell, the support is actually quite robust here. So I'm going to use the new .NET version. We're going to place it in US East. Okay, let's proceed. We're going to select a storage account; this is mainly for function apps which actually store data. We're just going to make ours stateless, so we won't use it. The reason why we're selecting Windows here instead of Linux is because in Microsoft Azure currently you can only edit the code of function apps which are associated with the Windows operating system. Perfect. So the plan type we're just going to leave as Consumption; you do have the options to go Functions Premium or use an already existing App Service plan, which you can share with some app services. We're just going to leave it as Consumption. Next tab: we're not going to configure networking. Monitoring: we're not going to use Application Insights for now, for this particular video. Go to Tags, Review + create. Awesome, the validation has passed; we're going to create our function app. One thing to remember here, though: when creating a function app it's not really a function app, it's a function app group, so we can have multiple functions in one function app.

Now that our function app has completed deployment, we're going to navigate to it. Okay, here we go, we have our function app, which as I mentioned is a function app plan, as you may say. So on the left-hand pane we're going to go to Functions, and we're going to create our very first function in this particular function app group. Okay, we have an option to develop in the portal, which as I mentioned is only available for Windows-based function apps. We're going to use an HTTP trigger, which allows us to actually call the function through an HTTP URL. Okay, so after it's created we have a function here inside the function app. We're going to go to "Code + Test" on the left-hand pane. Now here's the sample code for the function app; it's just a typical post box. Let's just test and run it to make sure that the default is working: "azure cx". We're going to run it. It's connecting here on the left-hand side, in the middle here, so we should see some results, and there we go: we get an HTTP 200 back saying "hello azure cx, this HTTP triggered function executed successfully". Perfect, so we know that it's set up correctly and we know that we can actually call it. Let's verify that you can call it through a publicly available URL, a fully qualified domain name. We're just going to copy the URL there through that button, open a new tab, paste the URL. Wow, this is perfect. So we just need to pass a name if we want it to be displayed. That's wonderful.

So currently in Azure the way we access Key Vault secrets is to use environment variables, so we have to create an Azure Function App environment variable in order to access that particular secret we created. So let's look at how we do that. We're just going to go to the search bar, we're going to go back to Function App, we're going to select our function app, we're going to scroll down a bit; under Settings we have Configuration, so just click on the Configuration link. This is where we're going to set our environment variables. So we have some predefined here; we're just going to create our own. There's a "New application setting" button, just click on that. So we're going to say... you can use any name here: "API key", let's put "fn" on it, just to emphasize that it doesn't have to be the same name as our Azure Key Vault's key name or secret name. Okay, now the value, this is quite important. The value here, we have a magic string: at the beginning it's "@Microsoft.KeyVault(" and then you give it a SecretUri. Now where do we get this particular secret URI? Let's open a new tab and go to the portal again. Once we get to the portal we're just going to search here in the search bar and search for our key vault; we're just going to type in "key vaults", navigate to it, go to the key vault we created. If we go to Secrets, because we created a secret here, here's our secret. We're just going to click on our secret, then under the current version of our secret we're just going to click on it again. Wow, we have a secret identifier now that we can use. So we're just going to copy this particular value, go back to our function, and in our function's Configuration window this is where the secret URI is going to be input. So there we go; remember to close the parenthesis there. We're going to click on OK. Immediately after this you'll see, if we return to this... we're just going to save it first; it's going to validate this particular reference just to make sure that we have access, first of all, and that the secret actually exists, and that's when we will be able to be evaluated.

Now, if we try to access this beforehand... we're just going to try accessing this beforehand now, just to see what will actually happen. So we're going to scroll up, go back to our Functions, we're going to click on our function, we're going to click on "Code + Test". So what we're going to do now is edit our code and access our environment variable. So we're just going to remove all of these, and: apiKey, Environment.GetEnvironmentVariable, and the name of our environment variable is... if we can go back to our configuration screen. I'm going to go back to our function app, under Configuration here we're going to copy our function app setting here, which is actually synonymous with an environment variable. Okay, we're going to paste it here. This should not work, by the way, because the function app is just trying to access a secret without any authentication whatsoever, without any keys. So let's see what will happen. Let's save it first. It's connecting... connected. We're going to test/run it; these actually don't matter, but let's just run it. Ah, the function compilation has some errors here, and it actually shows you the errors here. Wow, this is powerful, so we have a compiler here. We see that we have a typo; let's just fix our typo here. It's good that you don't have to use an IDE just for elementary code in our function app. So we see there's another error here; we're just going to fix it quickly and save it. This is powerful. I'm glad this happened, because at least we can actually verify that the compiler works as we expect it to. Perfect, so the compilation has succeeded. Let's test it out; we're going to run it. Look at this: this value is not resolved. Now why isn't it resolved? This is because of permissions. So let's go back to our function's Configuration. Ah, now we see that the Key Vault reference has an issue here. Now the reason why the Key Vault secret is not resolving is because we haven't set up permissions between our function app and our Key Vault. Let's do that.

We're going to use a system-assigned managed identity. Now what is a system-assigned managed identity? Now we spoke about managed identities being able to allow multiple resources in Microsoft Azure to communicate with one another without specifying any usernames or keys. So what we're going to do now is create a user-assigned managed identity in this particular function app so it can be able to access the Azure Key Vault secrets that we have defined. Let's see how we do that. In the function app itself we're going to this setting to set the identity: just scroll down on the left-hand pane, under Settings there's Identity, just click on that. You see the status is currently Off; this is for a system-assigned managed identity. So we're going to set it to On and save changes, just for confirmation. So this allows us to access Microsoft Azure resources without worrying too much about Azure AD users and groups and assigning access. So what we're going to do is we just enable the system-assigned managed identity and assign Azure permissions to that particular system-assigned managed identity. Now user-assigned managed identities, on the other hand, enable you to reuse a managed identity across different resources, so you might think of this as an AD group, so assigning multiple users to a particular AD group. Typically how you would use this is: create a user-assigned identity. Let's say you have five different VMs, but all those VMs access the same resources. So for example, if all five VMs access the same Azure Key Vault, you would create a user-assigned managed identity, activate that particular user-assigned managed identity, assign it to the different VMs, and create an Azure Key Vault access policy which grants the user-assigned managed identity access, so you didn't have to set it up for all five VMs individually.

Now that we have our system-assigned managed identity enabled, what we need to do is go to our Key Vault and grant the system-assigned managed identity access to our secrets. Let's see how we do that. We're just going to again go to our Azure Key Vault: "key vaults", we're going to select our key vault, and we're going to edit this setting called Access policies. So on the left-hand pane, yeah, there we go, Access policies, and under Access policies we're going to add a new access policy; click on the link there. You can select from predefined templates; for example, Secret Management will ignore keys and certificates and only give you access to secrets, but really all we need is just read access to our secrets, and that's about it. Okay, we have two permissions selected. Select principal: this is where the magic happens. Under "Select principal" that's where we select all of the Azure resources that we want to be able to access these particular secrets in this particular Azure Key Vault. Okay, so we're going to select our function app as this particular principal. So we're going to select our Azure Function app here, the name is fn... ah, there we go, there it is. Just going to select it and we're going to add our policy. Under policies, as you can see, our function app has been added with secret permissions: secret permissions to retrieve and list secrets. That's perfect, that's all we need. We're going to save our changes here. Perfect, so updates have been saved successfully.

Now we're going to go back to our function, and in our function itself we're going to look at our app settings to see if the Azure Key Vault reference has been resolved or not. So we're just going to scroll down, go to Configuration, and if you scroll down to our application setting, which is our environment variable... ah, look at this, now things have changed. After we've assigned a system-assigned managed identity and added a Key Vault access policy, now our Key Vault reference has been resolved. Now the moment of truth: let's see if it worked or not. We're going to scroll up, we're going to go to Functions, let's test it out. We're going to select our HTTP trigger; under "Code + Test" we're going to retrieve our function's public URL, copy it to the clipboard, open a new tab, paste it in. Wow, now this is a random value; as you can see, it's an API key, supposedly. Now let's compare this to our actual secret in our key vault. In our key vault just go to Secrets, let's select our predefined secret, click on it, "Show Secret Value". There we go, look at that: this is exactly what our function app has retrieved. This is perfect.

Moment of truth: what if our secret changes? Now let's just scroll, now just navigate back. We're going to create a new version for our secret: select your secret, create a new version for the secret. This is a new secret value; we're going to create that new version. In this particular version we're going to refresh, and we see that the value hasn't changed. Now why hasn't the value changed? Now this is because each and every secret has a version URI. That means if we want to change this particular value we'll have to change the secret's URI. This prevents legacy applications from being broken when referencing particular secrets or keys. Now let's change this. We're going to show the secret value here; there's the value, hide it. We're going to copy this version of the secret's URI, we're going to go to our trigger as we did before, we're going to go to Configuration under Settings, we're now going to edit our application setting to reference the new secret version. Just going to edit this particular part, paste in the new version's secret URI, confirm and save, continue. Now that it's done updating, we're going to go to our function's URI and just refresh. Wow, the secret's value has been updated to the secret's latest version; this is the latest version of the secret. So that's perfect. Now we know we won't introduce breaking changes if we just update secret versions.

So that's a brief introduction to managed identities, how you can use them to access other Microsoft Azure resources, and how to update Key Vault secrets. Thank you for tuning in. Please remember to subscribe and like. Cheers for now.
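The app setting the video types into Configuration is a Key Vault reference, and the video shows that a reference pinned to one secret version keeps returning that version until the setting is edited. The following added example (not the video's code) parses both documented reference shapes, rejects malformed SecretUri values, and reports which settings are pinned, which track the latest version, and which hold a plain value; the vault, secret and version values are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Added example (not the video's code). Both documented reference shapes:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")


@dataclass
class KeyVaultRef:
    vault: str
    secret: str
    version: Optional[str]  # None: versionless, App Service resolves the latest version


def parse_reference(value: str) -> Optional[KeyVaultRef]:
    """Parsed reference, None for a plain (non-reference) value, ValueError if malformed."""
    m = _REF.match(value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        url = urlparse(body[len("SecretUri="):])
        host = url.hostname or ""
        # Accept only HTTPS URIs under the public Key Vault DNS suffix.
        if url.scheme != "https" or not host.endswith(".vault.azure.net"):
            raise ValueError(f"not a Key Vault secret URI: {value}")
        parts = [p for p in url.path.split("/") if p]  # ["secrets", name, (version)]
        if len(parts) not in (2, 3) or parts[0] != "secrets":
            raise ValueError(f"unexpected secret path: {url.path}")
        return KeyVaultRef(host.split(".")[0], parts[1], parts[2] if len(parts) == 3 else None)
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    if "VaultName" not in fields or "SecretName" not in fields:
        raise ValueError(f"missing VaultName/SecretName: {value}")
    return KeyVaultRef(fields["VaultName"], fields["SecretName"], fields.get("SecretVersion"))


def audit_settings(settings: Dict[str, str]) -> Dict[str, str]:
    """Classify each app setting as 'plain', 'pinned' (one version, as in the video) or 'latest'."""
    report = {}
    for name, value in settings.items():
        ref = parse_reference(value)
        report[name] = "plain" if ref is None else ("pinned" if ref.version else "latest")
    return report


# Constructed sample settings; vault, secret and version values are placeholders.
SAMPLE_SETTINGS = {
    "ApiKeyFn": "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net"
                "/secrets/ApiKey/0123456789abcdef0123456789abcdef)",
    "DbPassword": "@Microsoft.KeyVault(VaultName=kv-example;SecretName=DbPassword)",
    "LegacyToken": "plaintext-token-constructed",
}
```

Settings reported as "plain" hold the secret in the app configuration itself rather than in Key Vault, which is the situation the video's managed-identity setup is meant to avoid.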
Info
Channel: Marvijo Software
Views: 14
Keywords: Azure, Microsoft Azure, Azure App Service, Azure Web App, Azure MySQL, Azure Portal, #MarvijoAzure, Azure Docker, Azure Architecture, Azure Solutions Architect, Azure Certification, Docker in Cloud, Azure Cloud, Azure vs AWS, Azure Costs, Azure VM, Azure VM Auto-Shutdown, Amazon AWS, Amazon EC2, AWS VM, AWS Virtual Machine, Azure Key Vault, Key Vault, Azure Managed Identities, Managed Identity, System Assigned Managed Identity, User Assigned Managed Identity, Amazon VM
Id: eDYfIrUjm-A
Length: 26min 32sec (1592 seconds)
Published: Mon Dec 06 2021