Azure Authentication With Vault

Captions
Hey everyone, thanks for joining my talk. My name is Ned Bellavance and I'm going to be presenting on how to use Vault as your authentication with Azure VMs. So without further ado, let's jump right into it.

I thought, since not everyone attending this talk is a Vault expert, I would briefly go over some of the core concepts within Vault server, just to make sure everyone's on the same level. If you're not familiar with Vault, Vault is a product from HashiCorp and its main purpose is to store and manage the lifecycle of secrets. In the center we've got Vault server, and of course Vault server doesn't live on an island; there are going to be clients that want to communicate with Vault server, and there can be different types of clients. You could have users, you could have some sort of application or service, or you could have workstations or virtual machines that want to gain access to what Vault is storing for its secrets. The way that they interact with Vault server is by accessing it via an API front end, so the only way to talk to Vault server is that API. Now on the back end, like I said, Vault server is storing one or more secrets within its encrypted barrier, and in order to get to those secrets you would want to authenticate your clients in some way. So Vault also has the idea of authentication methods that can be enabled, so you can say "I trust this external identity source to provide authentication for one of these clients." That's going to be key to what we're doing in the demonstration. Once a client has been successfully authenticated, they will be assigned one or more policies, and the policies describe what that client is able to do with things on the Vault server, including secrets: what secrets do they have access to and what can they do with that secret, can they read it, can they update it, can they delete it, etc. The mechanism by which the clients interact with Vault once they've successfully authenticated is by using a token, and so all further communication once they're authenticated includes this token, which defines things like what policies are assigned to that client. The token also has a lifetime associated with it, so the client will eventually have to re-authenticate. And then finally, with all of this highly sensitive information being stored in Vault, you're probably going to want to keep track of what is happening there, and so all requests and responses can be logged to one or more audit devices; there's a whole auditing module as well. So those are some of the core concepts of Vault. I just wanted to get those out of the way very quickly.

Now let's move into what we're doing in our scenario. For our VM scenario, what I have done is set up a few subnets within a virtual network in Azure: we've got a vault subnet, a consul subnet and a webserver subnet. In the vault subnet, you won't be surprised to find out, there is a Vault server, which is also running the Consul agent, and that Consul agent is talking to a Consul server that's sitting in the consul subnet. Consul is serving as the storage back end to Vault. There are a number of different back ends that are supported by Vault for storage; Consul is just one of the simpler ones to set up and configure, and it's supported by HashiCorp rather than the community, so I just went with that out of the box. But you could choose whatever storage back end works for you. I've configured network security groups to allow communication between the two subnets so that Vault can use Consul for storage. On the front end of the vault subnet I've given the Vault server a public IP address and associated a public DNS entry of vault ACS lab dot us, which is a domain I happen to have, and so it kind of worked for this scenario. And then lastly, in the webserver subnet, naturally I've got web servers, and those web servers are going to want to retrieve secrets from the Vault server, so they're going to be sending communication out of the webserver subnet to the public IP address of the Vault server. The Vault server and the web servers don't necessarily have to live in the same tenant or VNet; it was just convenient for the purposes of this demonstration. So that's the basic setup that we have for our scenario.

Now what are we going to be doing within that scenario? Like I said before, we have web servers and they need to retrieve secrets for their application or their boot-up or whatever they need the secrets for; they want to get secrets out of Vault. So we need to set up a few components on the different sides. The green box represents what is going on in Vault and the orange box represents what's going on in Azure. In the green box we're going to have to enable the Azure authentication method, and then in addition to the authentication method we're going to have to define a policy within that authentication method that's assigned to clients that successfully authenticate, and that policy is going to grant them access to a set of secrets, the secrets that the web server wants to get to. On the Azure side of things, we're going to be using Azure Active Directory, a tenant in Azure Active Directory, to provide that trusted authentication that Vault is going to rely on. In order for Vault to verify that an authentication is successful, it's going to have a service principal within that Azure AD tenant that gives it access to validate when a client is saying that it has successfully authenticated. And then, in order for clients, in this case Azure virtual machines, to authenticate properly, they're going to be using what's called the managed security identity, which is basically a service account that the Azure VMs can get when they boot up, and then they can use that service account to access other things in Azure AD or get an authentication token. So let's go ahead and set up the Vault server components and then come back and look at what the workflow looks like for this.

All right, so we're going to do the code portion of this using Visual Studio Code, and I've got pretty much all of the demo instructions in the top pane because I'm a terrible typist and no one wants to watch me fumble around a keyboard. You remember from the previous graphic that one of the first things we need to do is create that service principal within Azure AD, and in order to do that we need to get some information. The first thing that we'd like to do is get information about the subscription that we're going to be creating a service principal for and assigning a role to, so we'll run az account show and that will give us some information about one of the subscriptions I have. We're going to need the ID, so we're going to go ahead and drop that in here to store it later. We're also going to need it here for this command, so I'm going to drop it there too. And we need the tenant ID, which is the ID of the Azure AD instance; we're going to need that information a little bit later as well. So we've got those two. Now the next thing that we're going to be doing is running this big long command, and essentially what it is doing is creating a service principal named vault hugs, and we're giving it the role of contributor, and the scope of that role is the subscription that we just queried against. And there we go, so now it's created that service principal and assigned it that role and returned some information to us. We need the app ID, which is kind of the equivalent of the user name for the service principal, and we also need the password, which is the equivalent of the password. Now in the parlance of Vault it calls these the Azure client ID and Azure client secret, but that's basically the username and password, right? That's pretty straightforward. So now we have all the information we need to assign that service principal to the Vault server.

So let's go over to a separate window. I've got an SSH session already going with the Vault server, and I'm already logged in to the Vault instance, so now we can set some of these values that we just exported from the Azure CLI. I'm going to go ahead and export those two values, and now grab these two and export those as well. All right, so we're all set. Now the next thing we need to do is enable that Azure method, so we are going to run vault auth enable azure, and what that does is enable the Azure authentication method at the path azure. By default, if you don't specify a path, it uses the name of the authentication method. Now that we have it enabled we need to configure it, and the configuration information it needs is: give me the tenant ID, because I need to know which Azure AD instance I'm using, and then give me the service principal information so I can authenticate against that tenant. And since we're using public Azure we're using the resource management.azure.com; if you're using one of the special gov clouds or something, that management URL might be different. So we'll go ahead and run this command, and that has now successfully configured the Azure authentication method. Now remember, those web servers are going to want to get a secret out of the Vault server, so we're going to enable a new secrets engine at the path web kv, of key value type, and then we're going to put a secret in that new secrets engine. The name of the secret is web pass, and within that we're storing password equals hugs for all. Oh, isn't that nice. Now remember, the other component of this is a policy. We want to grant the web servers access to get that secret via a policy, and we're going to be doing that through a file called web pol to define that policy. So let's see what's in that actual file, and if you look down, basically what we're saying is in the path web kv slash star, so anything that's in that path, we want to grant the capabilities of read and list to anything that's assigned this policy. So we're going to go ahead and run this command, which creates the policy and names it web. Now we have our policy, we have our authentication method, now we've got to kind of stitch it all together and say, how do I assign that to one of those web servers? Well, that's where we create a role, and the purpose of that role is to assign a policy. So in the policy setting we're saying web; you could list multiple policies, but we only want one in this case. And then how do we know where to assign that role? The bound subscription ID defines what subscription IDs might get this policy, and so we want to use the subscription ID that we already stored. And then the bound resource group says any resource that is part of this resource group in this subscription, I want to grant this policy to, and our web servers are going to be part of that resource group. So let's go ahead and run all of this mess. There we go, we've successfully created our role. So as far as the Vault server is concerned, all that work is now done.

Now we can flip over to another SSH session that I have with the web server, and why don't I kick off the apt update and install. We're going to install nginx and jq on here. I'm going to go ahead and kick those two off, and then we can step through what the workflow is going to be for it to authenticate and retrieve that secret. So I'll just kick that off and go back.

Okay, so what does the workflow look like for this? Well, the web servers are going to talk to Azure AD and say, hey man, I need a token, I need to authenticate to something else, so give me a token. And Azure AD is going to see that it's a part of a managed security identity and say, sure, you got it man, here's your token, with your authentication access token included in the response, you can go ahead and use that, have a great day. The web server says awesome, and then it takes that token, does some transformation with it, and then sends a new request to the Azure authentication method on the Vault server with a JSON payload containing that token as well as some additional information. The Azure authentication method checks back with Azure AD and says, yep, you're all good, you're in the subscription ID, you are in this resource group, I'm going to give you this policy, and it gives it the web policy along with a Vault token. That policy and token grant it access to go and grab that web kv web pass secret that we stored earlier. So that's the overall workflow of what we're going to see with some of the commands.

All right, good, so the install has completed, thank goodness. The next thing I just want to do is open that firewall port for nginx so we can see something on port 80. Cool, that's done. And then I want to export the value of the Vault server, just because it's easier than typing it out. So now we want to get some information from the metadata service that exists for Azure VMs. The metadata service is hosted at a special address, and it allows Azure VMs to get information about themselves from Azure. So by running this curl command at the special address we're pulling some information down, and if we run echo metadata and pipe that through jq, just to make it a little easier to read, you'll see there's a bunch of information about this VM in here that it collected about itself. So it knows what the resource group name is, the subscription ID and its virtual machine name. We're going to need all of that information to go talk to Vault, especially the resource group name and the subscription ID; remember, that's how it determines what role to give us. So we're going to extract those three values out of that metadata response. Let's go ahead and do that. All right, so we've extracted those values. Now we need to get that access token from Azure AD, and again we're using the special metadata service and address, but the path is a little bit different; now we're hitting identity/oauth2/token and requesting a token from Azure AD. So let's go ahead and run that, and if we look at what is in the response and pipe that through jq as well, it gives us this really long string, which is the access token. That's the information we need; that's the thing that the Azure authentication method on Vault is going to want. So we're going to extract just that value from the response and put it in a temporary variable named JWT.

Now I have a file on here called auth payload JSON, and that is the authentication payload. If we take a look at what's in there, I've got placeholders for all of these values, so I'm going to make a copy of that file and then run these sed commands to substitute the correct value for the placeholders that are in that file. So go ahead and do that. In a real-life scenario you might have that auth payload JSON as part of your web server image, and then just copy it like I just did and place the proper values in there without overwriting the original file. Now we have our payload all set and we're ready to talk to the Vault server to log in. So we're going to do a POST request against the Vault server and pass it this completed JSON payload to the path auth/azure/login, and when we do that, if I've set everything up correctly, I should get a login token back. So let's just see what's in there, and sure enough, I got a role of web role, I got the policy of web, and I got a client token to do further access against the Vault server. So now I want to extract that client token and place it in a variable of vault token, so I can use that for future requests to the Vault server. And last but not least, let's try to get that password that was stored in there. So I am going to issue a new request against the Vault server using my newly minted Vault token, and I'm going to be requesting the information that's stored at web kv web pass and parse that through jq, just to extract the password value that's within there. And if we do an echo of web pass, now we can see we got the password, we got what we wanted: it's hugs for all. And then if we were, you know, setting up a web server, we might take that value and put it on a web page for some reason. We can go ahead and do that, and if we copy that newly minted file to here and restart nginx, that should now be the web page on our web-0 server. Let's jump over to the Azure portal. This is our web-0 virtual machine; I'm going to go ahead and grab the public IP address for that, and let's go to http IP address, and there we go: the secret passphrase is hugs for all.

So just to recap, we were able to authenticate an Azure VM to Vault using the managed security identity and then retrieve a secret. What we did was fairly trivial in terms of what we were retrieving, but you can imagine the different use cases that would apply for using this type of setup. So that's it, that's my talk. Thanks everyone. Again, I'm Ned Bellavance. If you want to know anything more about me, you can find me on Twitter @ned1313. I'm an author on Pluralsight; I have a course about Vault coming out pretty much any day now. I also blog at nedinthecloud.com, and I've got a podcast called Buffer Overflow that you can find in the iTunes Store. Thanks again, and enjoy the rest of HashiTalks.
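The client-side workflow the talk walks through (query the instance metadata service, request an MSI access token, POST it to Vault's Azure auth login endpoint, then read the KV secret with the returned client token) written out as an added Python example. This is not code from the talk or from HashiCorp; the demo used curl, sed and jq. The Vault address, the role name webrole, the KV path webkv/webpass, the resource group names and every response from make_fake_transport are assumptions or constructed data so that the block runs offline; on a real Azure VM you would replace the fake transport with an HTTP client that performs the same calls. Two checks the demo did not show are included: the client refuses to send a token whose audience is not management.azure.com, and a login attempt from a VM outside the bound resource group is reported as a 403 rather than silently producing an empty token.

```python
import base64
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Added example, not code from the talk. Names marked "assumed" are placeholders.
IMDS = "http://169.254.169.254/metadata"
VAULT_ADDR = "https://vault.example.test:8200"  # assumed; the talk used its own DNS name
ROLE, KV_PATH = "webrole", "webkv/webpass"       # assumed to match the role and secret in the talk

# A transport is (method, url, headers, json_body) -> (http_status, decoded_json).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def imds_get(t: Transport, path: str, query: str) -> dict:
    # IMDS rejects requests that lack "Metadata: true"; it is what stops a plain
    # SSRF-style GET from a web app on the box from reaching the token endpoint.
    status, body = t("GET", f"{IMDS}/{path}?{query}", {"Metadata": "true"}, None)
    if status != 200:
        raise RuntimeError(f"IMDS {path}: HTTP {status}")
    return body


def instance_identity(t: Transport) -> dict:
    # The three values Vault's azure role is bound against (plus the VM name).
    c = imds_get(t, "instance", "api-version=2017-08-01")["compute"]
    return {"subscription_id": c["subscriptionId"],
            "resource_group_name": c["resourceGroupName"],
            "vm_name": c["name"]}


def msi_token(t: Transport, resource: str = "https://management.azure.com/") -> str:
    body = imds_get(t, "identity/oauth2/token",
                    f"api-version=2018-02-01&resource={resource}")
    return body["access_token"]


def jwt_claims(token: str) -> dict:
    # Decode (no signature check) only to sanity-check the audience before the
    # token leaves the VM; Vault does the real validation against Azure AD.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def vault_azure_login(t: Transport, vault_addr: str, role: str) -> Tuple[str, list]:
    ident = instance_identity(t)
    jwt = msi_token(t)
    if jwt_claims(jwt).get("aud") != "https://management.azure.com/":
        raise ValueError("token was not issued for management.azure.com")
    payload = {"role": role, "jwt": jwt, **ident}   # same fields as the demo's auth payload
    status, body = t("POST", f"{vault_addr}/v1/auth/azure/login", {}, payload)
    if status != 200:
        raise PermissionError(f"vault login: HTTP {status} {body.get('errors')}")
    return body["auth"]["client_token"], body["auth"]["policies"]


def read_kv(t: Transport, vault_addr: str, token: str, path: str) -> dict:
    status, body = t("GET", f"{vault_addr}/v1/{path}", {"X-Vault-Token": token}, None)
    if status != 200:
        raise PermissionError(f"read {path}: HTTP {status}")
    return body["data"]


def _b64(d: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")


def make_fake_transport(vm_rg: str, bound_rg: str = "web-rg") -> Transport:
    # Constructed stand-in for IMDS and Vault; real responses carry many more fields.
    fake_jwt = ".".join([_b64({"alg": "none"}),
                         _b64({"aud": "https://management.azure.com/", "sub": "msi-0"}),
                         "sig"])

    def t(method, url, headers, body):
        u = urlparse(url)
        if u.netloc == "169.254.169.254":
            if headers.get("Metadata") != "true":
                return 400, {"error": "Metadata header missing"}
            if u.path == "/metadata/instance":
                return 200, {"compute": {"subscriptionId": "sub-0000",
                                         "resourceGroupName": vm_rg, "name": "web-0"}}
            if u.path == "/metadata/identity/oauth2/token":
                return 200, {"access_token": fake_jwt, "token_type": "Bearer"}
            return 404, {}
        if u.path == "/v1/auth/azure/login" and method == "POST":
            ok = (body.get("role") == ROLE and body.get("jwt") == fake_jwt
                  and body.get("subscription_id") == "sub-0000"
                  and body.get("resource_group_name") == bound_rg)
            if not ok:
                return 403, {"errors": ["permission denied"]}
            return 200, {"auth": {"client_token": "s.fake0001",
                                  "policies": ["default", "web"], "metadata": {"role": ROLE}}}
        if u.path == f"/v1/{KV_PATH}":
            if headers.get("X-Vault-Token") != "s.fake0001":
                return 403, {"errors": ["permission denied"]}
            return 200, {"data": {"password": "hugs for all"}}
        return 404, {"errors": []}
    return t


def fetch_web_password(vm_rg: str = "web-rg") -> str:
    t = make_fake_transport(vm_rg)
    token, _policies = vault_azure_login(t, VAULT_ADDR, ROLE)
    return read_kv(t, VAULT_ADDR, token, KV_PATH)["password"]


def login_allowed(vm_rg: str) -> bool:
    try:
        vault_azure_login(make_fake_transport(vm_rg), VAULT_ADDR, ROLE)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(fetch_web_password())
```

The bound_resource_group check in make_fake_transport mirrors what the role created in the talk does on the server: a VM in the same subscription but a different resource group presents a perfectly valid Azure AD token and still gets permission denied. Treat the MSI access token like a credential in the client (do not log it, keep it out of shell history) even though it is short-lived; anyone who can read it can log in to Vault as that VM until it expires.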
Info
Channel: HashiCorp
Views: 4,625
Rating: 4.8064518 out of 5
Keywords: HashiCorp, HashiTalks, Vault, HashiCorp Vault, Azure
Id: aM5gmMSTmJc
Length: 19min 52sec (1192 seconds)
Published: Thu Feb 21 2019