Azure Key Vault & Managed Identities: A Beginner's Guide to Secure Credential Management

Captions
Hello guys, welcome back to our channel. My name is Balam Prasad and I'm working with Microsoft as a senior software engineer. In today's demo we are going to see how we can secure our credentials using Key Vault and managed identity.

So let's talk about what portable credentials in Azure are. Portable credentials in Azure are like a special key, connection string or some secret provided to connect to a service so that we can use that service in our programs. A portable credential is one of the ways to interact with that service, to connect to that service. They are very handy, but we need to keep them safe, because if other people get that key or secret then they can access that service. You might have a database where you are storing some consumer-related things, maybe also payment-related things; if somebody gets that key or connection string and tries to access it, they can access all of those things, right? So we need to think about how we can secure this, how we can keep them safe. Is there any other way to access that service without a key? That would be a perfect solution, right?

So let's go into the Azure portal and try to see some examples. Right now we are in the Azure portal, and we are going to see how this key looks. I have this Cosmos DB where we can go to the Keys section, and we can see there are different types of keys: read-write keys and read-only keys, and there are primary keys, secondary keys and connection strings based on them. So there are mostly two keys provided always, so that if you want to rotate one, as a good practice you use the secondary, rotate the primary, change that one and then rotate the secondary. That's how we generally do it. And if you only need read-only, then just use the read-only one. If you go to another service such as Storage, storage also has a Keys section where we can get the key, and you can also set a rotation reminder for it so that we don't forget to rotate. We have a similar thing for App Configuration, where an access key is provided.

These keys are the portable credentials, which sometimes pose a security risk. They are very handy, but they carry additional risk as well: if somebody gets them, they can access our data or services. So we need to secure this place. In that example, if somebody gets one key, they can go and look for another key: they can connect with that key, try to find a different key, get that other key, and if they are able to get it then they can escalate their privileges, connect and get all the data. That's how portable credentials are risky. So we need to find a way to secure them, and if we have any chance not to use this key at all, by directly going with something else where we do not have to put any key into our code or anything, that would be a good solution.

So first we are going to see how Azure Key Vault comes into play, and then we will see managed identity as well. Azure Key Vault is a service provided by Azure so that we can keep these secrets safe. We can write some code where we connect to that Key Vault, get the credential and use it, so that we do not have to store it in our code. But the same thing applies: rotation. You have to do rotation, and we have to make sure how we are accessing Key Vault properly as well, who has access to the key and other things. So generally the typical way was that we used to connect with the help of a service principal. We used to create a service principal, and then using a certificate is one of the ways; our service principal provides a key, but if you get the service principal key and put it into the code itself or the config itself, then it's the same problem: you have to maintain that key which will be used to connect to Key Vault, or else you have to secure the certificate which will be used to connect to Key Vault. Then that is the chicken-and-egg problem: for securing all the secrets you need to secure at least one. And that problem is solved using managed identity.

With managed identity we do not have to manage any secret; the managed identity's secrets and other things are managed by Azure itself. That makes our life very easy, because now we do not have to store any key inside our code or configuration, and if any service is providing that managed-identity connectivity then we do not have to use any portable credential and put it into Key Vault either; we can directly connect with that service itself.

So what are the different benefits of managed identity? As I talked about, it has many benefits. It simplifies managing credentials, because now we do not have to manage any credential. If we are directly integrating with that service, like in the case of Azure Storage, then we do not have to rotate any key because there is no key at all that we are using. We can disable that portable credential, the secret itself, and use managed identity, so we do not have to go via Key Vault either, and that makes our life very easy.

So for this demo I have created a REST-based API project where I'm going to connect to the storage and get the blob names. I have created a storage account too, and this is the storage which I'm going to use. If we go to the browser and go to Containers, we can see a couple of files which I have put there for listing purposes. Then we have the access keys; I have taken the connection string from this point and used it inside our code, and I have added that connection string into our appsettings file. This is the very old way of connecting to any service, where we put the connection string, key and other secrets into the settings file, and this poses a risk, because if we commit this into our repo and other places, this key will be shared with a lot of people. People who have access to the repo will be able to see it, and they can take it and do whatever they want. So this is not good practice; we should not use this way, and that's why I'm starting with the very basic approach. Then I will slowly move to Key Vault and how to connect to Key Vault, and then I will move directly to using MI to connect to these blobs. So that is the plan.

So let's go ahead and run this one. Right now if I go and try to run this, this is the API which I will run. Now I'm getting the connection string from my configuration, and if I run this it will return whatever blob names are there. So let's see: these are the blob names, two blobs are there. So this is one way of doing it, and this is a very old way of doing things, but it is not the secure way. So we have to make it secure. Next I will move this connection string into Key Vault and see how we can connect to Key Vault and get it, and then I will update that Key Vault code as well to connect with the managed identity.

Now I have created this Key Vault and added one secret where I have put the connection string. Now I am going to create a service principal, which was the second version I wanted to show: how to connect with a service principal. So let's go and create a service principal in Azure Active Directory, which is now called Entra ID. I will go to App registrations and create a new registration, where I will say "MI demo", and then I will register it. I will give this MI demo access to my Key Vault, and let me add it as a Key Vault Secrets User; if I add this one, this SPN will have access to my Key Vault. Now I will use this Key Vault and this SPN to connect from my code. For using this application ID we need to create a certificate or upload a certificate here, or we have to use a client secret, and this certificate or client secret should be there on the client machine from where that code is running. So for now I'm going to create a client secret. Let me take it and put it inside this one so that I can use it, and I need a client ID as well to connect. So let me add it into the code.

Now if you go into our appsettings, I have added settings like client ID, client secret and tenant ID. To figure out our tenant ID, we can go to Properties and see the object ID and other things, and we can get more details from Entra ID, where the ID is. And if you go to App registrations one more time, and go to All applications, there is the MI demo we created, and we have created the secret whose name starts with "JM". So I have put all these details, I have created a ClientSecretCredential using all of this and connected with Key Vault to get that connection string, and after that I'm connecting. So this is one way of doing things. Let's start and see whether that works or not. Now it is going to connect first with our secret, and this is our Key Vault; if you see this one, it is connecting right now, it is going to get the secret, and you can see it is able to get the connection string from that Key Vault and we are able to run this program. So this is one way of doing things, where we are putting the connection string into Key Vault. The problem is that we have to maintain one secret inside our app config, and that is also not good. So we have to remove that one.

Now, we can also use this service principal to connect to the storage. If, instead of adding it to the Key Vault, I add this SPN to the storage, then I can access the storage via the SPN as well. So if I go to that storage and give this guy the reader role, and add my MI demo SPN there, I can use that SPN directly; I do not need any connection string at all. Let me go ahead and show that to you. This is the URL, this is our storage, and I'm creating a BlobServiceClient using the same thing, and then I'm going to use client.GetBlobContainerClient and pass the container name, which is here, and using this SPN I can directly connect without going to Key Vault at all. So let's see whether that works or not. It takes some time to propagate, so let's wait for some time; I just added it. It is giving "authorization permission mismatch", so let's wait. I can go and see one more time: I have given Storage Blob Data Reader on this resource; let me go to the container and see if the container has the same thing. It is here also, so I hope this should work now. Let me start one more time; this time it is working. It takes some time for propagation. So this is coming through. This is also one way of connecting, but the problem is still the same: we have a key to maintain here and rotate.

So let me now go away from this client secret and use managed identity. When we are going to use managed identity while developing the application, make sure that we are logged in with the proper credentials. Right now I have two accounts logged in here, and by default this one is going to be used. We can see that configuration by going inside Tools and Options as well, where we can choose the account for Azure service authentication. For using managed identity we need to go inside Key Vault and any other resources and give proper access; right now, because we are using my account in Visual Studio, I need to give that account access. So I will give that account the Key Vault Secrets User role and select my user, which is going to be used from there. Now this user will have access there. In the same way, if we deploy this application to any Azure service like App Service or a Function App, then we have to enable the identity and give access to that identity. So this is what the code looks like; let me see whether I'm able to connect using DefaultAzureCredential or not. In this case we will not have to manage anything, any application secret inside our code, and it will be secure. So let's go and see: now the result is coming.

But if that storage service itself is providing connectivity using managed identity and other things, then why should we use Key Vault and a secret at all? That is the main purpose as well: if any service is not supporting it, then we can go ahead and use this way, but if a service is supporting it, let me check whether I have the role or not. I do have the role of Storage Blob Data Reader, and we can go and add it if we don't have it. For all the resources there are different types of roles: we have seen that Key Vault has Secrets User, Secrets Officer, Key Reader and others; for storage there are Storage Blob Data Reader, storage data reader and logically different tiers. So there are different roles for different resources.

So let's see in our Visual Studio how all this code works. Let me first remove this client ID and secret, because anyway we are moving to the default credential and other things, so it is not required at all. I will remove everything; we do not need anything in the code. I will go ahead and remove all this because now I do not need to connect with Key Vault either. I can go ahead and try to connect directly using DefaultAzureCredential with the BlobServiceClient itself. So this code should work; let's give it a minute and then I will try it. Yeah, it is generating and giving the names. So now, if you are using DefaultAzureCredential, then whatever login you have done inside Visual Studio will be used, or if you are deploying this kind of application, suppose you have a Function App and you deploy it inside the Function App, then you have to go and enable the identity and add this guy to your resources, or if you have any App Service, let's go and try to find some App Services. Most of the resources support this. If we look at any API as well, the identity is enabled, and you can have system-assigned and also user-assigned, but system-assigned is good enough, so that it will be secure and only go from this system. This is how we can connect: once you deploy this, DefaultAzureCredential will go with this identity and it will connect to the resources. And once we are done, if we are not using any access key, it is better to go ahead and disable it. For that purpose you can go to the configuration of that kind of resource (it may be in different places) and disable it, so that whatever key is there will not be used and will no longer work. That's how we make resources more secure, and without a key we can connect using AD and a token, which works in a limited way, and also managed identity.

So, in conclusion of this demo: if we have any secret which we need to use, and that service is not providing any connectivity using managed identity, then we can use Azure Key Vault, put the secret into it, and connect to that Azure Key Vault with managed identity so that we do not have to use a secret for that; Azure Key Vault provides managed identity connections. And if that service is providing direct connectivity using managed identity, in that case you do not have to put that key into your Key Vault and rotate it, set a rotation policy and maintain it. So this is what I wanted to cover in this video. I hope you like this video. Thank you.
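The three stages the demo walks through (connection string in appsettings, connection string fetched from Key Vault with a service principal client secret, and DefaultAzureCredential straight to Blob Storage) as one added C# example. This is not the video's project code; it assumes the Azure.Identity, Azure.Security.KeyVault.Secrets and Azure.Storage.Blobs NuGet packages, and every vault URI, storage URI, container name, secret name and tenant/client value is a placeholder.

```csharp
// Added example, not the video's project code. Lists blob names three ways:
//   1. connection string from appsettings (the insecure "before")
//   2. connection string read from Key Vault via a service principal client secret
//   3. DefaultAzureCredential directly against Blob Storage, no secret in the app
// Assumed packages: Azure.Identity, Azure.Security.KeyVault.Secrets, Azure.Storage.Blobs.
// All URIs and names below are placeholders.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Storage.Blobs;

public static class BlobListingDemo
{
    // Stage 1: the connection string embeds the account key, so anyone with the
    // repo or the config file holds a portable credential for the whole account.
    public static Task<List<string>> ListWithConnectionStringAsync(string connectionString, string containerName)
        => ListBlobNamesAsync(new BlobServiceClient(connectionString), containerName);

    // Stage 2: the connection string lives in Key Vault and the app authenticates to
    // the vault as a service principal (needs the "Key Vault Secrets User" role).
    // The chicken-and-egg problem from the video remains: clientSecret itself still
    // has to be stored somewhere and rotated.
    public static async Task<List<string>> ListViaKeyVaultAsync(
        Uri vaultUri, string secretName, string tenantId, string clientId, string clientSecret, string containerName)
    {
        TokenCredential spn = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var secrets = new SecretClient(vaultUri, spn);
        KeyVaultSecret secret = await secrets.GetSecretAsync(secretName);
        return await ListBlobNamesAsync(new BlobServiceClient(secret.Value), containerName);
    }

    // Stage 3: no portable credential at all. DefaultAzureCredential uses the Visual
    // Studio / Azure CLI sign-in on a dev box and the managed identity in App Service
    // or Functions. The identity needs "Storage Blob Data Reader" on the account/container.
    public static Task<List<string>> ListWithManagedIdentityAsync(Uri blobServiceUri, string containerName)
        => ListBlobNamesAsync(new BlobServiceClient(blobServiceUri, new DefaultAzureCredential()), containerName);

    private static async Task<List<string>> ListBlobNamesAsync(BlobServiceClient service, string containerName)
    {
        var names = new List<string>();
        var container = service.GetBlobContainerClient(containerName);
        try
        {
            await foreach (var item in container.GetBlobsAsync())
                names.Add(item.Name);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // "AuthorizationPermissionMismatch": authentication succeeded but the identity
            // has no data-plane role yet (or the role assignment has not propagated).
            throw new InvalidOperationException(
                $"Blob data role missing or not yet propagated for '{containerName}': {ex.ErrorCode}", ex);
        }
        return names;
    }

    // Minimal driver; replace the placeholders before running.
    public static async Task Main()
    {
        var names = await ListWithManagedIdentityAsync(
            new Uri("https://<storage-account>.blob.core.windows.net"), "<container>");
        foreach (var name in names)
            Console.WriteLine(name);
    }
}
```

The 403 handler matches the "authorization permission mismatch" the demo hits right after assigning the role: the token was accepted, but Storage Blob Data Reader had not propagated yet, so retrying after a short wait is the fix rather than falling back to a key. Once stage 3 works, the final step the video describes (turning the account key off so that it can no longer be used) is the storage account's "Allow storage account key access" setting, which the Azure CLI exposes as `az storage account update --allow-shared-key-access false`.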
Info
Channel: SoftWiz Circle
Views: 203
Keywords: ManagedIdentity, AzureKeyVault, CloudSecurity, AzureStorage, CredentialManagement, SoftwareEngineering, azure key vault c#, azure key vault step by step, azure key vault managed identity, azure key vault secrets, azure storage account, azure storage, cloud security fundamentals, microsoft azure tutorial, managed identity, azure key vault, managed identity azure, key vault azure tutorial, key vault managed identity, azure key vault demo, key vault c#, azure key vault rbac
Id: znFEdszflsE
Length: 19min 1sec (1141 seconds)
Published: Mon Jan 08 2024