Azure Key Vault Tutorial | Secure secrets, keys and certificates easily

Captions
If you're building applications and need to manage application secrets, or maybe you're managing infrastructure and need to keep those encryption keys secret, I just got the right service for you. This is Adam, and welcome to the introduction to the Azure Key Vault service.

OK, so let's talk about Key Vault. Key Vault has two main purposes: one is centralization and the second is protection, protection of your application secrets, encryption keys for your infrastructure and disk management, certificates, but it also has advanced features like HSM protection of your secrets if you need something more advanced. So the common case for using Key Vault is, for instance, web applications. Normally within a web application, when you're connecting to a database you're storing connection strings, and you usually use app settings for that. What you can do using Key Vault is move those connection strings into the Key Vault so that your secrets are protected but also not visible in the portal. It's a great use from the operational perspective as well. Once the connection strings are secured in a Key Vault, you can reference them from the web application using something called a Key Vault reference: you simply use this magic string in application settings and it will automatically pull the value from the Key Vault, granted that there's access given for the web application. Although this way of referencing has a couple of disadvantages. First of all, this doesn't work on Linux App Service, so it's not very good this way. Also, you will see that key in the portal; from the operational perspective that is also unacceptable. And third, this reference requires you to specify a secret version, so if you're rolling keys you will need to replace that manually. So it's not the best way. A better way is to reference this through code; it only takes five lines of code in .NET Core to use a managed identity, connect to Key Vault and grab this key yourself, so it's pretty flexible.

The other common scenarios are centralizing secrets: if you have multiple services that need to use the same connection string, you can actually use Key Vault to centralize the setting, so when your operational people replace this connection string, all the referencing services will get the updated version. And lastly, one of the most common use cases for infrastructure management is disk encryption: using simply CLI, PowerShell or maybe an ARM template, you can encrypt your disks using Key Vault and store that encryption key in the Key Vault service itself.

There are a couple of additional features that Key Vault includes. For instance, a firewall, so you can get this advanced authorization: access from specific networks in Azure or specific IPs. You also have auditing, so you can verify and see in the logs who was accessing your Key Vault secrets and when. With Azure Active Directory integration you can actually very nicely manage access to Key Vault through Active Directory accounts or applications. You also have replication, so you're making sure that your content is always replicated and you're never gonna lose it. And lastly there's also dynamic scaling, so whatever your usage is, Key Vault will handle it and will serve you very nicely. And you can access Key Vault in multiple ways. One of the most powerful is the REST API, allowing you to connect from pretty much any application out there, but you also have out-of-the-box SDKs for Java and .NET, some modules for Node.js, libraries for Python, and always you are there with CLI and PowerShell so you can script and automate your Key Vault access.

So I have three demos for you today. First of all I will show you how to create and manage your Key Vault. Then I will do two applications: first of all I'm gonna make a client application, Logic Apps, which will connect to Key Vault and grab a secret, and also I will use a Data Factory which will store secrets in Key Vault and consume them for ETL purposes. So let's go into the portal.

In the portal, click on the plus, search for Key Vault, hit enter, pick the Key Vault service, hit create. Of course you need to provide a resource group name, you need to provide the name, a4e key vault; this has to be globally unique because this is gonna be your address for the Key Vault service. You need to provide the region, for me that's gonna be North Europe, and a pricing tier. Of course the only difference in the pricing is for Premium, where you also get HSM for your advanced secrets management; nothing we're going to need, so we take Standard today. I'm gonna hit review and create, validation passed, and hit create, so I'm gonna wait here for a minute. After about 30 seconds the Key Vault has been provisioned, so I can hit go to the resource and show you how it looks. So first of all this is your DNS name; this is the public URL for your Key Vault service, and this is especially important if you're using the REST API. You have the pricing information here, directory, some total requests. The most important things are always on the left hand side: you have your keys, secrets and certificates, the three most important things that you actually use the Key Vault for. But additionally you have access policies; this is where you manage access to your Key Vault, and as you see, out of the box I got, as a user, access to Key Vault with all the privileges to manage keys, secrets and certificates for my Key Vault. So remember that this is a very important section, because out of the box, even though you are an owner of the Key Vault, you also need to have access to the data within the Key Vault, to the keys, secrets and certificates specifically. So if you're starting with Key Vault, remember to grant yourself access here so you can actually manage the keys yourself. If you need to add anything new, just hit add access policy here and give access to an application or maybe additional users. Of course you also have firewalls here, which we were talking about: if you want to narrow down the access to the Key Vault to specific virtual networks or IPs, you can do it from here.

So what would be the demos that we'll work on today? I actually have two things in my resource group: I have a Logic App and a Data Factory. I'll start from the Logic App. So for the Logic App, if you go there, let's start from something simple, let's start from an HTTP request, just a normal execution step. Let's add a new step and search for Key Vault. There's the Azure Key Vault step which allows you to get a secret. Before we proceed here and log in to Key Vault, on the second tab I will actually open that Key Vault again: go to the resource group, go to the Key Vault, go to secrets, and I will actually create one of the secrets. So this time I'm uploading manual, I'm gonna give it a name, I'm gonna call it my secret, and the value will be 1 2 3, and everything else as default. One of the cool features: you can actually set an activation date and expiration date for your secrets if you want to do some advanced rolling security options, so that this key will expire at some point, and you can always disable and enable this key to be active or inactive. So I'm gonna hit create; now I have my secret. What I need to do right now is go back to the Logic App. We need to provide the name of the vault; this is just to copy the name from the portal. So let's provide it, hit sign in, and once that pop-up shows up just hit continue. Once you're logged in, it will create a connection to that Key Vault, and if you have permissions you should see your secret in the drop-down. You can actually save this and hit run. So let's see the output: within a couple of seconds you will see that we get the value of our secret in the Logic App. So we successfully checked the trigger and we see that we pulled the secret with value 1 2 3. As you can imagine, this is not the best scenario, but it shows the principle of logging in using my personal account, using Logic Apps, into Key Vault and pulling in the secret. In the case of Logic Apps I always advise you to go to settings and select secure output so that the secret is not visible in the logs.

A second way you can actually work with Logic Apps, let me actually close this and delete this, so the second way you can actually pull the secret is using managed identity. So I'm gonna save this and show you how to do that, because right now it is using my own account, but of course it should either use a service principal, or you can use managed identity to do so. You go back to the Logic App, go to identity, select on, and enable managed identity for the Logic App. Once this is done, you will go back to your Key Vault and you need to grant access for this managed identity to your Key Vault service. So you go back to Key Vault, you go to access policies, and of course in the previous scenario I didn't have to do it because I was using my own account and I have access to this Key Vault, but now I will be using managed identity, which is different from my own personal account, therefore I need to grant it access to the Key Vault service. So you add an access policy; the only thing you will need here is actually, from the secrets, you need get, and list if you need it, and then you need to select a service principal. This can be a user or application; in the case of managed identity it is an application, so you need to select it from the principal panel: you need to type demo, and this is demo1, the Logic App. Select it, hit add, and a very important thing that most people forget here is to hit save. Remember to hit save, or your settings will be lost on closing this window. So go back to the Logic App designer, and right now you can actually use maybe HTTP requests. I'm gonna show you how to connect through the REST API, so I use the HTTP step. This will be a GET request. You need the URI; to get the URI just go to your secrets, click on your secret, click on the current version and grab the secret identifier. This is the URI; at the end, this is the secret version, since each secret can have multiple versions, but the cool thing is that if you don't specify it, it will pull the latest value. One important thing here is that you need to add an API version in order to be able to call it through the REST API. Once you do it, the only thing you need now is to select authentication: how you're gonna call this API. I will actually authenticate through the managed identity which I just created and gave access. Now just set an audience, and audience is a very important thing: you need to set it to vault.azure.net. That means when this is executed, the managed identity will go to Azure Active Directory, get a token for this service, for this audience which is vault.azure.net, and using this token will send a request to this secret, to this Key Vault, a4e key vault, to the secret endpoint and grab my secret value. So let's see if that works: let's hit save and hit run, then hide this and see the execution of our Logic App. Right now we successfully checked the trigger and it finished correctly; we got a response of 200 and the value was 1 2 3. That was very easy, wasn't it?

Right now I have shown you how to use the RESTful endpoint and also how to use the out-of-the-box connector using Logic Apps, but also a very common case for using Key Vault and secrets is using Data Factory. Data Factory is your ETL tool that allows you to connect from multiple services, and when saving connections to those services, you can actually use Key Vault for that. So let's go to our resource group, open Data Factory, hit Author & Monitor, and open the Data Factory window. In here go to the author tab and go to connections. First of all you need to create a connection to your Key Vault: hit new, find Key Vault on this list, hit continue, call it my key vault, select it from the subscription, and of course don't forget to test the connection. If everything is fine you should see a connection successful message; hit create. Once you have the Key Vault linked service, which means your Data Factory can connect to your Key Vault, just remember a very important thing: right now it can't connect there, you need to give it access. So go back to your Key Vault, click on it, go to access policies and grant access to the Data Factory. So again add access policy; you need the secret permissions get and list. In this particular case you could just select get, but list is also nice for some features. So select principal, type demo, in this case this is the demo2 Data Factory, select add, and always remember the save button. Right now your Data Factory has access to read secrets from the Key Vault. So since we have a linked service defined, this is how your Data Factory knows which Key Vault to use, and we have given access to the Data Factory to use the Key Vault service. Let's do a quick demo test. In my resource group I have a storage account, so I will go here to access keys and copy a connection string. Since I have a connection string copied, I will go to my secrets, generate or import, I'll call it storage and paste the value of the connection string into the secret. You can always click on storage, check the current version, you can even display the secret value, so as you see this is our connection string to the storage account. Now in the Data Factory you can actually hit new, click on Azure Blob Storage, and here select Azure Key Vault instead of connection string. When you do it, just select your linked service to your Key Vault, give a secret name, ours was called storage, and if this works, if your Key Vault is actually granting access to this Data Factory, you can actually hit test connection, and if everything works the connection is successful. So you just hit create, and right now your Data Factory will be connecting to this blob storage using Key Vault and the latest version of the secret. This is super amazing in terms of operations, so let's do a very quick demo here. Let's go back to storage and regenerate the key. This should successfully drop the key we currently have and replace it with a new key, including a new connection string. So if you go back to Data Factory and test the connection, it will now fail, because the Key Vault currently holds the old value. So if you copy the new connection string, go back to the Key Vault, go back to storage, hit new version, give it the new value and save it, now if you go back and test the connection you will see that the connection is successful. This is how you can manage your keys centrally.

So let's close off with a couple of things. First of all, in the Key Vault itself, let's go back to Key Vault, actually maybe use this tab, go back to Key Vault: remember that each secret has a version, and you can retrieve that version by specifying this version ID in the URL. If you don't specify it, you will always get the latest, but of course you can always check the version history for each key in a Key Vault. Those are the most common cases for Key Vault. In the next episodes I'll also show you how to encrypt drives using Key Vault, but for today these are the most common cases of using Key Vault for application secrets. There are many more scenarios that you can use Key Vault for, but today I just want to leave you with one important thing to remember: if you're managing secrets, certificates or encryption keys, Key Vault is the right service for you, and the more secure you want to be, the more reasons to use the Key Vault service. To be honest, I use it in pretty much any application that I do. If you liked this video hit thumbs up, leave a comment, and subscribe if you want to see more, and see you next time.
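The REST exchange the video walks through in the Logic App HTTP step (a managed-identity token issued for the audience vault.azure.net, then a GET on the secret identifier with an api-version, where omitting the version returns the latest value), written out as an added Python example that is not from the video. It assumes the Azure VM IMDS token endpoint as the identity source (Logic Apps does that step for you), data-plane api-version 7.0, and the vault name, secret name, version id and offline fake transport are constructed sample values.

```python
import json
import urllib.parse
import urllib.request

KV_AUDIENCE = "https://vault.azure.net"  # the token audience the video insists on
KV_API_VERSION = "7.0"  # Key Vault data-plane REST version (an assumed choice)
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"  # VM managed identity endpoint (assumed)

def http_get_json(url, headers):
    """Default transport: a plain GET that returns the parsed JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def secret_url(vault_name, secret_name, version=None):
    """Secret URI as shown by the portal's 'secret identifier'; no version means latest."""
    path = f"/secrets/{secret_name}" + (f"/{version}" if version else "")
    return f"https://{vault_name}.vault.azure.net{path}?api-version={KV_API_VERSION}"

def managed_identity_token(http=http_get_json):
    """Step 1: ask the managed identity endpoint for a token issued for Key Vault."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": KV_AUDIENCE})
    body = http(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    if body.get("resource", KV_AUDIENCE) != KV_AUDIENCE:
        raise ValueError("token issued for the wrong audience: " + body["resource"])
    return body["access_token"]

def get_secret(vault_name, secret_name, version=None, http=http_get_json):
    """Step 2: GET the secret with the bearer token; returns (value, id of the version served)."""
    token = managed_identity_token(http)
    body = http(secret_url(vault_name, secret_name, version), {"Authorization": f"Bearer {token}"})
    return body["value"], body["id"]

def fake_transport(url, headers):
    """Constructed offline stand-in for both endpoints (sample data, not a real vault)."""
    if url.startswith(IMDS_TOKEN_URL):
        if headers.get("Metadata") != "true":
            raise PermissionError("IMDS rejects requests without 'Metadata: true'")
        return {"access_token": "constructed-token", "resource": KV_AUDIENCE}
    if headers.get("Authorization") != "Bearer constructed-token":
        raise PermissionError("401: no access policy or bad bearer token")
    name = url.split("/secrets/")[1].split("?")[0].split("/")[0]
    # The vault reports the concrete version it served, even for a versionless request.
    return {"value": {"my-secret": "123"}.get(name),
            "id": f"https://a4e-key-vault.vault.azure.net/secrets/{name}/0123abcd"}

if __name__ == "__main__":
    print(get_secret("a4e-key-vault", "my-secret", http=fake_transport))
```

Swap `fake_transport` for the default `http_get_json` on a VM whose managed identity has a get access policy on the vault, and the same two calls run for real.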
Info
Channel: Adam Marczak - Azure for Everyone
Views: 129,404
Keywords: Azure, Key Vault, Security, Secrets, Certificates, Encryption, azure key vault, Key, Vault
Id: PgujSug1ZbI
Length: 18min 43sec (1123 seconds)
Published: Tue Oct 15 2019