Azure Key Vault Tutorial | Secure secrets, keys and certificates easily
HTML-код
- Опубликовано: 10 сен 2024
- Using Azure Key Vault Service allows for centralization and protection of your application secrets, certificates but also encryption keys for Virtual Machines.
In this episode I give you introduction to what Azure Key Vault service with few demos using Logic Apps connectors, MSI with REST api and data factory.
Want to connect?
- Blog marczak.io/
- Twitter / marczakio
- Facebook / marczakio
- LinkedIn / adam-marczak
- Site azure4everyone...
Next steps for you after watching the video
1. Azure Key Vault documentation
docs.microsoft...
2. Understand basic concepts of Key Vault
docs.microsoft...
Adam you are an Azure Rockstar. its like magic, you know all the questions i was going to ask . Thank you sir for all your hard work and the great videos.
Perfect Intro and reference for anyone wanting to keep creds out of code. Surprising that so many don’t use it! Thanks Adam with so many calls to API keys essential.
My pleasure!
Awesome video! Here you got not only Key Vault, but a very nice demo on how to use a Managed Identity in a perfect scenario using Logic Apps, the other good thing I learned from this video was how to use all together with Key Vault and a Managed Identity: Key Vault, Logic App, Managed Identity, Storage Account, and Data Factory.... I can't believe somebody gave a thumbs down.
Thank you so much :). All I can say... there is no man to please everyone. Thanks for the support!
first time I watched ur video yesterday.
Bt now I am addicted to watch ur videos
ur video is smart and lot to learn from ur videos, keep it up
Thank you so much 😀
Thank you so much Adam! Appreciate your efforts in putting together these details so precisely
My pleasure! Always glad to hear feedbacks like this!
Thanks for this demo. Helped me resolve a very basic issue I was having with DF
Awesome :)
Informative video. Thanks. Remember to always hit SAVE is right. Easy to forget.
Thanks! :D SAVE SAVE SAVE :D
I watched it 3x and shared it with my team. Thank You so much.
Awesome Susan! :)
Thank you so much, it really helped me to finish my work, also I love you explanind how to achieve this in 3 ways, 🧠👏
I think I have adopt you as my teacher fromnow on!
Hah, thanks!
This helped me understand key vault. Thank you very much for this session.
Glad it was helpful!
What if I want to encrypt my client secret using a key in the azure key vault? Isn't this impossible?
I've been trying like hell and can't figure it out.
Hi Adam, I got: "Could not load file or assembly 'System.Runtime, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a". Any suggestions?
Try updating .NET SDK and packages to latest version. A little bit of googling also should suggest many other solutions. Typically this error means you have one package that requires packages in certain version which you currently don't have installed.
Very helpful Adam. Thank you.
My pleasure!
Hi, I have question. I am working on a envelope encryption of azure blob storage. I am enabling the immutable policy for the blob storage. During the time of key rotation, the DEK that is present in metadata of the blob can be modified.?.As the immutable policy is not allowing to set the metadata..
Hats off to you!
Thanks!
Nice Adam, Its fair enough explanation..Please add one realtime example
Very simple explanation and demo. Super useful. Thanks a lot.
Cheers, great to hear that!
Great video! Very clear, informative and comprehensive.
Glad it was helpful!
having issues when using reference to pass keyvault secret to sharedkey when creating azure site to site connection deployment fails
thank you Adam, well done
Thanks for watching!
Amazing explanation! thanks for this useful info
you are my azure mentor!...thanks again Adam!
My pleasure!
hii adam i am using trial suscription but for me logic app designer is not present in my azure portal
Thanks for this nice demo
My pleasure!
Thanks for sharing
My pleasure
Thanks you for the demo.
My pleasure!
after I created my secrets how can i change the value of the secret? for example if a secret is a password and the password change
Hi does Azure Key Vault Manager HSM can store secret connection string to database like Azure Key Vault ?
Thanks Adam for this
Thanks for watching ;)
Exactly what I was looking for, good that you keep it so simple and easy. :)
Superb! Thanks!
Is there any video on Azure aks cluster scaling?
I don't have AKS covered yet, sorry!
Has the AzureServiceTokenProvider been deprecated or replaced?
If there are two different accounts, (A and B), and if account A wants to access a key vault in account B, how do I setup the connection in between account A and B?
Great tutorial! Thank you for this
Awesome demonstration! thanks Adam
My pleasure!
Hi, my company's auditor asks to encrypt mongo DB whose key should be managed centrally. Could you give me a few hints on how to combine DB encryption and Azure key Vault?
Unfortunately, I'm not a mongo db expert, you need to check their documentation on this.
How does this differ from azure app configuration????
Azure app configuration vs azure key vault??
Tricky question. I did mention this in my app configuration video. Currently app configuration works on top of key vault as an abstraction layer. Unfortunately because Key Vault SDK is so great the app configuration typically doesn't deliver enough features to justify the price. But the purpose is more or less like this KV: secrets (all highly secure credentials), app config (key vault references for secure config items, and general app configurations that are not secure (web service URLs, production/dev configs, etc). As such app configuration is just azure app service app settings section externalized as a service so that multiple applications can source their settings from a single place rather than repeating config for all apps.
Thank you for this . Could you do a tutorial on applying key vault to tables on a database?
Here docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?WT.mc_id=AZ-MVP-5003556
Good Video
Thanks for the visit :)
Hi Adam thanks you very much for you videos, you rock !!! so much :)
My pleasure!
@
Adam Marczak small question. I have a FaaS: Azure functions + API management. I need to give users API endpoints to manage certifications .p12 (Add/List/Remove). The certifications are not mine, they are from 3rd company, my users need to provide me certifications to use my Endpoints. Is an Azure Key Vault a good choice for that? Or I should go with Azure function + storage?
Unfortunately this is no longer technical question about Azure. This is a design question which you need to align depending on your system requirements. Overall you should use Key Vault to store certificates but you need additional API layer to manage RLS on top of the key vault. You can do that in Azure Functions if you want.
I liked you videos, simple and understandable. Can you also please make videos on authentication for .net like Azure AD and B2c
Thanks, suggestion noted :)
a lot for learning from this video. Great. could you also demonstrate how to use these secrets in vms, azure devops pipelines .
Hey thanks for watching. I added your suggestions to list of possible topics, will review them after I finish my current schedule! Thanks!
Great explanation ! I will definitely fallow your channel
Awesome, thank you!
Mind blowing... Thanks for the great work
Thank you so much 😀
Thanks Adam. Very Helpful
Thank you, glad you enjoyed it!
How can I get a secret/certificate from other application (say written in ASP .Net)? Do I need to provide any app access or through the default access policy it will work?
Of course you need to grant it an access. Just like shown in the video and the demos.
Thanks for the great video. I am using a container instance to deploy an application, if I want to add SSL to it. Can I use keyvault certificates and keys to set SSL up?
Thanks alot Adam for this video
11 month subscriber! Nice! You are with me since almost the beginning! Appreciate your support ;)
Can we store PGP encryption's private keys also and access it using REST API's of Azur ?
You can store them as secrets and retrieve them using rest api. docs.microsoft.com/en-us/rest/api/keyvault/?WT.mc_id=AZ-MVP-5003556
Thanks, very helpful. :)
Thanks Praveen! :)
Thanks adam =)
Trying to connect an AAS tabular model to a Synapse database using SQL credentials. Is it possible to store these credentials in the key vault and reference them in AAS? Have not been able to find any documentation related to AAS integration with the key vault.
Hi Jack. Unfortunately this scenario is not supported at this time :(
How do we know which api version to specify in the HTTP request for the secret?
You can always check API versions in the documentation docs.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret
After disc encryption without aad, how often is taken the secret from key voult?
Hey Kuba, I actually never checked as it wasn't relevant to me. If you need this info you probably can check Azure Monitor for keyvault calls. Not sure if documentation is so detailed to specify this.
thank you, you explained it very well,
Thanks Bryan! Glad to be of service.
Can I set it up so that apps/scripts I sign with my codesigning cert are automatically trusted to request a secret?
Create service principal and upload your certificate.
Add access policy to this principal.
Then use that principal from the code to connect to key vault to get secret.
Everything is explained here: docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1?WT.mc_id=AZ-MVP-5003556
Thank you for the information! I have a question about retrieving a private key using a logic app or a function. I have a case which involves using asymmetrical encryption, one side was given a public key (by us) and our corresponding public key needs to be entered in order the access their file. They only thing I see, which I don't want to do, is add the private key manually in the api connection set-up. Any advise? Should I save the private key as a secret? Thank you.
Thanks for tuning in. I think you might find this conversation useful: stackoverflow.com/questions/51940248/is-it-possible-to-get-the-private-key-out-of-azure-key-vault-keys
hi Adam,
could you share how to add file.key and file.crt into a secret and get it through AKS secret?
Thanks Adam, this is helpful. Can we get similar demo for functions with azure key vault ?
Noted! Although you can very easily integrate them by using key vault references with no coding! docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
Hi Adam, Can you pls share some insights that if we want to monitor our Azure Key Vault, how can that be achieved?
The problem statement is that there are hundreds of customers with their specific customer ID now whenever they change their password we need to know about that someone has changed it.
we have the list of all those customer ID?
please share your views on the above because I am not getting any stuff on the Azure key vault documentation so that's why I thought to discuss this issue with you....
Note: Azure Monitor we cannot use because our servers are differently managed so pls share any insights of independent with Azure Monitor....
Check if this automatic key vault logging fits your needs docs.microsoft.com/en-us/azure/key-vault/general/logging?WT.mc_id=AZ-MVP-5003556
Adam, can you create a small demo to use Key Vault with third party tools. Specifically how you manage your keys through Key vault.
How can Key Vault be used to secure the existing connection strings in web.config and app.config?
Yes it can and it should be. In new versions of SDKs ConfigurationManager.AppSettings automatically picks those from app settings on app service or you can simply use few lines of code. There is a lot of info depending on language on how to do it.
@@AdamMarczakYT Will you be able to do a demo on how to turn our existing connection strings in web.config and app.config to an encrypted alternative via Key Vault? Thanks.
Hopefully at some point but I have currently pipeline set up for next 10 videos so probably in a while. But if you check this guide azure.microsoft.com/en-in/resources/videos/configuration-and-app-settings-of-azure-web-sites/ and then use Keyvault reference from my video (or here docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references) it should work out.
@@AdamMarczakYT I will certainly have a go at this.
Thank you.
Hi Adam! Great video, thanks. How can I backup all values in KeVault in case of losing them?
Please remember to not underestimate Microsoft docs. If you would google "keyvault backup" you would find this page as first result docs.microsoft.com/en-us/azure/key-vault/general/backup?WT.mc_id=AZ-MVP-5003556 . Microsoft docs is very well organized and has plenty of common questions and scenarios already explained very nicely. thank you again for watching :)
how to store ssh private key in azure key vault
Thank you. I am trying to execute it with PostMan, how do I set Managed Identity?
If you run postman on a VM that has managed identity enabled then you can use local endpoint for token.
docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token?WT.mc_id=AZ-MVP-5003556
what is a logic app?
Strategy question: If I have an encrypted file for each user of an app (containing highly sensitive data), should I use a single vault key to unlock all the files? A separate vault key for each user (which looks expensive)? Or mix a user-specific non-vault key with a private single vault key?
Enjoying your videos.
Thanks. As to your question. You can't fine grain permission per secret/key level so it depends on who will have access to the key vault. Remember that users can decompile your application if it's client side. Also I'm not sure what do you mean looks expensive when key vault is priced per transactions and keys azure.microsoft.com/is-is/pricing/details/key-vault/
@@AdamMarczakYT Yeah thankfully it's all server-side what I'm building. Clients will be very thin and use JWT to hold access. I did see that pricing page (in USD) and I guess it doesn't make sense to hold anything end user-specific in the vault if that's the case.
I'm new to full stack development and maybe I'm just being paranoid about user files getting cracked, and it's making me overcomplicate key strategies.
Paranoia is good for security ;) but if JWT in client is to your API it's ok, if it is to key vault then not really ;)
@@AdamMarczakYT thank you, very helpful. Look forward to watching the rest of your videos.
Great tutorial! I am trying to integrate my ASP.Net Core application. How can I create a development environment for testing purposes that does not require deploy to azure every change?
Hey Eryk. Do you mean how to run asp.net core app locally? Because both visual studio and visual studio code allow for local debugging. Although there is no official keyvault emulator from MS at this point in time. Only some open source by some users. Thanks for stopping by! :)
@@AdamMarczakYT I mean, how to test if there is a connection between Azure Key Vault and my ASP.NET Core Application during the development.
Unfortunately as I said, there is no keyvault emulator. Normal development practice means create development resource groups with development instance of key vault. And then separate for uat/sat/prod environment. There is no static charge for keyvault, it doesn't cost more having more. I think this is general pattern for cloud development. Most services are online and require connection for development purposes.
Hello "Azure 4 Everyone", are the elliptical curve encryption keys usable with a solution of keys managed by the customer at the level of an azure storage account. For my part I cannot use this type of key. I have the following error message: encryption.keyvaultproperties.keyname.
Hey, I think they are supported but not from the portal, you will need to use SDK like .NET or REST api to upload them. I've seen some references in the past on the web how to do it, but I personally never had a chance to work on scenario like this. A quick google might find you some good results I think. Best resource I found is here: azidentity.azurewebsites.net/post/2019/05/24/ecc-certificates-in-the-key-vault
Also it looks like Azure CLI also supports it with --curve parameter
ref: docs.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest
@@AdamMarczakYT Thank you for your information however my question is how to assign an EC encryption key to my azure storage account from Azure CLI or Powershell.
Ahhh! I misread your question. Unfortunately I don't know, I'll check with some of my colleagues and revert here if I find anything. Thanks for checking out and commenting.
@@AdamMarczakYT To add details on the actions that I carried out to try to solve my problem I followed the instructions presented in this official microsoft link and at the step "Configure encryption with customer-managed keys" (link : docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-cli) I got the message error message: Values for request parameters are invalid: encryption.keyvaultproperties.keyname. As a reminder, I carried out all of the orders in Azure CLI.
I also looked through the following documentation (docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption) and in the section "Store customer-managed keys in Azure Key Vault" the following remark is mentioned: "Only RSA keys of size 2048 are supported with Azure Storage encryption". So why does Microsoft offer encryption options based on EC keys if it is not supported?
Thanks Adam. It is very useful. In which case will we use the certificate and keys
Thanks. Certificate are just like better passwords that are stored as files. So it is recommended over standard passwords if you apps support it. Keys are usually used to encrypt drives on virtual machines.
Good One. Will try the same ...
Please do :)
@@AdamMarczakYT Cool !!!. It is working really well !!!. Azure Key Vault is really awesome !!!
azure key value store secrets of azure active directory user account >
A. No change is needed
B. Azure Active Directory (Azure AD) administrative accounts
C. Personally Identi
D. Server application
You need to do your quizzes by yourself :) You can do it!
Very useful video, thanks for sharing your knowledge. How do you get the list of Audience's for the different Azure services? I'm trying to connect logic apps to data factory through an API call, and want to use managed identity, I just can't find the audience for data factory
Thanks. Here is the list of supported services with audiences listed docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities but data factory doesn't have it's own API. You use azure resource manager to execute pipelines via REST API so use that audience.
@@AdamMarczakYT awesome! thank you again
Thanks, but the tutorial seems to only cover secrets and not certificates.
Yes, you are right. Unfortunately due to self-imposed time limitation of 20-30 min video I can't fit all possible features of a service, otherwise this video would be hour+ long. Typically I choose the most commonly used features and the coolest ones and try to showcase them in a live demo. I try to talk about most features on the slides though.
Great video, Do you have a video showing key vault and connecting to SQL Server which will have a sql login and password?
Hi Roger. If you are developing applications, be it in C#, Java, NodeJs etc. then my recommendation is to use Managed Identity to connect to Azure SQL in a passwordless way. This was you might not even need a key vault, unless you store some extra things. But managed works also for key vault. Definitely an amazing feature to use. Here is my video on the subject if you are interested: ruclips.net/video/sA_mXKy_dKU/видео.html
Great advice thanks Adam for the link
Thanks Adam for great video👍😊, I have a scenario where I need to send the CSV files to azure container from Unix, if possible could you share a video which can explain how can it be achieved? Can we use python to send the files from Unix to azure container?
Try AzCopy docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs?toc=/azure/storage/blobs/toc.json?WT.mc_id=AZ-MVP-5003556#upload-files
@@AdamMarczakYT thanks Adam, I will try this & let you know the result.
@@AdamMarczakYT hello Adam, Azcopy command is used to upload the files from local system, however I want to upload the files from unix to azure container. Can we do SFTP to azure?
azcopy works on unix, install it and upload your data
@@AdamMarczakYT thanks Adam, I will try it & share the feedback with you.
It was great, can I know how can we make connection between SQL server and data factory through key vault.
If I remember correctly it requires you to put connection string inside of Key Vault as a secret. Although my recommendation is to use managed identity. Thanks for watching.
docs.microsoft.com/en-us/azure/data-factory/connector-azure-sql-database-managed-instance
@@AdamMarczakYT I've already connected using password, and also with Integration runtime as you suggested docs. But I wanted to do same thing with key vault, in fact I did connection as you did in video. The connection between data factory and key vault had been created successfully. But at the time of connection between data factory and database , it is showing me an error while test connection between db and data factory. Also I checked with managed identity I got a same error test connection failed.
I might do SQL ADF with Managed identity in future. For now try as per documentation, I used this multiple times in several of my projects and it should work without any issues.
Gdzie okulary
Dopiero po nagraniu pomyslalem o miniaturce ;(
this is outdates
Hi Adam , I am facing while accessing stored keys . Error is “unable to Microsoft_key_vault extension “. Could you please help with possible issue that causing this ?
If you mean in Azure portal then try disabling adblock or clear cache