Creating a project is easy, but securing it is not as simple as ABC. Almost everyone has at some point checked a database or service account password into a version control system such as Git. The Internet does not help you here; it can even make the problem worse. Just open GitHub and type "password" into the search box and you will find plenty of accidentally committed credentials. We can minimize the risk of committing passwords simply by using Azure Key Vault. How? Just read my article and I will tell you the secret.
Azure Key Vault is a cloud-based service offering secret management, certificate management, cryptographic operations with keys and more. In this article I focus mainly on secret management, which is a great fit for storing application credentials.
Azure Key Vault dashboard
Adding a new secret to Azure Key Vault is a really simple task. Select "Secrets" in the left navigation pane and click "Generate". The service stores key-value pairs, so each entry must have a unique name. Optionally, we can set an expiration time for the secret and add custom metadata. Secrets are versioned: every update creates a new version of the secret rather than overwriting the old one.
Adding a new secret in the Azure portal
In the Azure portal you can also list the secrets that have been added, provided you have permission to do so. Permissions are covered in the next section.
Secret details in Azure Key Vault
All the actions mentioned above are also available through the REST API, the SDKs, Azure CLI and PowerShell.
When you use Azure Key Vault you can grant permissions for specific operations, such as getting, listing or updating secrets. It is incredibly important to grant only the permissions that will actually be used. For instance, if your app only needs to read secrets, it should not have permission to update them. Note that "Get" and "List" are separate permissions: "List" returns secret names and attributes but not values, so an application that reads known secrets by name needs only "Get".
These access policies can be assigned to a user, an Azure Active Directory registered application or a Managed Service Identity (MSI).
Access policies settings
As an example, I will integrate an Azure-hosted ASP.NET website with Azure Key Vault. To authenticate to the service we need to choose one of two options: an Azure Active Directory registered application identified by a ClientId and ClientSecret, or Managed Service Identity (MSI), where the Azure-hosted app obtains its tokens from the platform without any credential stored in its configuration.
As you can see, reading configuration from Azure Key Vault is not much harder than reading it from local configuration.
Configuration
If you choose the first approach, the only difference is that you pass a callback function which obtains an access token using the ClientId and ClientSecret. Keep in mind that the ClientSecret is itself a credential that must live somewhere outside source control (for example in the App Service application settings), which is why MSI is the better choice whenever the hosting platform supports it.
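The following is an added example of the integration described above; it is not the article's own code. It assumes ASP.NET Core 2.x with the Microsoft.Extensions.Configuration.AzureKeyVault, Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication and Microsoft.IdentityModel.Clients.ActiveDirectory packages, and the setting names "KeyVault:Name", "KeyVault:ClientId", "KeyVault:ClientSecret" and the secret name "DbPassword" are assumptions chosen for the example. It wires both authentication options: MSI when no ClientId/ClientSecret is configured, otherwise the ADAL token callback for an Azure AD application.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace KeyVaultDemo
{
    public class Program
    {
        public static void Main(string[] args) =>
            CreateWebHostBuilder(args).Build().Run();

        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    // Settings loaded so far (appsettings.json, environment variables, ...).
                    // "KeyVault:Name" is an assumed setting name. Only the vault *name* lives
                    // in local configuration, never a secret value.
                    IConfigurationRoot settings = config.Build();
                    string vaultUri = $"https://{settings["KeyVault:Name"]}.vault.azure.net/";

                    KeyVaultClient keyVaultClient = CreateKeyVaultClient(settings);

                    // Every secret the identity may "Get" and "List" becomes a configuration key.
                    // DefaultKeyVaultSecretManager maps "--" in a secret name to ":", so the
                    // secret "ConnectionStrings--Db" is read as Configuration["ConnectionStrings:Db"].
                    // Secrets are loaded once here, at startup, so the Key Vault latency is not
                    // paid on every request.
                    config.AddAzureKeyVault(vaultUri, keyVaultClient, new DefaultKeyVaultSecretManager());
                })
                .UseStartup<Startup>();

        private static KeyVaultClient CreateKeyVaultClient(IConfiguration settings)
        {
            string clientId = settings["KeyVault:ClientId"];         // assumed setting name
            string clientSecret = settings["KeyVault:ClientSecret"]; // assumed setting name

            if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret))
            {
                // Option 2 (preferred): Managed Service Identity. AzureServiceTokenProvider asks
                // the platform's MSI endpoint for a token, so there is no credential in the app
                // configuration that could be leaked or checked in.
                var tokenProvider = new AzureServiceTokenProvider();
                return new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
            }

            // Option 1: Azure AD registered application with ClientId / ClientSecret. The only
            // difference is the callback that exchanges the credential for an access token.
            return new KeyVaultClient(
                async (string authority, string resource, string scope) =>
                {
                    var authContext = new AuthenticationContext(authority);
                    var credential = new ClientCredential(clientId, clientSecret);
                    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, credential);
                    if (result == null)
                    {
                        throw new InvalidOperationException("Failed to obtain an access token for Azure Key Vault.");
                    }
                    return result.AccessToken;
                });
        }
    }

    public class Startup
    {
        private readonly IConfiguration _configuration;

        public Startup(IConfiguration configuration) => _configuration = configuration;

        public void Configure(IApplicationBuilder app)
        {
            // "DbPassword" is an assumed secret name. It is read exactly like a local setting;
            // the code does not know (or care) that the value came from Key Vault.
            string dbPassword = _configuration["DbPassword"];
            app.Run(ctx => ctx.Response.WriteAsync(dbPassword == null ? "secret missing" : "secret loaded"));
        }
    }
}
```

With MSI the identity of the App Service must be added to the vault's access policies with only the "Get" and "List" secret permissions; with the ClientId/ClientSecret option it is the Azure AD application that gets those permissions, and the ClientSecret goes into the App Service application settings, not into appsettings.json.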
Using Azure Key Vault from PowerShell is even easier than from an application.
Azure Key Vault in PowerShell
Yes, that's all: a single line of code, one line that keeps your password secure. The only things you need to do first are to log in to Azure in your PowerShell session and install the AzureRM.KeyVault module.
Using the Azure CLI looks quite similar:
Azure Key Vault in Azure CLI
If you use Azure Resource Manager (ARM) templates and want to stop passing credentials as plain-text parameters, the change is extremely easy. You don't even need to change a single line of your app's code!
The changes are confined to the ARM template parameters file: you replace a parameter value given as plain text with an Azure Key Vault reference. The migration consists of changing the value from this:
Configuration
to this:
Configuration
After changing the ARM template, make sure that the secrets stored in Azure Key Vault are up to date, then deploy the template. Azure resolves the references and applies the secret values during the deployment. Note that the values are read at deployment time only: if you later change a secret in Key Vault, the deployed resource keeps the old value until you deploy again.
Before running the deployment, make sure that Azure Resource Manager is allowed to read the vault during template deployment (the "enabledForTemplateDeployment" property of the vault). To check it, go to the Access policies section and tick the checkbox shown in the screenshot below. The user or service principal running the deployment also needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault:
Access policies
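An added example of the migrated parameters file; it is not the article's own file, and the subscription, resource group, vault and parameter names are placeholders. Before the migration the parameter carried the password directly, as `"value": "<plain-text password>"`; after it, the file holds only a pointer to the vault, so it can be committed safely. The parameter must be declared in the template with type "securestring" (or "secureObject"), as Key Vault references are only allowed for secure parameter types, and "secretVersion" is optional: without it the latest version is used.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sqlAdminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "sqlAdminPassword"
      }
    }
  }
}
```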
We use Azure Key Vault in these areas, among others:
I encourage you to check the current pricing of the service. While I was writing this article (3.10.2018) it was about 0.03 USD per 1000 requests. At that rate, 1 USD a month buys roughly 33,000 requests, which over a 720-hour month is about 46 requests every hour. It is a really small expenditure that may save you a lot of fear and anxiety.
Azure Key Vault is quite a small service with one incredibly important job: keeping your secrets, keys and certificates safe. If you can accept the latency of calling an external service compared with reading local configuration, I strongly encourage you to try it.