
Working with Azure Key Vault

Hands-On Lab


Shawn Johnson

Azure Training Architect II in Content

Length: 02:00:00

Difficulty: Intermediate

Azure Key Vault is a tool that allows IT personnel to securely store and access items such as API keys, passwords, access keys to Azure storage accounts, certificates, and more. Application developers can also reference the Key Vault in their code to access these secrets, as opposed to hard-coding them into their applications.

In this lab, we will be creating an Azure Key Vault and reviewing the different components of the vault via the Azure Portal. We will also use the portal to store and retrieve a password. Finally, we will use the vault to store a local password for a Windows virtual machine and deploy the virtual machine using an ARM template. Instead of supplying the password in plaintext, we will have the template reference the secret in the Key Vault.

Lessons Learned:

  • Create and configure Azure Key Vault
  • Interface with the Key Vault using the Azure Portal
  • Use Azure Key Vault to pass a secure parameter value during deployment


Log In

Click Open Azure Portal and log in with the credentials provided on the lab page. Note the Instant Terminal button as well, which we can use to log in to our virtual machine later.

Working with Azure Key Vault

Let's get started!

Configure Cloud Shell.

  1. Set up Cloud Shell by clicking the >_ Cloud Shell icon in the top-right corner of the screen.
  2. Select Bash.
  3. In the storage pop-up, click Show advanced settings.
    • Subscription: Leave as-is
    • Cloud Shell region: West US
    • Resource group: Use existing
    • Storage account: Use existing
    • File share: Create new
      • Name: cloudshell

Create an Azure Key Vault.

  1. In the Azure Portal, click on Resource Groups in the hub navigation menu. In the Resource Groups pane, click the resource group for the lab. In the lab resource group pane, click the blue + Add icon at the top of the screen.
  2. Search for and click on Key Vault.
  3. Click Create and use the following settings:
    • Name: Choose a unique name for your Key Vault. Using something like kv-XXXXX is recommended, where XXXXX represents the five-character suffix of your lab resources. (See your storage account name for an example.)
    • Subscription: Leave as-is
    • Resource Group: Select existing lab resource group
    • Location: West US
    • Pricing Tier: Standard
    • Access Policies: Leave as-is
    • Virtual Network Access: Leave as-is
  4. Click Create.
  5. Once it's created, click Go to resource to view it.

Create a secret in the Key Vault for your VM password.

  1. Navigate to Secrets.
  2. Click Generate/Import, and configure the secret with the following settings:
    • Upload options: Manual
    • Name: Something unique, but memorable (e.g., "VMPass"), as we will reference this secret name later on.
    • Value: Again, something unique (e.g., "LA!2019Lab"). This will be used as the password to log in to our Linux VM later in the lab.
  3. Leave the rest of the settings as-is, and click Create.

Configure the Key Vault to be used by ARM templates and note the Key Vault resource ID.

  1. Navigate to Access policies.
  2. Click the Click to show advanced access policies link.
  3. Select the Enable access to Azure Resource Manager for template deployment checkbox.
  4. Click Save.
  5. Click Properties.
  6. Click the copy icon next to the resource ID to copy the value to the clipboard.
  7. Paste this value in a text file — we'll need it later on.

Create and download a virtual machine ARM template.

  1. Click the Virtual machines icon in the hub menu.

  2. Click + Add.

  3. Complete the configuration of the virtual machine with the following settings. NOTE: Do not create the VM.

    Basics

    • Project Details
    • Subscription: Leave as-is
    • Resource Group: Leave as-is
    • Instance Details
    • Virtual machine name: vm-XXXXX, where XXXXX represents the five-character suffix of the lab resources. (See the storage account name for an example.)
    • Region: West US
    • Availability options: No infrastructure redundancy required
    • Image: CentOS-based 7.5
    • Size: Standard B1ms
    • Administrator Account
    • Authentication Type: Password
    • Username: azureuser
    • Password: Use a default password that is different from the one you set as the Key Vault secret.
    • Confirm password: Repeat the password
    • Inbound port rules: Leave as-is

    Disks

    • Disk Options
    • OS disk type: Standard HDD
    • Leave everything else as-is

    Networking

    • Configure Virtual Networks
    • Virtual network: vnet-XXXXX, where XXXXX represents the five-character suffix of the lab resources. This should be the default.
    • Subnet: default (10.0.0.0/24).
    • Public IP: pip-XXXXX, where XXXXX represents the five-character suffix of the lab resources. We will have to select this value.
    • NIC network security group: None
    • Accelerated networking: Off
    • Load Balancing: Leave all settings as-is

    Management

    • Monitoring
    • Boot diagnostics: Off
    • Leave all other settings as-is
  4. Click Review + create.

  5. Click Download a template for automation.

  6. Click Download to save the .zip file to your local machine.

Extract the .zip file and modify the parameters.json file.

  1. Extract the .zip file.

  2. Open the parameters.json file in your local text editor.

  3. At the bottom of the file, locate the following section:

    "adminPassword": {
        "value": null
    }
  4. Replace it with the following:

    "adminPassword": {
        "reference": {
            "keyVault": {
                "id": "KeyVaultID"
            },
            "secretName": "KeyVaultSecret"
        }
    }
  5. Substitute your Key Vault resource ID (which should be saved in a text file from earlier) for KeyVaultID and your VM password secret for KeyVaultSecret.

  6. Your final code should look like the following:

    ![KeyVault ARM](https://raw.githubusercontent.com/linuxacademy/content-az-300-lab-repos/master/images/KeyVault.png "KeyVault ARM")
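The edit in steps 3 to 5 is easy to get wrong by hand (a stray literal value, a mistyped resource ID), so here is an added example, not part of the lab's files, that performs the same substitution on a loaded parameters.json and then checks that every secureString parameter in template.json is resolved from Key Vault rather than carried as plaintext. The sample dictionaries, the vault name kv-abcde and the subscription GUID are constructed for the example.

```python
import copy
import re

# Constructed stand-in for the lab's parameters.json after json.load(); not the downloaded file.
PARAMETERS = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {"value": "azureuser"},
        "adminPassword": {"value": None},  # the null the lab tells you to replace
    },
}

# Constructed fragment of template.json: only the parameter declarations matter here.
TEMPLATE = {
    "parameters": {
        "adminUsername": {"type": "string"},
        "adminPassword": {"type": "secureString"},
    }
}

# Shape of a Key Vault resource ID as copied from the vault's Properties blade.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[A-Za-z0-9-]{3,24}$"
)
# Key Vault secret names: 1-127 alphanumerics or hyphens.
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")


def reference_secret(params, parameter_name, vault_id, secret_name):
    """Return a copy of params in which parameter_name is resolved from the
    Key Vault secret at deployment time instead of carrying a literal value."""
    if not VAULT_ID_RE.match(vault_id):
        raise ValueError(f"not a Key Vault resource ID: {vault_id}")
    if not SECRET_NAME_RE.match(secret_name):
        raise ValueError(f"invalid Key Vault secret name: {secret_name}")
    out = copy.deepcopy(params)  # leave the caller's dictionary untouched
    out["parameters"][parameter_name] = {
        "reference": {"keyVault": {"id": vault_id}, "secretName": secret_name}
    }
    return out


def plaintext_secure_params(template, params):
    """Names of secureString/secureObject parameters whose parameters-file entry
    is a literal value rather than a Key Vault reference; should come back empty."""
    leaked = []
    for name, decl in template["parameters"].items():
        if decl.get("type", "").lower() not in ("securestring", "secureobject"):
            continue
        entry = params["parameters"].get(name, {})
        if "reference" not in entry and entry.get("value") is not None:
            leaked.append(name)
    return leaked
```

Run plaintext_secure_params over the real template.json and parameters.json before uploading them to the file share; a non-empty result means a secret is about to be stored in plaintext in the storage account.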

Upload the parameters.json and template.json files to the Azure storage account.

  1. In the portal, click the Storage accounts icon in the hub menu.
  2. Open your storage account (named saXXXXX).
  3. Click Files.
  4. Click the cloudshell file share.
  5. Click Upload.
  6. Upload your parameters.json and template.json files to the share.

Create your virtual machine using the ARM templates.

  1. Open Cloud Shell.

  2. Change to the clouddrive directory:

    cd clouddrive
  3. Run the following Azure CLI command:

    az group deployment create --resource-group "resource group" --template-file template.json --parameters parameters.json
  4. After the --resource-group parameter name, press Tab twice to automatically complete the resource group name.

  5. Press Enter to execute the command.

  6. When the CLI output appears on the screen, check the Azure portal to confirm deployment of the VM.

Test logging on to the VM with your secret password.

  1. In the Azure portal, open the newly created virtual machine.
  2. In the Overview pane, click Connect.
  3. Copy the ssh string below Login using VM local account by clicking on the copy icon.
  4. Back on the lab page, click Instant Terminal.
  5. At the prompt, paste the clipboard value and press Enter.
  6. If prompted to continue connecting, enter y.
  7. At the password prompt, enter the value of your password secret (not the password you created when configuring the VM template).
  8. Press Enter.

Conclusion

Congratulations on completing this lab!