Azure key vault

satya - 11/16/2019, 10:02:08 AM

Azure key vault documentation is here

satya - 11/16/2019, 10:03:21 AM

Here is the learning path for azure key vault

These learning paths are usually good

satya - 11/16/2019, 10:57:59 AM

Intro

Azure Key Vault's API uses Azure Active Directory to authenticate users and applications

Three actions: Get, Set, List

Permissions to these actions are across the vault, no smaller granularity

For apps, often only Get permissions are required.

Good practice is to create a separate vault for each deployment environment of each of your applications, such as development, test, and production

If you use the same names for secrets across different environments for an application, the only environment-specific configuration that has to change in your app is the vault URL.

Vault names must be globally unique, so you'll need to pick a unique name. Vault names must be 3-24 characters long and contain only alphanumeric characters and dashes

Apps and users authenticate to Key Vault using an Azure Active Directory authentication token

When you enable managed identity on your web app, Azure activates a separate token-granting REST service specifically for use by your app. Your app will request tokens from this service instead of directly from Azure Active Directory. Your app needs to use a secret to access this service, but that secret is injected into your app's environment variables by App Service when it starts up. You don't need to manage or store this secret value anywhere, and nothing outside of your app can access this secret or the managed identity token service endpoint.

satya - 11/16/2019, 11:08:49 AM

The way it works for a webapp is this

1. When you enable managed identity on your web app, Azure activates a separate token-granting REST service specifically for use by your app.

2. Your app will request tokens from this service instead of directly from Azure Active Directory.

3. Your app needs to use a secret to access this service, but that secret is injected into your app's environment variables by App Service when it starts up.

4. You don't need to manage or store this secret value anywhere, and nothing outside of your app can access this secret or the managed identity token service endpoint.

satya - 11/16/2019, 11:37:22 AM

Managed identity for data factory is documented here

satya - 11/19/2019, 10:20:51 AM

Documentation: Provide Key Vault authentication with a managed identity

I am hoping to find here to learn about setting a policy for the vault where it can allow a managed identity principal (like a data factory) to read from the vault

The policy screen is very confusing on its own. Hoping this document will shed light

satya - 11/19/2019, 10:32:36 AM

The above document does show how to add read permission for a resource to the vault

1. See section called Grant your app access to Key Vault

2. Meaningful drop downs are a) Select permissions (get, list) b) select prinicipal

3. Select principal will open a search panel to the right: I have entered the beginning string of the data factory resource name. It picked it up

satya - 11/19/2019, 10:33:25 AM

Options for Access policies screen in azure key vault

Search for: Options for Access policies screen in azure key vault

satya - 11/20/2019, 11:25:27 AM

Security recommendations for azure key vault

satya - 11/21/2019, 10:28:36 AM

what is the difference between keys and secrets in Azure key vault?

Search for: what is the difference between keys and secrets in Azure key vault?

satya - 11/21/2019, 11:06:19 AM

So finally, how to access an azure function through the key vault

1. Create a key vault

2. Locate the data factory name that is going to be accessing the key vault in order invoke a function.

3. Add a policy to the key vault using: a) Select permissions (get, list) b) select prinicipal (you will use the data factory name here to locate the data factory). make sure you click the "save" button.

4. Locate your pipeline where you have a function activity

5. Function activity points to a linked service that connects you to the function app

6. it is in this linked service you need to spec a function key. Instead you point to the key vault

7. Key vault also needs a linked service (no surprises here in setting this up as you don't need to provide any access control passwords)

8. Meanwhile, you have to locate the function key by going to the function app and locating your function and locating the "manage" option under that function and copying the necessary function or master keys. Your app must be running to locate these keys. (I am yet to fully understand the difference between master and host keys)

9. then go to the key vault and and put that key as a "secret" with a name

10. Now come back to the function app linked service and specify this secret as the key to the vault.

11. the key vault does not prompt you to the existing secret names. would have been nice if it did. so you have to remember what name you have given it to the secret and type that in

12. Then save and publish it and use debug to see if your app is called

13. It did in my case

satya - 11/21/2019, 11:11:38 AM

Here is an example of that function app linked service


{
    "name": "Satya_fapp_01_getDirectoryName",
    "properties": {
        "description": "Satya_fapp_01_getDirectoryName",
        "annotations": [
            "Satya",
            "usage_individual"
        ],
        "type": "AzureFunction",
        "typeProperties": {
            "functionAppUrl": "https://fapp-01-satya.azurewebsites.net",

            "functionKey": {
                "type": "AzureKeyVaultSecret",
                "store": {
                    "referenceName": "ls_test_AzureKeyVault",
                    "type": "LinkedServiceReference"
                },
                "secretName": "satya-fapp-01-mster-key"
            }

        }
    },
    "type": "Microsoft.DataFactory/factories/linkedservices"
}

satya - 11/21/2019, 11:13:46 AM

Here is the pipeline with a single function app activity


{
    "name": "pl_test_af_keys_in_vault",
    "properties": {
        "description": "Call an azure function. 
              Get a directory name. 
              Test that the keys can be taken from the vault",
        "activities": [
            {
                "name": "Azure Function1",
                "type": "AzureFunctionActivity",
                "dependsOn": [],
                "policy": {
                    "timeout": "7.00:00:00",
                    "retry": 0,
                    "retryIntervalInSeconds": 30,
                    "secureOutput": false,
                    "secureInput": false
                },
                "userProperties": [],
                "typeProperties": {
                    "functionName": "SatyaFapp01HttpTrigger",
                    "method": "POST",
                    "body": {
                        "value": "{\n   \"name\": \"satya\"\n}",
                        "type": "Expression"
                    }
                },
                "linkedServiceName": {
                    "referenceName": "Satya_fapp_01_getDirectoryName",
                    "type": "LinkedServiceReference"
                }
            }
        ],
        "annotations": [
            "satya"
        ]
    },
    "type": "Microsoft.DataFactory/factories/pipelines"
}

satya - 11/22/2019, 11:45:41 AM

Summarizing securing Function Apps with Azure Vault - Figure 1

satya - 11/22/2019, 11:47:48 AM

Same image: Different view: Summarizing securing Function Apps with Azure Vault - Figure 2