As a cloud administrator, you are responsible for managing sensitive information such as usernames, passwords and other secrets that your virtual machines (VMs) need in order to run. Storing this information in plain text within your VM configurations or code is a significant security risk: anyone who can read the configuration, the repository or a deployment log can read the credential. A local or network-based password database is an improvement, but it still leaves copies on workstations, and a copy can walk out the door when an employee leaves. Azure Key Vault instead provides a secure, centralized location for storing and managing these secrets, with access controlled by Azure identities and every operation auditable through diagnostic logs.
What is Azure Key Vault?
How to Create an Azure Key Vault
To create an Azure Key Vault, you first need an Azure subscription; if you don't already have one, you can sign up for a free trial. Once you have a subscription, you can create a Key Vault using the Azure portal or Azure PowerShell.
Creating an Azure Key Vault using the Azure Portal
- Open the Azure portal and sign in with your Azure account credentials.
- In the left-hand menu, click on Create a resource.
- Search for Key Vault in the search bar and select it from the results.
- Click Create to begin the Key Vault creation process.
- Fill in the required fields, such as the subscription, resource group, and Key Vault name.
- Select the pricing tier (Standard is sufficient for secrets; Premium adds HSM-backed keys). On the Access configuration tab, choose Azure role-based access control as the permission model and enable purge protection, so that a deleted vault or secret cannot be permanently destroyed during the retention period.
- Click Review + create to review your Key Vault settings and create the resource.
Creating an Azure Key Vault using Azure PowerShell
- Open Azure PowerShell on your local machine or in the Azure Cloud Shell.
- Sign in to your Azure account with Connect-AzAccount.
- Run the following command to create a new resource group:
New-AzResourceGroup -Name "rg-kv-infra" -Location "westeurope"
- Run the following command to create a new Key Vault in the resource group. -EnabledForDeployment lets the Azure VM service pull certificates stored in the vault onto VMs; it does not by itself give any code running on a VM access to the vault:
New-AzKeyVault -VaultName "kv-infra-vms" -ResourceGroupName "rg-kv-infra" -Location "westeurope" -EnabledForDeployment $true
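The portal steps and the PowerShell steps above as one complete script, as an added example that is not part of the original post. It hardens the vault beyond the command above (Azure RBAC instead of access policies, purge protection, a 90-day soft-delete retention) and assigns the signed-in account a data-plane role, which RBAC vaults require even for the account that created them. The resource group, vault name, location and retention period are assumptions; assigning the role by sign-in name assumes you are logged in as a user rather than a service principal.

```powershell
# Added example, not code from the original post. Names and location are assumptions.
Connect-AzAccount

$rg       = 'rg-kv-infra'
$location = 'westeurope'
$vault    = 'kv-infra-vms'   # must be globally unique: 3-24 chars, letters, digits, hyphens

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# -EnableRbacAuthorization: data-plane access is granted with Azure role assignments
#   instead of per-vault access policies, so it is visible and auditable like any other RBAC.
# -EnablePurgeProtection: a deleted vault or secret cannot be purged before the retention
#   period ends, which blunts a destructive admin or a stolen admin token.
# -SoftDeleteRetentionInDays: how long deleted secrets stay recoverable (7-90).
# -EnabledForDeployment: lets the Azure VM service pull certificates onto VMs (as in the post).
$kv = New-AzKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location `
        -Sku Standard `
        -EnableRbacAuthorization `
        -EnablePurgeProtection `
        -SoftDeleteRetentionInDays 90 `
        -EnabledForDeployment

# With RBAC enabled even the creator has no data-plane rights until a role is assigned.
# 'Key Vault Secrets Officer' can create and read secrets but cannot manage keys or
# certificates; it is scoped to this vault only, not the resource group or subscription.
$signInName = (Get-AzContext).Account.Id   # assumes a user account is signed in
New-AzRoleAssignment -SignInName $signInName `
    -RoleDefinitionName 'Key Vault Secrets Officer' `
    -Scope $kv.ResourceId | Out-Null

# Sanity check: confirm the hardening settings actually took effect before storing anything.
Get-AzKeyVault -VaultName $vault |
    Select-Object VaultName, EnableRbacAuthorization, EnablePurgeProtection, SoftDeleteRetentionInDays
```

Role assignments can take a minute or two to propagate, so a Set-AzKeyVaultSecret issued immediately after this script may return a 403 once before it succeeds.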
Storing Credentials in Azure Key Vault
Once you have created your Azure Key Vault, you can begin storing your sensitive credentials such as usernames and passwords. To do this, follow these steps:
- Open your Azure Key Vault in the Azure portal.
- Click on Secrets in the left-hand menu.
- Click Generate/Import to add a new secret to your Key Vault.
- Select Manual under Upload options.
- Enter a name and value for your secret, and click Create.
- Your new secret will be listed in the Secrets tab. You can click on it to view the details, including the version number and creation date.
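The same step with Az PowerShell, as an added example that is not part of the original post. It shows two things the portal steps do not: the password is prompted for as a SecureString so it never lands in the shell history or in the script file, and the secret is given an expiry date and metadata so rotation can be enforced and the username does not have to be smuggled into the value. Vault and secret names are the ones used in this post; the username, the purpose tag and the 90-day lifetime are assumptions.

```powershell
# Added example, not code from the original post. Vault and secret names follow the post;
# the username, tag and lifetime are assumptions.
$vault = 'kv-infra-vms'
$name  = 'credential01'

# Prompt for the password rather than typing it on the command line: it stays out of
# PSReadLine history, transcripts and this script. Read-Host -AsSecureString returns the
# SecureString type that Set-AzKeyVaultSecret expects for -SecretValue.
$password = Read-Host -Prompt 'Password for vm-admin' -AsSecureString

# Tags and ContentType carry non-sensitive metadata (who the credential is for) so the
# secret value holds only the password. -Expires makes rotation enforceable: clients that
# honour the expiry stop using the secret, and the vault reports it as expired.
$secret = Set-AzKeyVaultSecret -VaultName $vault -Name $name `
    -SecretValue $password `
    -ContentType 'text/plain' `
    -Expires (Get-Date).AddDays(90).ToUniversalTime() `
    -Tag @{ username = 'vm-admin'; purpose = 'local admin for infra VMs' }

# The versioned identifier is what you pin in configuration if you want a deployment to
# keep using one specific value until you deliberately roll it forward.
"Stored $($secret.Id)"

# Every Set creates a new version; older versions stay readable by id until disabled or
# deleted, so rotation is simply writing a new value and disabling the old version.
Get-AzKeyVaultSecret -VaultName $vault -Name $name -IncludeVersions |
    Select-Object Name, Version, Enabled, Created, Expires
```

Note that this writes the new version only; to retire the previous one after a rotation, disable it explicitly with Update-AzKeyVaultSecret -Enable $false on that version so readers cannot keep using it by id.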
Retrieving Credentials from Azure Key Vault
Now that you have stored your credentials in Azure Key Vault, you can retrieve them securely and use them within your VM configurations.
Using Azure PowerShell to Retrieve Credentials
Here's an example of how to retrieve a secret from your Azure Key Vault using Azure PowerShell. The object returned carries the value in its SecretValue property as a SecureString; add -AsPlainText only when you genuinely need the raw string (for example, to build a PSCredential), and never write that string to a log or a file:
$secret = Get-AzKeyVaultSecret -VaultName "kv-infra-vms" -Name "credential01"
$plain = Get-AzKeyVaultSecret -VaultName "kv-infra-vms" -Name "credential01" -AsPlainText
Using Azure VM Extensions to Retrieve Credentials
Another way to retrieve credentials from Azure Key Vault is to use Azure VM extensions. Azure VM extensions allow you to run scripts and other code on your VMs to perform various tasks, such as installing software or configuring settings.
The extension built for this purpose is the Azure Key Vault VM extension (available for both Windows and Linux VMs). Be precise about what it does: it monitors certificates stored in the vault and installs them, with automatic refresh, into the VM's certificate store. It is the right tool for TLS and client-authentication certificates, but it does not hand arbitrary secrets such as passwords to your scripts. For those, give the VM a managed identity and let the script fetch the secret itself at runtime, as outlined in the steps below.
Here are the high-level steps to use the Azure Key Vault VM extension:
- Create the Azure VM and enable a system-assigned managed identity on it (in the Azure portal, or with Update-AzVM -IdentityType SystemAssigned). If you also need certificates installed on the VM, add the Key Vault VM extension at this point.
- Grant that identity read access to the secrets it needs: the Key Vault Secrets User role scoped to the vault (or to the individual secret) if the vault uses Azure RBAC, or an access policy with the Get permission on secrets if it uses access policies. Scope it as narrowly as you can; a VM that needs one secret should not be able to list or read all of them.
- Create a script or application on the VM that obtains a token for Key Vault from the managed identity endpoint, retrieves the secret, and uses it in your application or configuration.
Here's an example PowerShell script that retrieves the secret with the Az module from a machine where an administrator has signed in (this is not the VM extension, and it does not save the secret to a file). Note that the SecretValueText property used in older versions of this script was removed in Az.KeyVault 2.0:
$KVSecret = Get-AzKeyVaultSecret -VaultName "kv-infra-vms" -Name "credential01"
# $KVSecret.SecretValue is a SecureString; SecretValueText no longer exists. Ask for the plain text explicitly:
$KVSecretValue = Get-AzKeyVaultSecret -VaultName "kv-infra-vms" -Name "credential01" -AsPlainText
You can use $KVSecretValue in your code, but treat it for what it is: the credential in plain text in process memory. Do not write it to a file, echo it to the console, or pass it on a command line where it would land in transcripts and process listings; wrap it in a PSCredential and discard the plain-text variable as soon as the credential object exists.
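The runtime retrieval that the steps above call for, as an added example that is not part of the original post. It runs inside the VM and uses the VM's managed identity rather than the VM extension or a stored Azure login: it asks the Instance Metadata Service (IMDS) for a Key Vault token, reads the secret over the Key Vault REST API, and turns it into a PSCredential without the plain text ever touching disk. It assumes the VM has a system-assigned managed identity holding the Key Vault Secrets User role (or Get on secrets through an access policy) on kv-infra-vms, and that the secret may carry a username tag; the vault and secret names are the ones used in this post, and the fallback username vm-admin is an assumption.

```powershell
# Added example, not code from the original post. Run inside the VM. Assumes a
# system-assigned managed identity with read access to secrets on the vault.
$vaultUri   = 'https://kv-infra-vms.vault.azure.net'
$secretName = 'credential01'

# 1. Obtain a token for Key Vault from IMDS. The endpoint is link-local and only reachable
#    from inside the VM, and the Metadata header blocks SSRF-style requests that cannot set
#    custom headers. No credential is stored on the VM for this step. If the VM uses a
#    proxy, 169.254.169.254 must be excluded from it; IMDS has to be reached directly.
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } `
    -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$token = $tokenResponse.access_token

# 2. Read the current version of the secret over the Key Vault REST API. Pin a version in
#    the URL (…/secrets/<name>/<version>) if the deployment must not pick up rotations
#    automatically. ${secretName} is braced because '?' is legal in a variable name.
$secretResponse = Invoke-RestMethod -Method Get `
    -Headers @{ Authorization = "Bearer $token" } `
    -Uri "$vaultUri/secrets/${secretName}?api-version=7.4"

# 3. Take the username from the secret's tags if present (see the storing step), otherwise
#    fall back to an assumed default, and convert the value straight into a PSCredential so
#    the password is held as a SecureString and is never logged or written to disk.
$username = if ($secretResponse.tags.username) { $secretResponse.tags.username } else { 'vm-admin' }
$credential = New-Object System.Management.Automation.PSCredential(
    $username,
    (ConvertTo-SecureString $secretResponse.value -AsPlainText -Force)
)

# 4. Drop the raw response and the bearer token now that the credential object exists;
#    both would otherwise sit in the session for anyone who can dump or inspect it.
Remove-Variable -Name secretResponse, token, tokenResponse

# Use $credential with anything that accepts -Credential, e.g.:
# Invoke-Command -ComputerName other-vm -Credential $credential -ScriptBlock { hostname }
$credential.UserName
```

The token IMDS hands back is short-lived and bound to the VM's identity, so there is nothing to rotate on the VM itself; revoking the role assignment on the vault is enough to cut the VM off, and every read shows up in the vault's diagnostic logs under that identity.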
Azure Key Vault provides a secure, centralized location for storing and managing sensitive secrets and lets you retrieve them securely for use in your cloud applications and services. By following the steps in this post you can use a Key Vault to hold the credentials your VMs need, grant each VM only the access it requires, and use those credentials within your VM configurations without ever committing them to code.