IMPLEMENT AZURE SECURE CLOUD SOLUTIONS
Cloud computing gives organizations capabilities that are hard to build on premises: stronger data security and customer service through better data gathering and storage, rapid scalability, and convenient, fast file and data sharing between interconnected systems.
In this post we learn how an application reads a secret from Azure Key Vault using a managed identity, with an Azure Function as the client. We first cover Azure Key Vault and managed identities for a foundational understanding, then move on to the demonstration that puts them into action.
Azure Key Vault
Key Vault provides centralized storage for application secrets and supports software-backed and HSM-backed keys, secrets, and certificates.
Explore Azure Key Vault
Azure Key Vault is a cloud service for securely storing and accessing secrets.
Examples: API keys, passwords, certificates, or cryptographic keys.
The Key Vault service supports two container types: vaults, which hold software-backed and HSM-backed keys, secrets and certificates, and managed HSM pools, which hold HSM-backed keys only.
Why do we need an Azure Key Vault?
Secrets Management — Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Key Management — Azure Key Vault can be used as a Key Management Solution. Key Vault makes it easy to create & control the encryption keys used to encrypt your data.
Certificate Management — Azure Key Vault also lets you easily provision, manage and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
Key Vault Authentication
Managed identities for Azure resources — When you deploy an app on a VM in Azure, you can assign an identity to that VM and grant the identity access to Key Vault. Identities can be assigned to other Azure resources as well. The benefit is that neither the app nor the service has to manage a bootstrap credential: Azure automatically rotates the service principal credential associated with the identity. This is the recommended approach.
Service principal and certificate — Use a service principal with an associated certificate that has access to Key Vault. This is not recommended, because the application or the developer must rotate the certificate.
Service principal and secret — Use a service principal and a client secret to authenticate to Key Vault. This is also not recommended, because the bootstrap secret used to authenticate to Key Vault is hard to rotate automatically, and it must be stored somewhere the application can read it, which is the very problem Key Vault is meant to solve.
Key Vault Encryption
Azure Key Vault enforces TLS to protect data while it travels between Key Vault and the client.
The client negotiates a TLS connection with Key Vault; TLS provides strong authentication, message privacy and integrity, interoperability, algorithm flexibility, and ease of deployment and use.
Perfect forward secrecy (PFS) protects connections between customers' client systems and Microsoft cloud services with unique per-session keys, so a compromised long-term key does not expose previously recorded sessions.
The connection also uses RSA-based 2048-bit key lengths. This combination makes it difficult for an attacker to intercept and read data in transit.
Authenticate to Azure Key Vault
· Key Vault authentication works with Azure Active Directory.
· Azure Active Directory is responsible for authenticating the identity of any given security principal.
Two ways to obtain a service principal
1. Managed Identity
2. Register the application with your Azure AD tenant
Note — A system-assigned managed identity is generally the recommended option.
Authentication to Key Vault in application code
· When application code uses the Key Vault SDK together with the Azure Identity client library, DefaultAzureCredential selects the managed identity when running in Azure and a developer credential when running locally, so the code does not have to name a specific credential type.
· This allows seamless authentication to Key Vault across environments with the same code.
· Azure Identity client libraries are available for the major frameworks and languages, including .NET, Java, JavaScript, Python and Go.
Azure Key Vault best practices
Use separate Key Vaults — Use one vault per application per environment (development, pre-production, production). This keeps secrets from being shared across environments and limits the blast radius if one vault is compromised.
Control access to your vault — Key Vault data is sensitive and business critical; restrict access to authorized applications and users only, and grant each identity the narrowest set of permissions its workload needs (for example, Get on secrets rather than List or Set).
Backup — Create regular backups of your vault, and take a backup whenever objects in the vault are created, updated or deleted.
Logging — Turn on logging and alerts so that every access to the vault is auditable.
Recovery options — Turn on soft-delete and purge protection to guard against accidental or malicious deletion of secrets and of the vault itself.
Key benefits
· Centralized application secrets
· Securely store secrets and keys
· Monitor access and use
· Simplified administration of application secrets
Managed Identities
A common challenge for developers is managing the credentials used to secure communication between the components of a solution. A managed identity provides an identity that applications use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
Managed identities for Azure resources eliminate credential management for Azure customers: the platform manages the credentials.
Managed identities are assigned to "source" Azure resources and can be used to access any "target" service that supports Azure AD authentication.
For example, an application may use a managed identity to access Azure Key Vault, where developers store credentials securely, or to access a storage account. Azure provides two types of managed identities.
System-Assigned Managed Identity
Some Azure services let you enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of the service instance: when the resource is deleted, Azure automatically deletes the identity for you.
User-Assigned Managed Identity
You can create a user-assigned managed identity as a standalone Azure resource and assign it to one or more instances of an Azure service. For user-assigned managed identities, the identity is managed separately from the resources that use it.
Explore use of Managed Identities
For an understanding of the actual use of managed identity, see the diagram and explanation below.
The diagram shows VMs 1 to 4 using a user-assigned managed identity, which can be shared across multiple Azure resources. That identity currently grants VMs 1 to 4 access to Storage Account 1 and Key Vault 1, and it acts as a shared identity among all four VMs.
The system-assigned managed identity is enabled only on VM4 and has access to Storage Account 1 and Key Vault 2. Because a system-assigned managed identity is tightly coupled to its Azure resource, it cannot be shared with other VMs.
Characteristics of Managed Identities
When to use managed identities
Managed identities let an application, for example one running in Azure App Service, access Azure Storage without holding any credentials of its own.
Note: Managed Identities for Azure resources can be used to authenticate to services that support Azure AD Authentication.
How it works
The workflow above shows how a managed identity works together with Azure AD, a VM, and Azure Key Vault: the VM requests a token for its identity from Azure AD, then presents that token to Key Vault, which checks the identity's permissions before returning the secret.
Demo Overview
Create Azure Key Vault and Add Secret
Go to Azure portal -> Type “Key Vault” search -> click the “Create” button.
Provide necessary information and click-> “Review + Create” button
Click -> “Create” button. Finally, you will have the Azure Key Vault under the selected Resource Group.
Go to created Key Vault -> on the left menu click -> “Secrets”
Click-> “Generate/Import”; a form with Name and Value fields appears.
Click-> “Create”. The newly created secret is now listed under the Key Vault.
Click-> the secret; its versions are listed. Select the current version.
Clicking -> “Show Secret Value” displays the value. In my case, it is “pass#word1”.
Create Managed Identity
Go to Azure portal -> Type “Managed Identities” search -> click “Create” button
Provide the necessary information then click -> “Review + Create” button.
Click-> “Create” button. Finally, you will have the User-Assigned-Managed identity under the Resource Group.
The above image displays created User-Assigned-Managed Identity.
Create Azure Function
Go to Azure portal -> Type “Function App” search -> click the “Create” button.
Provide necessary information -> click -> “Review + Create” button.
Click -> “Create” button. Finally, you will have the Azure Function App under the Resource Group.
In the Azure Function App, click -> “Functions” from the menu.
Click the “Create” button.
A function window appears; select “HTTP trigger” and click -> “Create”. The HTTP-triggered function is created.
So far, we have created the Azure Key Vault with a secret, a user-assigned managed identity, and an Azure Function App with an HTTP trigger.
Using the HTTP trigger, we attempt to read the Key Vault secret value both locally and in the deployed environment. Visual Studio Code is used for this demonstration.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace Company.Function
{
    public static class HttpTrigger1
    {
        [FunctionName("HttpTrigger1")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            try
            {
                string secretName = "demosecret"; // Replace with your secret name
                var kvUri = "https://secure-cloud-key-vault.vault.azure.net/"; // Replace with your Key Vault URI

                // ManagedIdentityClientId selects the user-assigned identity attached to the
                // Function App; omit it when the app uses a system-assigned identity.
                // (In production, create the client once as a static field: SecretClient is
                // thread-safe and the credential caches its Azure AD token.)
                var client = new SecretClient(
                    new Uri(kvUri),
                    new DefaultAzureCredential(new DefaultAzureCredentialOptions
                    {
                        ManagedIdentityClientId = "24b8d4bb-065a-4581-bebe-c08bb044ba5c"
                    }));

                // Async call so the function does not block a worker thread on the network round trip.
                KeyVaultSecret secret = await client.GetSecretAsync(secretName);

                // Demo only: a real function would use the value (connection string, API key)
                // and never echo it back to the caller.
                return new OkObjectResult("This is a secret key from Azure Key Vault: " + secret.Value);
            }
            catch (Exception ex)
            {
                // Log the detail server-side; do not return exception text to the client.
                log.LogError(ex, "Failed to read the secret from Key Vault");
                return new StatusCodeResult(StatusCodes.Status500InternalServerError);
            }
        }
    }
}
The code above is the segment that reads the secret from Azure.
Given the Key Vault URI and the secret name, the function can retrieve the secret value.
string secretName = "demosecret"; // Replace your secret name
var kvUri = "https://secure-cloud-key-vault.vault.azure.net/";// Replace your Key Vault URI
The image above shows the vault URI: kvUri = "https://secure-cloud-key-vault.vault.azure.net/".
This image shows the Key Vault secret name: secretName = "demosecret".
In the code, the secret name ("secretName") and the Key Vault URI ("kvUri") identify the secret that the HTTP-triggered function reads.
Connections between Azure Key Vault and the application (the HTTP-triggered function) are made with the Azure.Security.KeyVault.Secrets library. To supply credentials through DefaultAzureCredential, you also need the Azure.Identity package.
Note: Add the package from https://www.nuget.org/packages/Azure.Identity to the project.
DefaultAzureCredential provides a default token-acquisition flow: it tries, in order, EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, VisualStudioCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential and InteractiveBrowserCredential, and uses the first one that returns a token. InteractiveBrowserCredential is excluded by default, and each of the others can be excluded individually through DefaultAzureCredentialOptions; newer releases of the library add further credential types (such as workload identity) to the chain.
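The following is an added example, not code from the original post. It covers the two points above: the three ways of authenticating to Key Vault (managed identity versus service principal with certificate or secret) and the DefaultAzureCredential chain. Rather than letting DefaultAzureCredential probe every credential type on every cold start, it uses the managed identity alone when running in Azure and a trimmed chain on a developer machine. It assumes an app setting named MANAGED_IDENTITY_CLIENT_ID holding the user-assigned identity's client ID (omitted for a system-assigned identity); IDENTITY_ENDPOINT is set by the App Service and Functions host whenever an identity is attached.

```csharp
// Added example (not from the original post). Picks the credential explicitly
// instead of leaving the choice to DefaultAzureCredential's full probe.
// Assumptions: the Function App setting MANAGED_IDENTITY_CLIENT_ID holds the
// client ID of the user-assigned identity (omit it for a system-assigned one).
// IDENTITY_ENDPOINT is set by the App Service / Functions host when an identity
// is attached, so its presence is a reliable "running in Azure" signal.
using System;
using Azure.Core;
using Azure.Identity;

namespace Company.Function
{
    public static class CredentialFactory
    {
        public static TokenCredential Create()
        {
            string identityClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");
            bool hasManagedIdentity = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT"));

            if (hasManagedIdentity)
            {
                // In Azure: exactly one credential, the identity attached to this Function App.
                // Passing the client ID matters when a resource carries more than one identity;
                // without it the system-assigned identity is used.
                return string.IsNullOrEmpty(identityClientId)
                    ? new ManagedIdentityCredential()
                    : new ManagedIdentityCredential(identityClientId);
            }

            // Local development: rely on the developer's Azure CLI / Visual Studio / VS Code
            // sign-in. A managed identity cannot exist here; the shared token cache may pick an
            // unintended account when several are signed in; and EnvironmentCredential would
            // read a client secret from AZURE_CLIENT_SECRET, the pattern the post advises against.
            // InteractiveBrowserCredential is already excluded by default.
            return new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeManagedIdentityCredential = true,
                ExcludeSharedTokenCacheCredential = true,
                ExcludeEnvironmentCredential = true
            });
        }
    }
}
```

The demo function would then construct its client as `new SecretClient(new Uri(kvUri), CredentialFactory.Create())`. If a workload has no managed identity at all (for example, code running outside Azure), the least bad fallback is a service principal with a certificate via `ClientCertificateCredential`, with the rotation burden that the section above describes; a client secret in configuration should be the last resort.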
For this HTTP trigger function, I have added the user-assigned managed identity to support Azure AD authentication.
I added the following managed identity client ID to the application.
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential(new DefaultAzureCredentialOptions(){ManagedIdentityClientId="24b8d4bb-065a-4581-bebe-c08bb044ba5c"}));
The image shows where you can get the client ID.
Calling "GetSecret" with "secretName" returns the secret; its Value property holds the secret value.
KeyVaultSecret secret = client.GetSecret(secretName);
So far, we have completed the code that retrieves the secret value. To run it, follow the steps below.
In the Function App, select -> “Identity” from the menu.
This image shows how to select and add a user-assigned managed identity.
A pop-up window labeled Add User Managed Identity will appear, allowing you to add the User-Assigned-Managed identity you created. In my case, the User-Assigned-Managed identity is Secure-Cloud-User-Assigned-Managed-Identity.
After successfully adding a User-Assigned-Managed identity to your Azure Function, your Azure Key Vault needs an access policy to work with your Azure Function.
The following steps show how to add an access policy to your Azure Key Vault.
Click-> “Access Policies” from the menu, then click-> “Create”.
Select-> “Get” under Secret permissions (only the permission the function actually needs), then click-> Next.
Search-> “secure-cloud-user-assigned-managed-identity”, select it, and click-> Next.
Click-> “Create” to add a user-assigned managed identity to your Azure Key Vault access policy.
So far, we have added all the configuration to the Azure Function and the Key Vault. The application is now ready to return the secret value without any credentials in code or configuration.
In my case, the secret is “pass#word1”. Press F5 to run the function and see how it works.
The result above is a simple JSON representation of the secret value from the vault, retrieved through the user-assigned managed identity. The same code deploys to Azure without changes, because DefaultAzureCredential picks up the managed identity there. Note that when running locally, the managed identity is not available: the request is made with the signed-in developer credential (Azure CLI, Visual Studio or VS Code), so that developer account must itself have Get permission on the vault for the local run to succeed.
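The demo function above creates a new client and calls Key Vault on every request, and returns the secret value to whoever calls the HTTP endpoint. The following is an added example, not code from the original post, showing how a practitioner would structure the same function: one client per process, a short-lived in-memory cache so rotation in Key Vault is picked up without a restart, fail-closed handling of an expired secret version, and distinct handling of the two failures seen most often with managed identity (403 because the access policy is missing or the secret is disabled, and no usable credential at all). It assumes app settings named KEY_VAULT_URI and MANAGED_IDENTITY_CLIENT_ID; the function name SecretStatus and the five-minute TTL are illustrative.

```csharp
// Added example (not from the original post). Wraps SecretClient in a small
// time-bounded cache and handles the failure modes seen with managed identity.
// Assumptions: app settings KEY_VAULT_URI and MANAGED_IDENTITY_CLIENT_ID (the
// latter unset for a system-assigned identity); the function name SecretStatus
// and the five-minute TTL are illustrative.
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace Company.Function
{
    // Caches secret values for a bounded time: per-request Key Vault calls add latency and
    // count against the vault's throttling limits, while a short TTL still lets a rotated
    // secret (a new version in Key Vault) be picked up without restarting the app.
    public sealed class CachedSecretReader
    {
        private sealed class Entry { public string Value; public string Version; public DateTimeOffset Expires; }

        private readonly SecretClient _client;
        private readonly TimeSpan _ttl;
        private readonly ConcurrentDictionary<string, Entry> _cache = new ConcurrentDictionary<string, Entry>();

        public CachedSecretReader(SecretClient client, TimeSpan ttl) { _client = client; _ttl = ttl; }

        public async Task<(string Value, string Version)> GetAsync(string name, CancellationToken ct = default)
        {
            if (_cache.TryGetValue(name, out Entry hit) && hit.Expires > DateTimeOffset.UtcNow)
                return (hit.Value, hit.Version);

            // No version argument: always read the current (latest enabled) version.
            KeyVaultSecret secret = await _client.GetSecretAsync(name, cancellationToken: ct);

            // Fail closed on a secret past its expiry date instead of relying on the service to refuse it.
            DateTimeOffset? expiresOn = secret.Properties.ExpiresOn;
            if (expiresOn.HasValue && expiresOn.Value <= DateTimeOffset.UtcNow)
                throw new InvalidOperationException(
                    $"Secret '{name}' version {secret.Properties.Version} expired on {expiresOn.Value:u}.");

            var entry = new Entry { Value = secret.Value, Version = secret.Properties.Version, Expires = DateTimeOffset.UtcNow.Add(_ttl) };
            _cache[name] = entry;
            return (entry.Value, entry.Version);
        }
    }

    public static class SecretStatus
    {
        // One reader per process: SecretClient is thread-safe and the credential caches its token.
        private static readonly CachedSecretReader Reader = new CachedSecretReader(
            new SecretClient(
                new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_URI")
                        ?? throw new InvalidOperationException("KEY_VAULT_URI app setting is not set")),
                new DefaultAzureCredential(new DefaultAzureCredentialOptions
                {
                    // null selects the system-assigned identity
                    ManagedIdentityClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID")
                })),
            TimeSpan.FromMinutes(5));

        [FunctionName("SecretStatus")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req,
            ILogger log,
            CancellationToken ct)
        {
            const string secretName = "demosecret"; // the secret created earlier in the post
            try
            {
                var (value, version) = await Reader.GetAsync(secretName, ct);
                // Use the value here (connection string, API key, ...). Return only metadata,
                // never the value itself, to an HTTP caller.
                return new OkObjectResult(new { name = secretName, version, length = value.Length });
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                // The identity reached the vault but was refused: no "Get" secret permission
                // for this identity (access policy or RBAC), or the secret version is disabled.
                log.LogError(ex, "Access denied reading secret {Secret}", secretName);
                return new StatusCodeResult(StatusCodes.Status503ServiceUnavailable);
            }
            catch (CredentialUnavailableException ex)
            {
                // No credential in the chain could produce a token, e.g. no managed identity
                // is attached to this Function App.
                log.LogError(ex, "No Azure credential available");
                return new StatusCodeResult(StatusCodes.Status503ServiceUnavailable);
            }
        }
    }
}
```

The TTL is the trade-off knob: a rotated secret is served from cache for at most that long, so pick a value shorter than the overlap window during which both the old and the new secret are valid. The expiry check throws rather than returning a stale value, which the Functions host turns into a 500; that is the intended fail-closed behaviour.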
Summary
We hope this post helped you understand Azure Key Vault, managed identities, and Azure Functions. Its main purpose is to give you working knowledge and a working Azure Function connected to Key Vault through a managed identity. Secure cloud computing is gaining adoption and credibility across industries, and there are many other resources for reading and learning about it; the official Azure documentation is a good starting point.