AZ-204 Microsoft Azure Developer Associate – Implement Azure Security part 1
- AZ-203/ 204 – What is the Azure Key Vault Service
Hi and welcome back. In this chapter, I want to talk about the Azure Key Vault service. Azure Key Vault is a managed service in Azure that is used to manage all of your secrets. So let’s say you want to securely store a database password somewhere: you can make use of the Azure Key Vault service. Say your application needs to connect to a database. Remember, in order to connect to the database, it needs to use a username and a password. Now, you could embed the password within the application itself, but this is not a secure practice. Instead, you can have your application make a secure call to the Azure Key Vault service. The application fetches the password from Key Vault and then connects to the database. So the Key Vault service is a secure place for storing all of your secrets. In addition to storing secrets such as passwords, it can also store encryption keys. So if you want a place to store the keys that are used to encrypt your data, you can make use of the Azure Key Vault service. You can also store your certificates there. So instead of a company maintaining its own on-premises server and installing software on that server just to securely store, let’s say, its encryption keys and certificates, it can store everything in the Azure Key Vault service. This is a completely managed service. It’s a secure service, a safe service that you can use for creating and managing all of your secrets. So let’s move on to the next set of chapters, in which we are going to see how to work with the Azure Key Vault service.
- AZ-203/ 204 – Lab – Azure Key Vault
So here I’m in Azure. Let me add a new resource. I’ll search for Key Vault and hit Create. I’ll choose my subscription and a resource group. Let me give a vault name; it needs to be unique. I’ll leave the region as East US and the pricing tier as Standard. Now, if you want to ensure that you can recover deleted objects, say someone accidentally deletes one of the objects in the Key Vault, you can enable soft delete, and then you can recover those deleted objects. So if you want, you can keep this enabled. You can then specify a retention period: if someone deletes an object, how long do you want to retain that data for? You can keep it as 90 days. I’ll leave purge protection disabled. I’ll go on to Next, on to the access policy.
I’m going to leave the settings as they are. I’ll leave the networking as it is. I’ll go on to Tags, then Review and Create, and let me create the Azure Key Vault resource. Once you have the resource in place, you can go on to the resource. Over here on the left-hand side, you can see that you can create keys, secrets and certificates. So in this chapter, I just want to go through the concept of creating an Azure Key Vault resource. Let’s go on to the subsequent chapters and see how to work with the different artifacts that are available in Key Vault.
- AZ-203/ 204 – What is a service principal
Hi and welcome back. In this chapter, I want to go through the concept of the service principal. Now, you can define a user in Azure AD. Using that user principal, once you authenticate yourself to Azure AD, you can have access to resources such as an Azure SQL database, an Azure virtual machine, or even the Azure Key Vault service. But let’s say you want an application that needs to fetch, for example, a secret from the Azure Key Vault service. Since we are going to look at how this can be achieved, it’s important to understand the basics of the service principal. In your application, instead of embedding the username and password of a user principal, which is a bad security practice, you can create a service principal in Azure.
It’s like creating a user, but the difference is that it’s a separate principal that can be given permissions and then assigned to the application. Using that service principal, the application can then access the resources or objects in the Azure Key Vault service. And that’s what we are going to do. So when we see how to allow an application to access, let’s say, a key or a secret in the Azure Key Vault service, we are going to create a service principal. We are going to ensure the service principal has the right permissions over the keys, secrets or certificates in the Azure Key Vault service. And then we can allow the application to access those resources in the Azure Key Vault. Right? So that’s just a quick note on the service principal before we move forward.
- AZ-203/ 204 – Lab – Azure Key vault – Secrets
Hi and welcome back. In this chapter, I’m going to show you how you can make use of secrets in Azure Key Vault. So let’s go over to our Key Vault and on to Secrets. Remember, if you want to store an object such as a database password in the Key Vault service, you can make use of secrets. Let me generate a new secret. Let me give a name for the secret and enter its value; I’ll just put a value of “secret password”. Now, you can also set an activation date and an expiration date for the secret. You can do the same for a key as well. So over here you can say that the key or the secret should only be usable after the activation date and before the expiration date. You can also enable or disable the secret at any point in time.
You can mark the secret as either enabled or disabled. So let me ensure the secret is enabled and hit Create. Let’s imagine that this is a password for a database. Now we need a program that first fetches the value of this DB password from the Azure Key Vault service; the application can then use the password to connect to the database. Over here I have Visual Studio open. What I’m doing here is connecting to the Key Vault, which you can do via the Key Vault URL. If you go on to the Key Vault and then Overview, this is where you have your Key Vault URL. So let me go back to the program.
Once I have the URL, I’m using a class to fetch secrets from the vault. I mention the name of the secret that I need to fetch, and then I display it on the console. Now, this program needs some way of authorizing itself to work with the Azure Key Vault service. For that, we’re going to implement a couple of steps. Remember that I talked about the service principal. That service principal is something we need to create, and we need to ensure the service principal has access to the Azure Key Vault. So first I’m going to go on to Azure and open Azure Cloud Shell. Over here I’m going to execute the following command. So over here, I’m executing a command against Azure AD.
I’m creating a service principal. Here I’m giving the name for the service principal, and I’m ensuring that role-based access control is enabled for the service principal. So let me execute this command. Now we have the service principal. What’s important in the output is the application ID, the password and the tenant. Now, there are multiple ways for your application to use these particular values to authenticate and start using the Azure Key Vault service. But one way for a developer is to set environment variables. I’m on a Windows machine, so let me set some environment variables.
On my system, I’ve set these three environment variables: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID. Once you have this in place, your AZURE_CLIENT_ID maps to your application ID; it’s the same value. The client secret is the password over here, and your AZURE_TENANT_ID is the tenant value over here. Once you’ve set these, make sure you restart Visual Studio so that it picks up those values. So I’ve restarted Visual Studio. Now we’ve created our service principal. We have to execute one more command, in which that service principal is given permissions on the secrets.
So if I go on top, I’m setting a policy on that key vault for that service principal. Remember, here is the service principal ID. And here I’m giving the full list of secret permissions: backup, delete, get, list and set. So this is important. First you create your service principal. The service principal details are now part of the environment variables of the system on which the program is running. And now we are setting a policy so that the service principal has permissions on your secrets.
Now let me run the Visual Studio program. When you run the program, you get the value of the secret, which is “secret password”. That’s what I set as the value of the DB password. So now your program is making a secure call to the Azure Key Vault service and getting the value of a secret. This is the entire idea of having secrets in the Azure Key Vault service. So just a quick review of what we did in our lab. For our application to access the secrets in the Azure Key Vault service, we have to create something known as a service principal.
That service principal is created in Azure AD. The application uses the service principal to authenticate to Azure AD. Then we need to give that service principal permissions to access secrets in the Azure Key Vault service. The permissions we have given are backup, delete, get, list and set. Once the application uses the service principal and the service principal has been assigned these permissions, the application can authenticate to Azure AD and will be authorized to access the secrets in the Azure Key Vault service. Right. So this marks the end of this chapter.
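The secrets program described in this chapter, written out as an added example (this is not the course’s own code). The vault URL, secret name and service principal name are placeholders; the credential reads AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID from the environment variables set above, so no password or client secret appears in the source.

```csharp
// Added example: fetch a Key Vault secret with the Azure SDK for .NET
// (NuGet packages: Azure.Identity, Azure.Security.KeyVault.Secrets).
//
// Prerequisites from the chapter (run in Azure Cloud Shell; names are placeholders):
//   az ad sp create-for-rbac --name <sp-name>
//   az keyvault set-policy --name <vault-name> --spn <appId-from-output> \
//       --secret-permissions backup delete get list set
// plus the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and
// AZURE_TENANT_ID set from the appId, password and tenant in the output.
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

class Program
{
    // The vault URL from the Key Vault's Overview blade (placeholder).
    private const string VaultUrl = "https://<vault-name>.vault.azure.net/";

    static int Main()
    {
        // EnvironmentCredential authenticates the service principal using the
        // three AZURE_* variables; the client secret never appears in code.
        var credential = new EnvironmentCredential();
        var client = new SecretClient(new Uri(VaultUrl), credential);

        try
        {
            KeyVaultSecret secret = client.GetSecret("<secret-name>");

            // Activation/expiration dates set in the portal are exposed as
            // properties; surface them so an expiring DB password is noticed.
            if (secret.Properties.ExpiresOn is DateTimeOffset expires)
                Console.WriteLine($"Secret expires on {expires:u}");

            // In a real app, feed the value into the DB connection string
            // instead of printing it; printing here mirrors the lab only.
            Console.WriteLine($"Fetched secret '{secret.Name}': {secret.Value}");
            return 0;
        }
        catch (AuthenticationFailedException ex)
        {
            // Service principal could not sign in: check the three env vars.
            Console.Error.WriteLine($"Authentication failed: {ex.Message}");
            return 1;
        }
        catch (RequestFailedException ex)
        {
            // 403: signed in, but the access policy lacks the 'get' permission.
            Console.Error.WriteLine($"Key Vault call failed ({ex.Status}): {ex.Message}");
            return 1;
        }
    }
}
```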
- AZ-203/ 204 – Lab – Azure Key vault – Encryption keys
Hi and welcome back. In this chapter, let’s look at working with encryption keys in the Azure Key Vault service. Let’s say you want to generate or hold a key that can be used to encrypt data. You can create one in the Azure Key Vault service. Go on to the service, then Keys, and let’s create a new encryption key. Give it a name. Here you can mention the key type and the key size; I’ll leave them as they are. Again, you can mention the activation and the expiry date. I’ll leave those as they are, and let me create the key in the Azure Key Vault service. So that’s done. Now, over here again I have a Visual Studio program, and again this program is making a request to the Azure Key Vault.
This time, I’m using the KeyClient class to get the new key from the key vault. I’m then using that key to encrypt some sensitive data. I have some text over here which is encrypted using that encryption key. I can then use the necessary classes to decrypt that encrypted text, or cipher text, and then display the plain text. So remember, you can store your encryption keys in the Azure Key Vault service. You then use your own application, with your own encryption methods or algorithms, to encrypt the data, and use the same encryption key to decrypt the data. Now, in order for this program to run, remember that in the prior chapter we created a service principal.
We gave that service principal permissions on secrets in the Azure Key Vault service. Here, we have to perform the same operation: we have to give our service principal permissions on the encryption keys in our Azure Key Vault. So I’ll go over to Azure, then Cloud Shell, and paste the command. What I’m doing over here is again setting the Key Vault policy with az keyvault set-policy. I’m giving the vault name, and then I’m giving the permissions of backup, delete, get, list, create, encrypt, decrypt and update. And again, I’m mentioning the same service principal. So let me execute this.
Now that I’ve given the required permissions, let me go to the program and run it. Over here we get the plain text back, which is our “sensitive data” string. Remember, for this particular string, we first encrypted it using the encryption key, then decrypted that cipher text and displayed it on the console. So if you look at the review, it’s the same concept again: we have our application and our service principal, and we’ve given it permissions on the keys in the Azure Key Vault service. When the application needs an encryption key to encrypt data, it uses the service principal, authenticates to Azure AD, and is then authorized to use a key in the Azure Key Vault service. Right? So this marks the end of this chapter.
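The encryption-key program from this chapter, written out as an added example (not the course’s own code). The vault URL, key name and sample text are placeholders I chose; it assumes the same service principal and AZURE_* environment variables as the secrets lab, with the key permissions set as described above.

```csharp
// Added example: encrypt and decrypt with a Key Vault key. The private key
// never leaves the vault; the SDK sends the bytes to Key Vault's encrypt and
// decrypt operations (NuGet: Azure.Identity, Azure.Security.KeyVault.Keys).
//
// Prerequisite from the chapter (placeholders):
//   az keyvault set-policy --name <vault-name> --spn <appId> \
//       --key-permissions backup delete get list create encrypt decrypt update
using System;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;

class Program
{
    private const string VaultUrl = "https://<vault-name>.vault.azure.net/";
    private const string KeyName = "<key-name>";

    // Round-trips plaintext through the vault key; returns the recovered text.
    static string EncryptDecryptRoundTrip(string plaintext)
    {
        var credential = new EnvironmentCredential();
        var keyClient = new KeyClient(new Uri(VaultUrl), credential);

        // 'get' permission: fetch the key's metadata and versioned identifier.
        KeyVaultKey key = keyClient.GetKey(KeyName);

        // CryptographyClient targets that exact key version, so a later key
        // rotation cannot silently change which key decrypts old ciphertext.
        var crypto = new CryptographyClient(key.Id, credential);

        // 'encrypt' permission. RSA-OAEP can only encrypt a payload smaller
        // than the key size; for bulk data, encrypt locally with a symmetric
        // key and protect only that key with the vault key.
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        EncryptResult enc = crypto.Encrypt(EncryptionAlgorithm.RsaOaep, data);
        Console.WriteLine($"Ciphertext ({enc.Ciphertext.Length} bytes) via {enc.KeyId}");

        // 'decrypt' permission: Key Vault performs the RSA decryption.
        DecryptResult dec = crypto.Decrypt(EncryptionAlgorithm.RsaOaep, enc.Ciphertext);
        return Encoding.UTF8.GetString(dec.Plaintext);
    }

    static void Main()
    {
        // Constructed sample input, not the course's own string.
        string recovered = EncryptDecryptRoundTrip("This is sensitive data");
        Console.WriteLine($"Plain text: {recovered}");
    }
}
```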
- AZ-203/ 204 – Lab – Permissions vs RBAC
Hi and welcome back. In this chapter, I want to go through the key concept of the difference between permissions and role-based access control when it comes to the Azure Key Vault service. In the prior chapters, we saw how we could work with secrets and keys in the Azure Key Vault service. We had our application, which was fetching either a secret or a key. Remember, first we registered an application, or service principal, in Azure AD. And for that service principal, we ensured that it had the right permissions when it came to working with secrets or keys in the Azure Key Vault service. The first thing you have to understand from this is that in order to access any of these artifacts, whether an encryption key, a certificate or a secret, you need to have the right permissions in place for these particular resources.
For example, for encryption keys, a user, an application or a service principal needs to have permissions. You could give the permission to create an encryption key, or to perform the encrypt and decrypt operations using the encryption key. Similarly, for a certificate, you could give the permission to create a certificate. And for secrets, you could give the permissions to set the value of a secret, to list the secrets, or to get the value of a particular secret. So remember, permissions are important: you have to give permissions to the resources in your Azure Key Vault. Next we come to role-based access control. Role-based access control is given at the control plane, that is, at the Azure Key Vault level, not at the encryption key, certificate or secret level.
For that, you have the permissions. Role-based access control is given at the Key Vault level. For example, one of the roles that you can give to users is Key Vault Contributor. This lets you manage the various aspects of the key vault, but it does not give you access to the data in the key vault itself. As I said, to give access to the data in the key vault, you have to look at giving permissions. Now let me go on to Azure just to show you both of these aspects. If I go on to our existing key vault, remember that in this key vault we worked with keys and with secrets. If I go on to Access policies, you can see that we have two access policies in place.
These access policies are given for an application and for a particular user, which is our global administrator. If I scroll to the right, you can see that you can give permissions for your keys, your secrets and your certificates. If I go on to the key permissions, these are all the permissions that are available. So if you want a user or an application to perform different operations on the keys in the Azure Key Vault service, you have to ensure that you give the right permissions. It’s the same case for the secrets: over here you have the permissions available for a secret, and then the permissions available for a certificate.
Let’s say you want to give another user access or permissions to either keys or secrets. You could add an access policy. First you select the principal; let’s say I want to give access to a user, User A, and click Select. Now I have selected my principal. The principal could be either a user principal or a service principal. Then you give the required permissions. Let’s say you want this user to be able to get the values of secrets in the Azure Key Vault, to list the secrets, and to set the value of secrets. So you select these permissions. You then scroll down and click Add, and then, very importantly (it even mentions this over here), make sure you click the Save button to commit your changes.
So click Save. Once you’ve done that, you have three principals in place, each with different access or permissions on keys, secrets or certificates in the Azure Key Vault. And then we have our normal role-based access control. If you go on to Access control and click on Role assignments, you can select the different roles. As I said, if you want users to manage the different aspects of the key vault, you can select the Key Vault Contributor role, select the user, and that’s it. This is at the control plane, just to manage the key vault itself; it is not used to manage the data in the key vault. So these are the two different aspects of access control for Azure Key Vault. This marks the end of this chapter.