20535A_LAB_AK_09.md

Module 9: Managing Security and Identity for Azure Solutions

Lab Answer Key: Deploying Services to Secure Secrets in Azure

Before we start

1. Ensure that you are logged in to your Windows 10 Virtual Machine using the following credentials:

   • Username: Admin

   • Password: Pa55w.rd

2. Observe the Taskbar located at the bottom of your Windows 10 desktop. The Taskbar contains the icons for the common applications we will use in the labs:

   • Microsoft Edge

   • File Explorer

   • Visual Studio Code

   • Microsoft Azure Storage Explorer

   • Bash on Ubuntu on Windows

   • Windows PowerShell

   • Microsoft Word 2016

   Note: You can also find shortcuts to these applications on the Desktop and in the Start Menu.

Exercise 1: Deploy Key Vault Resources

Task 1: Open the Azure Portal

1. On the Taskbar, click the Microsoft Edge icon.

2. In the open browser window, navigate to the Azure Portal (https://portal.azure.com).

3. Enter the email address of your Microsoft account.

4. Click the Next button.

5. Enter the password for your Microsoft account.

6. Click the Sign in button.

Task 2: Deploy Key Vault

1. On the left side of the portal, click the Create a resource link.

2. At the top of the New blade, locate the Search the Marketplace field.

3. Enter the text Key Vault into the search field and press Enter.

4. In the Everything search results blade, select the Key Vault result.

5. In the Key Vault blade, click the Create button.

6. In the Create key vault blade, perform the following actions:

   a. In the Name field, enter a globally unique value. Record the name of this Key Vault instance as you will need to reference it later in this lab.

   a. Leave the Subscription field set to its default value.

   a. In the Resource group section, select the Create new option.

   a. In the Resource group section, enter the value MOD09KVST into the empty field..

   a. In the Location field, select the East US location.

   a. Click the Create button.

7. Wait for the creation task to complete before moving on with this lab.

Task 3: Add a Secret to the Key Vault using the Portal

1. On the left side of the portal, click the Resource groups link.

2. In the Resource groups blade, locate and select the MOD09KVST Resource Group link.

3. In the MOD09KVST blade, select the Key Vault you recently created.

4. In the Key vault blade, locate the Settings section on the left of the blade and click the Secrets link.

5. In the Secrets pane, click the Generate/Import button at the top of the pane.

6. In the Create a secret blade, perform the following actions:

   a. In the Upload options list, select the Manual option.

   a. In the Name field, enter the value thirdPartyKey.

   a. In the Value field, enter the value 56d95961e597ed0f04b76e58.

   a. Leave all other fields set to their default values.

   a. Click the Create button.

7. Wait for the secret creation task to complete before moving on with this lab.

Task 4: Add a Secret to the Key Vault using the CLI

1. At the top of the portal, click the Cloud Shell icon to open a new shell instance.

2. In the Cloud Shell command prompt at the bottom of the portal, type in the following command, replace the [name of vault] placeholder with the name of your Key Vault instance, and then press Enter to list all resource groups in the subscription:

   az keyvault secret list --vault-name [name of vault]
   

   Make sure you replace the [name of vault] placeholder with the actual name of your Key Vault instance. For example, if the name of your instance is examplekeyvault, your command will look like this:

   az keyvault secret list --vault-name examplekeyvault
   

3. Type in the following command to download a secret as a text file saved on your clouddrive instance:

   az keyvault secret download --vault-name [name of vault] --file clouddrive/secret.txt --name thirdPartyKey
   

   Make sure you replace the [name of vault] placeholder with the actual name of your Key Vault instance. For example, if the name of your instance is examplekeyvault, your command will look like this:

   az keyvault secret download --vault-name examplekeyvault --file clouddrive/secret.txt --name thirdPartyKey
   

4. Type in the following command to view the contents of the saved file:

   cat clouddrive/secret.txt
   

5. Type in the following command to create a new secret in your key vault:

   az keyvault secret set --vault-name [name of vault] --name firstPartyKey --value 56f8a55119845511c81de488
   

   Make sure you replace the [name of vault] placeholder with the actual name of your Key Vault instance. For example, if the name of your instance is examplekeyvault, your command will look like this:

   az keyvault secret set --vault-name examplekeyvault --name firstPartyKey --value 56f8a55119845511c81de488
   

6. Type in the following command to

   az keyvault secret list --vault-name [name of vault] --query "[*].{Id:id,Created:attributes.created}" --out table
   

   Make sure you replace the [name of vault] placeholder with the actual name of your Key Vault instance. For example, if the name of your instance is examplekeyvault, your command will look like this:

   az keyvault secret list --vault-name examplekeyvault --query "[*].{Id:id,Created:attributes.created}" --out table
   

7. Close the Cloud Shell prompt at the bottom of the portal.

Task 5: Add a Secret to the Key Vault using ARM

1. On the left side of the portal, click the New link.

2. At the top of the New blade, locate the Search the Marketplace field.

3. Enter the text Template Deployment into the search field and press Enter.

4. In the Everything search results blade, select the Template deployment result.

5. In the Template deployment blade, click the Create button.

6. In the Custom deployment blade, click the Build your own template in the editor link.

7. In the Edit template blade, locate the text editor and delete the existing template content.

8. Copy and paste the following ARM template into the template editor:

   {
       "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
       "contentVersion": "1.0.0.0",
       "parameters": {
           "vaultName": {
               "type": "string"
           }
       },
       "variables": {
           "secretName": "vmPassword"
       },
       "resources": [
           {
               "apiVersion": "2015-06-01",
               "type": "Microsoft.KeyVault/vaults/secrets",
               "name": "[concat(parameters('vaultName'), '/', variables('secretName'))]",
               "properties": {
                   "contentType": "text/plain",
                   "value": "StudentPa$$w.rd"
               }
           }
       ]
   }
   

9. Click the Save button to persist the template.

10. Back in the Custom deployment blade, perform the following actions:

    a. Leave the Subscription field set to it's default value.

    a. In the Resource group section, select the Use existing option.

    a. In the Resource group section, locate the dropdown list and select the MOD09KVST option.

    a. In the Vault Name field, enter the name of your Key Vault instance that you recorded earlier in this lab.

    a. In the Terms and Conditions section, select the I agree to the terms and conditions stated above checkbox.

    a. Click the Purchase button.

11. Wait for the creation task to complete before moving on with this lab.

12. On the left side of the portal, click the New link.

13. At the top of the New blade, locate the Search the Marketplace field.

14. Enter the text Template Deployment into the search field and press Enter.

15. In the Everything search results blade, select the Template deployment result.

16. In the Template deployment blade, click the Create button.

17. In the Custom deployment blade, click the Build your own template in the editor link.

18. In the Edit template blade, locate the text editor and delete the existing template content.

19. Copy and paste the following ARM template into the template editor:

    {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "vaultName": {
                "type": "string"
            }
        },
        "variables": {
            "secretName": "storageConnectionString",
            "storageName": "[concat('stor', uniqueString(resourceGroup().id))]"
        },
        "resources": [
            {
                "apiVersion": "2017-10-01",
                "type": "Microsoft.Storage/storageAccounts",
                "name": "[variables('storageName')]",
                "location": "[resourceGroup().location]",
                "kind": "Storage",
                "sku": {
                    "name": "Standard_LRS"
                },
                "properties": {                
                }
            },
            {
                "apiVersion": "2015-06-01",
                "type": "Microsoft.KeyVault/vaults/secrets",
                "name": "[concat(parameters('vaultName'), '/', variables('secretName'))]",
                "dependsOn": [
                    "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
                ],
                "properties": {
                    "contentType": "text/plain",
                    "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageName'), ';', 'AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value, ';')]"
                }
            }
        ]
    }
    

20. Click the Save button to persist the template.

21. Back in the Custom deployment blade, perform the following actions:

    a. Leave the Subscription field set to its default value.

    a. In the Resource group section, select the Use existing option.

    a. In the Resource group section, locate the dropdown list and select the MOD09KVST option.

    a. In the Vault Name field, enter the name of your Key Vault instance that you recorded earlier in this lab.

    a. In the Terms and Conditions section, select the I agree to the terms and conditions stated above checkbox.

    a. Click the Purchase button.

22. Wait for the creation task to complete before moving on with this lab.

Task 6: View Key Vault Secrets

1. On the left side of the portal, click the Resource groups link.

2. In the Resource groups blade, locate and select the MOD09KVST Resource Group link.

3. In the MOD09KVST blade, select the Key Vault you recently created.

4. In the Key vault blade, locate the Settings section on the left of the blade and click the Secrets link.

5. In the Secrets pane, view the list of secrets created during this lab.

   Note: If a specific secret is not displayed, you may need to click the Refresh button at the top of the pane.

6. Click the entry for the storageConnectionString secret.

7. In the Versions blade that appears, click the latest version of the secret within the CURRENT VERSION section.

8. In the Secret Version blade that appears, click the Show secret value button.

9. Observe the value of the secret.

Review: In this exercise, you created a Key Vault instance and used various methods to add keys to the key vault.

Exercise 2: Deploy Virtual Machine using Key Vault Secret

Task 1: Retrive your Key Vault Resource Id

1. At the top of the portal, click the Cloud Shell icon to open a new shell instance.

2. In the Cloud Shell command prompt at the bottom of the portal, type in the following command, replace the [name of vault] placeholder with the name of your Key Vault instance, and then press Enter to list all resource groups in the subscription:

   az keyvault list --query [*].[id] --out tsv
   

3. Record the output value from the command. This is the resource id for your Key Vault instance.

Task 2: Edit the VM Parameters File

1. On the Taskbar, click the File Explorer icon.

2. In the File Explorer window that appears, navigate to the Allfiles (F):\Mod09\Labfiles\Starter folder.

3. Right-click the vaultvm.parameters.json file and select the Open with Code option to start the Visual Studio Code application.

4. In the Visual Studio Code window that appears, observe the content of the JSON file.

5. Locate the following string in your ARM template JSON content:

   /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>
   

6. Replace that exact string with the resource id you copied earlier in this lab for your Key Vault instance.

   For example, if your subscription id is 6e97419f-3274-aca4-6ba6-eea795fdff51, your resource group is MOD09KVST and your vault name is examplekeyvault, your resource id would look like this:

   /subscriptions/6e97419f-3274-aca4-6ba6-eea795fdff51/resourceGroups/MOD09KVST/providers/Microsoft.KeyVault/vaults/examplekeyvault
   

   Your final ARM parameter file would look like this:

   {
       "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
       "contentVersion": "1.0.0.0",
       "parameters": {
           "password": {
               "reference": {
                   "keyVault": {
                       "id": "/subscriptions/6e97419f-3274-aca4-6ba6-eea795fdff51/resourceGroups/MOD09KVST/providers/Microsoft.KeyVault/vaults/examplekeyvault"
                   },
                   "secretName": "vmPassword"
               }
           }
       }
   }
   

7. Click the File menu and then select the Save option to save the changes made to the template.

8. At the top of the Visual Studio Code window, click the File menu and select the Close Window option.

9. Close the File Explorer window.

10. Return to the Microsoft Edge window with the Azure Portal open.

Task 3: Upload the ARM Template and Parameters Files

1. In the Cloud Shell command prompt, type in the following command and press Enter to view the list of external shares mounted in your bash shell:

   df --type=cifs
   

2. The result of the query should be a single file share that is Mounted on the /usr/ directory. The name of the file share should be in the following format:

   //<storage account name>.file.core.windows.net/shell
   

3. Record the name of the Storage account associated with the file share.

   For example, if the storage account's name is cseast123, the file share name would be //cseast123.file.core.windows.net/shell

4. Close the Cloud Shell prompt at the bottom of the portal.

5. On the left side of the portal, click the All resources link.

6. In the All resources blade, locate and select the Storage account name that you recorded earlier in this task.

7. In the Storage account blade, click the Files link to view the list of file shares.

8. In the Files blade, click the shell file share in the list of shares.

9. In the File share blade, click the Upload button.

10. In the Upload files popup that appears, perform the following actions:

    a. In the Files field, click the blue folder button to the right of the field.

    a. In the Open file dialog that appears, navigate to the Allfiles (F):\Mod09\Labfiles\Starter folder.

    a. Select the vaultvm.json file.

    a. Click the Open button to close the dialog and return to the Upload files popup.

    a. Click the Upload button.

11. Return to the Upload files blade, and click the Upload button again.

12. In the Upload files popup that appears, perform the following actions:

    a. In the Files field, click the blue folder button to the right of the field.

    a. In the Open file dialog that appears, navigate to the Allfiles (F):\Mod09\Labfiles\Starter folder.

    a. Select the vaultvm.parameters.json file.

    a. Click the Open button to close the dialog and return to the Upload files popup.

    a. Click the Upload button.

Task 4: Configure Key Vault for ARM Template Deployment

1. On the left side of the portal, click the Resource groups link.

2. In the Resource groups blade, locate and select the MOD09KVST Resource Group link.

3. In the MOD09KVST blade, select the Key Vault you recently created.

4. In the Key vault blade, locate the Settings section on the left of the blade and click the Access policies link.

5. In the Access policies pane, click the Click to show advanced access policies link.

6. Ensure that the checkbox for Enable access to Azure Resource Manager for template deployment option is selected.

7. Click the Save button at the top of the pane.

8. Wait for the update operation to complete before moving on with the lab.

Task 5: Deploy a Linux Virtual Machine using a Key Vault Secret for the Password.

1. At the top of the portal, click the Cloud Shell icon to open a new shell instance.

2. In the Cloud Shell command prompt at the bottom of the portal, type in the following command and press Enter to deploy the ARM template with the specified parameters file:

   az group deployment create --resource-group MOD09KVST --template-file clouddrive/vaultvm.json --parameters @clouddrive/vaultvm.parameters.json
   

3. Wait for the creation task to complete before moving on with this lab.

Review: In this exercise, you deployed a new Linux Virtual Machine using a password stored in an Azure Key Vault instance.

Exercise 3: Cleanup Subscription

Task 1: Open Cloud Shell

1. In the Cloud Shell command prompt at the bottom of the portal, type in the following command and press Enter to list all resource groups in the subscription:

   az group list
   

Task 2: Delete Resource Groups

1. Type in the following command and press Enter to delete the MOD09KVST Resource Group:

   az group delete --name MOD09KVST --no-wait --yes
   

2. Close the Cloud Shell prompt at the bottom of the portal.

Task 3: Close Active Applications

1. Close the currently running Microsoft Edge application.

Review: In this exercise, you "cleaned up your subscription" by removing the Resource Groups used in this lab.