No More Plaintext Passwords: Using Azure Key Vault with Azure Resource Manager

Published on
Reading time
Authors

A big part of where Microsoft Azure is going is being driven by template-defined environments that leverage the Azure Resource Manager (ARM) for deployment orchestration.

If you've spent any time working with ARM deployments you will have gotten used to seeing this pattern in your templates when deploying Virtual Machines (VMs):

vm-snippet.json
"osProfile": {
    "computername": "[variables('vmName')]",
    "adminUsername": "[parameters('adminUsername')]",
    "adminPassword": "[parameters('adminPassword')]"
}

The adminPassword property accepts a Secure String object which contains an encrypted string that is passed to the VM provisioning engine in Azure and is used to set the login password. You provide the clear text version of the password either as a command-line parameter, or via a parameters file.

The obvious problems with this way of doing things are:

  1. Someone needs to type the cleartext password which means:
    1. it needs to be known to anyone who provisions the environment and
    2. how do I feed it into an automated environment deployment?
  2. If I store the password in a parameter file (to get around 1.B) I risk leaking the password should someone access the file (typically from source control).

Thankfully, Microsoft now provides a way to help solve these challenges.

Say hello to Azure Key Vault

Key Vault can store two types of information: Keys (Certificates) and Secrets.

In our scenario we are interested in the storing of Secrets which fit perfectly with our Secure String requirements for passwords.

Firstly I'm going to provision a Key Vault instance - note that this doesn't need to be in the same Region or Resource Group as your intended deployment. In fact, I'd argue that you wouldn't provision your Vault in the same Region (or Resource Group) as your deployments to restrict access to the Key Vault as much as possible.

provision-vault.ps1
# Log into our Account.
Login-AzureRmAccount
# Create a new Resource Group
New-AzureRmResourceGroup -Name 'sw-sec-demo' -Location 'West US'
# Create new Key Vault instance - important to add "EnabledForDeployment"
New-AzureRmKeyVault -VaultName 'ProvisioningVault' `
                     -ResourceGroupName 'sw-sec-demo' `
                     -Location 'West US' `
                     -EnabledForTemplateDeployment

Once the Key Vault is provisioned we are ready to push our passwords into it as Secrets.

I think its worth noting that a Secret has a lifecycle - you can update a Secret once created (i.e. publish an updated password to the same Secret) which means you can request specific versions of Secrets over time. This is beneficial to our scenario because it allows us to support multiple environments at different stages of their lifecycle.

For example: need an environment from two years ago? No issue - just request it be provisioned with the password (Secret) that was valid at that point in time.

Let's go ahead and add a password to our Vault.

create-secret.ps1
# Convert plaintext to secure string
$adminPass = ConvertTo-SecureString -String 'L0Lcat5^_^!' -AsPlainText -Force
# Add the password as a Secret
Set-AzureKeyVaultSecret -VaultName 'ProvisionVault' `
                        -Name 'LocalAdminPass' `
                        -SecretValue $adminPass

I could, additionally, specify a validity date range for this Secret using the NotBefore and Expires arguments. For this blog we'll just leave it to be valid until updated with a new value.

The above PowerShell will return the following output from which we can grab the 'ID' of the Secret which we will use later.

Vault Name   : provisionvault
Name         : LocalAdminPass
Version      : 2c585ddc60f54d048767924d0125ede5
Id           : https://provisionvault.vault.azure.net:443/secrets/LocalAdminPass/2c585ddc60f54d048767924d0125ede5
Enabled      : True
Expires      :
Not Before   :
Created      : 23/11/2015 01:58:26
Updated      : 23/11/2015 01:58:26
Content Type :
Tags         :

Using in ARM templates

Now we have our password stored as a Secret in a Key Vault we can go ahead and use it in an ARM template.

At present the way we supply Key Vault Secrets to ARM templates is via use of parameters file. If we use our original snippet for VM creation (shown below)

vm-snippet.json
"osProfile": {
    "computername": "[variables('vmName')]",
    "adminUsername": "[parameters('adminUsername')]",
    "adminPassword": "[parameters('adminPassword')]"
}

we can feed in the Secret we pushed to our Key Vault using the below snippet in our parameters file.

keyvault-params-def.json
 "adminPassword": {
     "reference": {
        "keyVault": {
          "id": "/subscriptions/{subscription-guid}/resourceGroups/{keyvault-rg}/providers/Microsoft.KeyVault/vaults/ProvisioningVault"
        },
        "secretName": "LocalAdminPass"
      }
  }

In order to deploy this template we must use the Azure CLI tools with the following command:

azure group deployment create -n {deploymentname} -g {resourcegrop} -f {template}.json -e {template-parameters}.json

Once the deployment is finished you will find that the provisioned VM(s) are now accessible with the password that had been securely held in the Key Vault!

Where can I use this?

I've tested in a range of scenarios from VM provisioning (Windows and Linux) through to Azure SQL Database Server setup, and they all support this technique.

I did find at least one scenario that didn't work... which I'll cover next.

Limitations

You probably spotted that I switched from PowerShell earlier in the blog to do the final deployment with the Azure CLI. At time of writing the PowerShell Cmdlets (v1.0.0 / 1.0.1) don't support the feeding of a Key Vault reference to an ARM template so for your final deployment step (or all of your steps if you want) you need to use the CLI.

Additionally, some existing ARM deployment scenarios such as "deploy AD-domain joined VMs" that leverage extensions like the DSC one, don't appear to support the feeding of Key Vault secrets into them (and a result fail). I'm still troubleshooting this one so if I find a resolution I'll post an update here.

Finally, I also find the supplying of the Key Vault and Secret details in the parameters file a little restrictive. I tried changing the actual template to reference the Key Vault but it's not an approach that is supported and your deployment fails.

Summary

Having been working with Azure for quite some time it's interesting to see the transition of the platform to the new ARM-based model (also known as the 'v2' platform) and the possibilities it opens up such as the one shown here.

If you're doing a lot of template-based deployments that include passwords stored in parameter files (or other insecure stores) then this approach should provide you with a lot of value (and comfort). Also, if as an IT Pro you are concerned about locking down environments so that only the right groups of users can login and modify configurations, this approach should be high on your list.

As always, leave any comments or questions below.

Simon.