Passwordless ARM templates using Azure Key Vault

We at Nordcloud implement ARM templates on the Microsoft Azure platform regularly. In parameters, we sometimes operate with confidential data and store them in private repositories such as Azure DevOps Repos, Github or others. To maintain security at a high level, we should use solutions adapted to storing passwords (secrets).

Below I will describe how we can implement a sample Azure Key Vault to store passwords and implement a virtual machine that will use the Azure Key Vault password during deployment.

Required for this task

  1. ARM template Azure Key Vault:
    1. Link: https://github.com/Azure/azure-quickstart-templates/tree/master/101-key-vault-create
  2. ARM template virtual machine:
    1. Link: https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-simple-linux

Prerequisites

  1. Powershell Core with Az module or Azure CLI
    1. PowerShell Core: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7.1
    2. Az Module: https://www.powershellgallery.com/packages/Az/5.5.0
    3. Azure CLI: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

If you’ve never deployed a code before, you can check how to do it on this page: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell

Let’s get started!

First, we create a resource group for Azure Key Vault with the command:

New-AzResourceGroup -Name my-test-keyvault -Location westeurope

Then we deploy Azure Key Vault from a ready template using the command:

New-AzResourceGroupDeployment -ResourceGroupName 'my-test-keyvault' -TemplateUri 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-key-vault-create/azuredeploy.json' -keyVaultName myTestKeyVaultNC -objectId 'YOUR-OBJECT-ID' -secretName 'secret1' -secretValue $(ConvertTo-SecureString ‘PASSWORD' -AsPlainText -Force) -enabledForDeployment $true

Hints

  • objectID – that is the user ID or SPN object that is to access this password from Azure Key Vault
  • enabledForTemplateDeployment – with the setting true because it allows us to retrieve the password during deployment
  • secretsPermissions – this will allow us to get and list the password
  • secretValue – in the password field, enter the password you want to enter in the Key Vault. Here you can also use a password generator to automatically send you a generated password that nobody knows

Screen from Azure Key Vault – secrets:

Screen from Azure Key Vault – Access policy:

We start deploying a virtual machine by creating a new resource group:

New-AzResourceGroup -Name my-test-vm -Location westeurope

Then we need to create our own parameter file on the disk to refer to Azure Key Vault. Save the parameters file locally: https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-linux/azuredeploy.parameters.json

Then change the values to as below:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "value": "USRE-NAME"
    },
    "adminPasswordOrKey": {
      "reference": {
          "keyVault": {
          "id": "/subscriptions/ID-SUBSCRIPTION/resourceGroups/my-test-keyvault/providers/Microsoft.KeyVault/vaults/myTestKeyVaultNC"
          },
          "secretName": "secret1"
        }
    },
    "dnsLabelPrefix": {
      "value": "UNIQ-DNS-NAME"
    }
  }
}

If you don’t know what your Key Vault Resource ID is, use the command:

(Get-AzKeyVault -ResourceGroupName my-test-keyvault -VaultName myTestKeyVaultNC).ResourceId

To run deployment with reference to Azure Key Vault, execute the command:

New-AzResourceGroupDeployment -ResourceGroupName 'my-test-vm' -TemplateUri 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-linux/azuredeploy.json' -TemplateParameterFile/azuredeploy.parameters.json

Summary

We implemented the Azure Key Vault template with a password and additional access for your user ID. You then used the reference to Azure Key Vault in the parameters file to implement the password from the Key Vault for the virtual machine deployment.

It is a solution for password management during deployments and for designing confidential data of choice for selected users. The above solution can be implemented using Azure DevOps and fully automated to keep all confidential parameters and have up-to-date data retrieved from Azure Key Vault during the implementation.

If you liked the post, share it!

Read more cloud blog texts on our Community & Culture pages.

We at Nordcloud are constantly hiring Azure experts – check the open positions here, apply and join our learning community!

Related Content

Blog

Are you too late to go cloud native?

You’re never too late to choose a cloud native approach, no matter what stage of cloud maturity or digital transformation...

Blog

Why do so many CCoEs fail?

When you reach a certain stage of cloud adoption, you set up Cloud Centres of Excellence (CCoE). There are noble...

Blog

Part 1 – GCP Networking Philosophy

When working with cloud architecture, it's important to see the world from different perspectives.

Get in Touch

Let’s discuss how we can help with your cloud journey. Our experts are standing by to talk about your migration, modernisation, development and skills challenges.