Key Vault for Azure virtual machines extension
On November 14th Microsoft announced the general availability of the Azure Key Vault Virtual Machine extension. This extension makes it easier for applications running on virtual machines to use certificates from a key vault by abstracting away some of the more tedious tasks. It has also been built with some of Microsoft's best practices regarding authentication, network error handling, caching, periodic refreshes of certificates from the key vault, and binding the certificate for Transport Layer Security (TLS).
This is great when you want to take advantage of the capabilities that Key Vault offers out of the box without the technicalities that come with fetching tokens yourself or writing a whole slew of Azure Automation scripts to make it all work together.
Operating System requirements
The Key Vault VM extension supports the following versions of Windows:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
Let's not forget that Linux is supported as well. The extension works with these Linux distributions, though take into account that RHEL is missing from the list:
- Ubuntu 16.04
- Ubuntu 18.04
- Debian 9
- Suse 15
Deploying the extension solely through a PowerShell script
The official documentation does an excellent job of explaining how to deploy the extension with an ARM template, so I will not cover that here; instead we will do it entirely through PowerShell.
Script dependencies
You will need the Azure PowerShell module.
If you are a macOS or Linux user running PowerShell 6.2+, as I am, you will also want to install the following module from the PowerShell Gallery. If you are on Windows you can skip this step when running the script under Windows PowerShell 5.1, but if you want to run it under PowerShell Core you will still need the module.
*Note that this module will not do you much good if you try to execute the extension script inside a Docker container running PowerShell Core.
Script walk-through
Let's start by logging in to your Azure tenant; afterwards you will be prompted to choose a subscription and then a resource group.
Next up we will select a key vault, which should reside inside the resource group you just selected. Afterwards you will select a single certificate, from which we build the vault secret id: the URL of the secret that backs the certificate, which is what the extension monitors.
To let the extension obtain access tokens for our Key Vault we need to enable a system-assigned managed identity on the VM.
A managed identity is essentially an object in the Azure Active Directory tenant associated with the resource's subscription. The object represents the Azure resource itself, which allows the VM to authenticate without storing any credentials on the machine: you are trusting this specific Azure VM to access certain Azure resources. A system-assigned managed identity is enabled directly on a single Azure service instance and its lifecycle is tied to that instance.
Great, we've got our managed identity provisioned. All that's left for us to do now is to set a Key Vault access policy that allows our VM, with its Key Vault extension, to call into the Key Vault of our choice.
Since the managed identity belongs to the Azure VM itself, any process on that VM can request a token from the instance metadata endpoint and call into the Key Vault as long as it knows the vault's URL, so we want to apply the principle of least privilege here. We will allow our managed identity to perform get and list operations on keys and secrets; the extension itself reads the certificate through its backing secret, so the secret permissions are the ones it actually relies on.
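To make the "any process on the VM" point concrete, here is an added example (not code from the original post) that you can run from an arbitrary shell on the VM once the identity and access policy are in place. It asks the Instance Metadata Service (IMDS) for a Key Vault token, inspects the token's claims, and reads the same secret the extension monitors. The vault URL in `$vaultSecretId` is a placeholder you must replace with your own version-less secret URL; no other names are assumed.

```powershell
# Added example: any process on the VM can use the system-assigned identity.
# Replace this placeholder with the version-less secret URL of your certificate,
# i.e. https://<vault-name>.vault.azure.net/secrets/<certificate-name>
$vaultSecretId = 'https://contoso-kv.vault.azure.net/secrets/web-tls'

# IMDS is a link-local, unauthenticated endpoint; the Metadata header is mandatory
# (it also stops simple SSRF relays from reaching it). No credentials are stored
# anywhere on the VM for this to work, which is exactly why the access policy must
# be as narrow as possible.
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
        '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$tok  = Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' } -Method Get

# Decode the JWT payload to see which identity the token was issued for.
# No signature check here: we only want to read the claims, not trust them.
$payload = ($tok.access_token -split '\.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
          ConvertFrom-Json
"Token issued for object id {0} (the VM's managed identity)" -f $claims.oid

# Same data-plane call the extension performs: GET the secret backing the certificate.
# For a certificate this returns the PFX (base64) in .value, so treat the output as sensitive.
$secret = Invoke-RestMethod -Uri "${vaultSecretId}?api-version=7.0" `
          -Headers @{ Authorization = "Bearer $($tok.access_token)" }
"Fetched secret version {0}, content type {1}" -f ($secret.id -split '/')[-1], $secret.contentType
```

If this succeeds for an unprivileged user on the VM, it will also succeed for any malware running as that user, which is the reason to grant the identity nothing beyond what the extension needs and to keep unrelated secrets in a different vault.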
To provision the Key Vault extension for Windows you can simply build the following settings and pass them off to the Azure Resource Manager. You may remember our $vaultSecretId
from earlier: we have to pass it along in the settings in order to have the extension monitor it for changes. Feel free to adjust the settings to whatever suits you.
Be careful to pass in a string as the value for pollingIntervalInS; a number will not do the job.
As for Linux, you only need to alter the script ever so slightly: the extension type changes and the certificate store location becomes a directory path instead of a Windows certificate store.
Again, pass in a string as the value for pollingIntervalInS and not a number.
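The whole walk-through as one runnable script, added here as an example rather than the post's original code. It assumes the Az module (Az.Accounts, Az.Resources, Az.KeyVault, Az.Compute), an existing VM and key vault in the same resource group, and at least one certificate in that vault. On macOS or Linux `Out-GridView` needs the Microsoft.PowerShell.GraphicalTools module; the small `Select-One` helper falls back to a console prompt when it is unavailable (for instance inside a container). The extension version is looked up rather than hard-coded, and the access policy is narrowed to secrets only, which is the permission the extension relies on.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.KeyVault, Az.Compute
# Added example, not the post's own script: provision the Key Vault VM extension end to end.

function Select-One {
    # Pick exactly one item: Out-GridView when present, numbered console prompt otherwise.
    param([Parameter(Mandatory)][object[]]$Items, [string]$Title, [string]$Property)
    if (Get-Command Out-GridView -ErrorAction SilentlyContinue) {
        return $Items | Out-GridView -Title $Title -OutputMode Single
    }
    for ($i = 0; $i -lt $Items.Count; $i++) { Write-Host ("[{0}] {1}" -f $i, $Items[$i].$Property) }
    return $Items[[int](Read-Host $Title)]
}

# 1. Sign in, pick a subscription and a resource group.
Connect-AzAccount | Out-Null
$sub = Select-One (Get-AzSubscription) 'Select a subscription' 'Name'
Set-AzContext -Subscription $sub.Id | Out-Null
$rgName = (Select-One (Get-AzResourceGroup) 'Select a resource group' 'ResourceGroupName').ResourceGroupName

# 2. Pick the key vault and the certificate, then build the version-less secret id
#    so the extension follows renewals instead of one pinned certificate version.
$kv   = Select-One (Get-AzKeyVault -ResourceGroupName $rgName) 'Select a key vault' 'VaultName'
$cert = Select-One (Get-AzKeyVaultCertificate -VaultName $kv.VaultName) 'Select a certificate' 'Name'
$vaultSecretId = "$($kv.VaultUri.TrimEnd('/'))/secrets/$($cert.Name)"

# 3. Pick the VM and enable its system-assigned managed identity.
$vm = Select-One (Get-AzVM -ResourceGroupName $rgName) 'Select a VM' 'Name'
Update-AzVM -ResourceGroupName $rgName -VM $vm -IdentityType SystemAssigned | Out-Null
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vm.Name      # refresh to read the new PrincipalId
$principalId = $vm.Identity.PrincipalId

# 4. Least privilege: the extension reads the certificate through its backing secret,
#    so grant only 'get' (plus 'list' for troubleshooting) on secrets and nothing else.
Set-AzKeyVaultAccessPolicy -VaultName $kv.VaultName -ObjectId $principalId -PermissionsToSecrets get, list

# 5. Extension settings. pollingIntervalInS must be a STRING; a number is rejected.
$isLinux = $vm.StorageProfile.OsDisk.OsType -eq 'Linux'
$secretsSettings = @{
    pollingIntervalInS   = '3600'          # string on purpose
    requireInitialSync   = $true           # fail provisioning if the first sync fails
    observedCertificates = @($vaultSecretId)
}
if ($isLinux) {
    $secretsSettings.certificateStoreLocation = '/var/lib/waagent/Microsoft.Azure.KeyVault'
} else {
    $secretsSettings.certificateStoreName     = 'MY'
    $secretsSettings.certificateStoreLocation = 'LocalMachine'
    $secretsSettings.linkOnRenewal            = $false
}
$settings = @{ secretsManagementSettings = $secretsSettings }

# 6. Resolve the newest published extension version for this OS instead of hard-coding it.
$extType = if ($isLinux) { 'KeyVaultForLinux' } else { 'KeyVaultForWindows' }
$latest  = Get-AzVMExtensionImage -Location $vm.Location -PublisherName 'Microsoft.Azure.KeyVault' -Type $extType |
           ForEach-Object { [version]$_.Version } | Sort-Object -Descending | Select-Object -First 1
$typeHandlerVersion = "$($latest.Major).$($latest.Minor)"

# 7. Hand the settings to Azure Resource Manager.
Set-AzVMExtension -ResourceGroupName $rgName -VMName $vm.Name -Location $vm.Location `
    -Name $extType -Publisher 'Microsoft.Azure.KeyVault' -ExtensionType $extType `
    -TypeHandlerVersion $typeHandlerVersion -Settings $settings

# Verify: provisioning state and the observed secret id.
(Get-AzVMExtension -ResourceGroupName $rgName -VMName $vm.Name -Name $extType).ProvisioningState
$vaultSecretId
```

`-Settings` takes a hashtable and Azure PowerShell serializes it to JSON for you; if you instead build the JSON by hand, keep the quotes around the polling interval for the same reason. If the vault has a firewall enabled, the VM's outbound address (or the virtual network) must also be allowed, otherwise the initial sync fails even though the access policy is correct.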
And with that said I hope the Key Vault for Azure virtual machines extension becomes just a little less daunting for you.