
Exercise 9: Securing web app connection string with Azure Key Vault and Managed Identity (Optional)

Estimated Duration: 30 minutes

In this exercise, you'll create a key vault and deploy the Azure web application using a key vault secret. You'll use a system assigned managed identity to authenticate your Azure web app to the key vault so that it can read the secret.

Lab objectives

In this lab, you will complete the following tasks:

  • Task 1: Setting up Azure Key vault
  • Task 2: Create and assign system assigned managed identity
  • Task 3: Securing the web app connection string with secret

Task 1: Setting up Azure Key vault

  1. Select your resource group named hands-on-lab-

  2. Select Create inside the resource group to add a new resource.

  3. Type Key Vault (1) into the search box and select Key Vault (2) from the dropdown.

  4. Select Create and click on Key Vault to continue.

  5. On the Basics tab of the key vault, provide the Key Vault name as appmod-keyvault (1), leave all other options as default, and click on Next (2).

  6. On the Access Configuration tab of the key vault, select the Vault Access Policy in Permission Model and select the ODL_USER_ in Access Policies.

  7. On the Review + create page, review all the options, and click on Create.

  8. After creating the Key Vault successfully, click on Go to resource.

  9. Switch to the Secrets (1) Blade and select +Generate/Import (2).

  10. On the Create secret panel, enter the following details, and click on Create.

  • Upload options: Manual

  • Name: Enter DB-secret

  • Value: Enter SQL Connection String you copied in Exercise 4, Task 6, Step 3.

  11. Once the secret is successfully created, click on the newly created secret to copy the secret identifier.

  12. On the Secret Version panel, copy the Secret Identifier value and paste it into the notepad for future use.

Congratulations on completing the task! Now, it's time to validate it. Here are the steps:

  • Hit the Validate button for the corresponding task. If you receive a success message, you can proceed to the next task.

  • If not, carefully read the error message and retry the step, following the instructions in the lab guide.

  • If you need any assistance, please contact us at cloudlabs-support@spektrasystems.com. We are available 24/7 to help you out.

Task 2: Create and assign system assigned managed identity

  1. Go back to the resource list and navigate to your partsunlimited-web-(2) App Service resource. You can search for partsunlimited-web (1) to find your Web App and App Service Plan.

  2. Switch to the Identity blade under settings.

  3. On System assigned (1) managed identity, select On (2) for Status and then click on Save (3). Click on Yes in the Enable system assigned managed identity pop-up.

  4. Once the managed identity is assigned, copy the ObjectID and paste it into the notepad.

  5. Go back to the resource group and search for appmod-keyvault (1) to find your Key Vault and click on it (2).

  6. From the left navigation pane, select Access policies (1) and click on Create (2) to create the access policy for key vault.

  7. Under the Permissions tab of Create an access policy panel, select the following:

    • Configure from template: Select Secret Management (1)

    • Secret permissions: select Get (2)

    • Click on Next (3)

  8. Under the Principal tab, enter the system assigned managed identity (1) you copied previously in step 4 and select it (2). Click on Next (3).

  9. On the Application (Optional) tab, leave all the values at their defaults and click on Next.

  10. Click on Create under the Review + create tab.

  11. Once the access policy creation is completed, make sure that the application access policy is listed as shown below.
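A least-privilege check for the access policy created in steps 7 to 10, as an added example that is not part of the original lab: it reads vault JSON shaped like the output of `az keyvault show` and flags any permission beyond secret Get for the web app's ObjectID. The sample JSON, the object IDs and the `audit_identity` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like `az keyvault show` output
# (properties.accessPolicies). Object IDs are placeholders.
SAMPLE_VAULT = json.loads("""
{
  "name": "appmod-keyvault",
  "properties": {
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-00000000aaaa",
       "permissions": {"keys": [], "certificates": null,
                       "secrets": ["Get"]}},
      {"objectId": "00000000-0000-0000-0000-00000000bbbb",
       "permissions": {"keys": ["Get", "List"], "certificates": [],
                       "secrets": ["Get", "List", "Set", "Delete"]}}
    ]
  }
}
""")

# What the web app identity needs in this lab: read the secret, nothing else.
ALLOWED = {"secrets": {"get"}}


def audit_identity(vault, object_id, allowed=ALLOWED):
    """Return findings for one principal's access policy (empty list = OK)."""
    policies = [p for p in vault["properties"]["accessPolicies"]
                if p["objectId"].lower() == object_id.lower()]
    if not policies:
        return ["no access policy found for this object ID"]
    findings = []
    for policy in policies:
        perms = policy.get("permissions") or {}
        for kind in sorted(set(perms) | set(allowed)):
            # A permission list may be null in the exported JSON.
            granted = {g.lower() for g in perms.get(kind) or []}
            want = allowed.get(kind, set())
            if granted - want:
                findings.append(
                    f"excess {kind} permissions: {sorted(granted - want)}")
            if want - granted:
                findings.append(
                    f"missing {kind} permissions: {sorted(want - granted)}")
    return findings
```

Pass it the ObjectID copied in step 4; an empty list means the identity can read secrets and do nothing else in the vault.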

Task 3: Securing the web app connection string with secret

  1. Go back to the resource list and navigate to your partsunlimited-web-(2) App Service resource. You can search for partsunlimited-web (1) to find your Web App.

  2. Switch to the Configuration (1) Blade and select the connection string with the name DefaultConnectionString (2).

  3. Edit the value so that it references the Key Vault secret in the @Microsoft.KeyVault(SecretUri=Secret_identifier) format. Replace Secret_identifier with the value you copied in task 1, step 11. The edited value looks like the following:

    @Microsoft.KeyVault(SecretUri=https://appmod-keyvault776057.vault.azure.net/secrets/DB-secret/ffd4c9d21f8e4582956ee42b20f74e13)

  4. Select Apply. When you get the Save changes pop-up, click on Confirm.

  5. Scroll down to the connection string details and observe that the DefaultConnectionString shows the Key Vault as the Source.

  6. Switch to the Overview (1) Blade and select Default domain (2) to navigate to the Parts Unlimited website hosted in our Azure App Service using Azure SQL Database.

    Note: You may see a different image on the web app while accessing it, as there are multiple images moving on the web app page.
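A pre-save check for the value entered in step 3, as an added example that is not part of the original lab: it parses the `@Microsoft.KeyVault(SecretUri=...)` form and reports a reference that is malformed, still contains the placeholder, or points at another vault. The `check_reference` helper, the `appmod-keyvault` prefix check and the public-cloud `.vault.azure.net` suffix are assumptions; only the first sample comes from the lab.

```python
import re
from urllib.parse import urlsplit

REF_RE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)]*)\)$")
VERSION_RE = re.compile(r"^[0-9a-f]{32}$")
VAULT_SUFFIX = ".vault.azure.net"  # assumption: public Azure cloud


def check_reference(value, vault_prefix="appmod-keyvault"):
    """Return (info, problems) for a SecretUri-style Key Vault reference."""
    m = REF_RE.match(value.strip())
    if not m:
        # Anything else is stored as a literal value, i.e. the secret
        # itself would still sit in the app configuration.
        return None, ["not in @Microsoft.KeyVault(SecretUri=...) format"]
    uri = urlsplit(m.group("uri"))
    host = (uri.hostname or "").lower()
    parts = [p for p in uri.path.split("/") if p]
    problems = []
    if uri.scheme != "https":
        problems.append("SecretUri must be an https URL")
    if not host.endswith(VAULT_SUFFIX):
        problems.append(f"not a Key Vault host: {host!r}")
    elif not host.startswith(vault_prefix):
        problems.append(f"points at a different vault: {host}")
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        problems.append("path must be /secrets/<name>[/<version>]")
        return None, problems
    version = parts[2] if len(parts) == 3 else None  # None = unpinned
    if version and not VERSION_RE.match(version):
        problems.append(f"malformed secret version: {version!r}")
    return {"vault_host": host, "secret": parts[1],
            "version": version}, problems


# First value is the example from step 3; the others are constructed.
VAULT_URL = "https://appmod-keyvault776057.vault.azure.net/secrets/DB-secret/"
SAMPLES = [
    f"@Microsoft.KeyVault(SecretUri={VAULT_URL}ffd4c9d21f8e4582956ee42b20f74e13)",
    f"@Microsoft.KeyVault(SecretUri={VAULT_URL})",
    "@Microsoft.KeyVault(SecretUri=Secret_identifier)",
    "Server=tcp:example.database.windows.net;Password=<constructed>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_reference(sample))
```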

Summary

In this exercise, you have covered the following:

  • Created an Azure key vault.
  • Deployed the web application using a key vault secret.