Azure DTL - Mounting a file share with credentials stored in a keyvault

Juergen Swoboda 1 Reputation point
2021-06-30T21:32:10.513+00:00

Hello,

We have an artifact which mounts a file share from a specific storage account, as described here: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-quick-create-use-windows. That works fine. The bad thing with this approach is that the storage account key must be stored in cleartext inside the PowerShell script. To avoid that, I have set up a key vault with the secrets I want to use. But how can I connect to a key vault inside an artifact? As far as I know, artifact installation always runs under the "NT_Authority\System" account. Sure, I could do a "Connect-AzAccount", but that cmdlet needs a credential object as well. Can I run an artifact under a user principal which has access to the key vault? Or are there better ways to do this?

Any help is appreciated.

Azure DevTest Labs

2 answers

  1. Samara Soucy - MSFT 5,051 Reputation points
    2021-07-07T04:16:35.683+00:00

    This solution is a good one; to get the VM access to Key Vault without saving credentials there is one extra step. You can add a User-Assigned Managed Identity to all of your VMs in the DTL instance using the policies. Any existing VMs will need to be restarted for this to be applied to them. In contrast, a regular service principal login would still need credentials.

    [Screenshot: 112378-add-identity-button.png, the "Add identity" button in the lab policies]

    From there, you can use `Connect-AzAccount -Identity` to log in to Azure PowerShell without credentials via that managed identity. You can give that managed identity access to the required information in Key Vault and mount the file share from there.

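The flow described in the answer above, written out as an added example artifact script (this is not code from the original thread or from the DevTest Labs project). It assumes the VM already carries the user-assigned managed identity, that the identity has been granted Get permission on secrets in the vault's access policy, and that the Az.Accounts and Az.KeyVault modules are installed on the VM. The vault name, secret name, storage account and share name are placeholders.

```powershell
# Added example: mount an Azure Files share from a DTL artifact without
# storing the storage account key in the script. The key is read from
# Key Vault using the VM's managed identity.
# All parameter defaults below are assumed placeholder values.
param(
    [string]$VaultName      = 'my-dtl-keyvault',      # assumed
    [string]$SecretName     = 'storage-account-key',  # assumed
    [string]$StorageAccount = 'mystorageaccount',     # assumed
    [string]$ShareName      = 'myshare',              # assumed
    [string]$DriveLetter    = 'Z'
)

$ErrorActionPreference = 'Stop'
$fileEndpoint = "$StorageAccount.file.core.windows.net"

# 1. Azure Files needs outbound SMB (TCP 445); fail early with a clear
#    message instead of a confusing mount error later.
$probe = Test-NetConnection -ComputerName $fileEndpoint -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $fileEndpoint is blocked; the share cannot be mounted."
}

# 2. Log in with the managed identity attached to the VM. Because the
#    artifact runs as NT AUTHORITY\SYSTEM, this is the only identity
#    available without embedding a credential object.
Connect-AzAccount -Identity | Out-Null

# 3. Fetch the key by vault name. This is a data-plane call addressed
#    directly at the vault, so it does not enumerate vaults via
#    Get-AzKeyVault (which needs a subscription in the context).
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret) {
    throw "Secret '$SecretName' was not found in vault '$VaultName'."
}

# Decrypt the SecureString only for as long as cmdkey needs it, then
# zero the unmanaged buffer. Works on Windows PowerShell 5.1 and PS 7.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $key = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# 4. Persist the SMB credential for this endpoint and map the drive,
#    mirroring the quickstart linked in the question. The mapping is
#    created in the SYSTEM session because that is where artifacts run.
cmdkey /add:$fileEndpoint /user:"AZURE\$StorageAccount" /pass:$key | Out-Null
New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
    -Root "\\$fileEndpoint\$ShareName" -Persist -Scope Global | Out-Null

# 5. Drop the plaintext key from the session as soon as it is no longer needed.
Remove-Variable -Name key -ErrorAction SilentlyContinue
Write-Output "Mounted \\$fileEndpoint\$ShareName as ${DriveLetter}:"
```

The key only ever exists in memory on the VM for the duration of the cmdkey call, and the artifact file itself contains nothing more sensitive than the vault and secret names. Rotating the storage key then becomes a Key Vault update rather than a change to the artifact.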

  2. Juergen Swoboda 1 Reputation point
    2021-07-07T10:34:04.39+00:00

    Hello SamaraSoucy-MSFT,

    Works like a charm, thank you very much! :)

    Just one more question. First, I've set up a managed identity and gave it the "Read" and "List" permissions in the key vault (vault access policy). But when I first tried out my script, I got the error message "Get-AzKeyVault : 'this.Client.SubscriptionId' cannot be null.".

    So I gave the account the "Read" permission at the subscription level. Do I need the "Read" permission on the whole subscription or is there a more restricted permission which I can set?

    Kind regards
    Juergen