How to securely deal with secrets in Azure VM Applications

Dirk Dulfer 0 Reputation points
2023-11-08T12:59:34.8933333+00:00

I am using VM Applications along with a Policy to ensure VMs have mandatory tools installed.
Some of those tools require API credentials to communicate with the management platform.

Besides scheduled remediation tasks, I would like the VM owners to be able to manually install the VM Application at their convenience, in their maintenance window. Allowing Reader access to the apps will enable this.

However, API credentials are passed as parameters in the VM Application's install script, which makes them visible to everyone who has Reader (or better) access to that VM app. The documentation does not describe how VM Apps can securely store their secrets; I could not discover, e.g., Key Vault support.

What is the recommended approach to keep these secrets hidden?

Azure Key Vault

1 answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-11-09T11:27:25.69+00:00

    Hi @Dirk Dulfer ,

    Thanks for reaching out.

    You can achieve this by using Azure Key Vault to store the secrets and then retrieve them during the installation process.

    You can use the Custom Script Extension to install the VM application and retrieve the secrets from Key Vault.

    You can store sensitive data in a protected configuration, which is encrypted and only decrypted inside the virtual machine. The protected configuration is useful when the execution command includes secrets such as a password or API keys.

    Here's an example of how you can use the Custom Script Extension to retrieve secrets from Key Vault:

    1. Create a Key Vault and store the API credentials as a secret in the Key Vault.
    2. Create a managed identity for the VM and grant it access to the Key Vault.
    3. In the Custom Script Extension configuration, specify the script location and the command to be run.
    4. In the protected configuration, specify the Key Vault URL, the secret name, and the managed identity client ID.

    Reference - https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

    https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-virtual-machine?tabs=azure-cli

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
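The four steps in the answer above, wired together as an added example (not code from the original page, and not Microsoft's own sample). It assumes a Linux VM, the CustomScript v2 extension (publisher Microsoft.Azure.Extensions), a system-assigned managed identity with the "Key Vault Secrets User" role on an RBAC-enabled vault, and a hypothetical tool that reads its API key from /etc/mytool/credentials; the resource group, VM, vault and secret names are placeholders passed in as arguments, and the key itself is read from the API_KEY environment variable on the admin workstation. The whole install script, including the vault URL and secret name, goes into the extension's protected settings (which Azure does not return on GET, so Reader access to the VM or app does not reveal them), and the script that runs inside the VM fetches the secret itself through IMDS rather than receiving it as an argument:

```shell
#!/usr/bin/env bash
# Added example: Custom Script Extension protected settings + managed identity + Key Vault.
# Names (rg, vm, vault, secret, /etc/mytool/credentials) are placeholders, not from the page.
set -euo pipefail

# Script that runs INSIDE the VM. It never receives the API key as a parameter: it gets a
# token for Key Vault from IMDS using the VM's managed identity, then reads the secret.
# Third argument (optional) is the client ID of a user-assigned identity.
build_in_vm_script() {
  local vault="$1" secret="$2" client_id="${3:-}" cid=""
  if [ -n "$client_id" ]; then cid="&client_id=${client_id}"; fi
  cat <<EOF
#!/usr/bin/env bash
set -euo pipefail
set +x   # never trace this script: the token and the key would land in the extension log
IMDS='http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net${cid}'
# sed is used so the script has no dependencies; prefer jq when the image ships it
TOKEN=\$(curl -sf -H Metadata:true "\$IMDS" | sed -n 's/.*"access_token":"\\([^"]*\\)".*/\\1/p')
KEY=\$(curl -sf -H "Authorization: Bearer \$TOKEN" "https://${vault}.vault.azure.net/secrets/${secret}?api-version=7.4" | sed -n 's/.*"value":"\\([^"]*\\)".*/\\1/p')
# Hand the key to the tool through a root-only file, not argv (argv is visible in ps).
install -d -m 700 /etc/mytool
printf '%s' "\$KEY" | install -m 600 /dev/stdin /etc/mytool/credentials
EOF
}

# Protected settings: the base64-encoded script under "script" (CustomScript v2, Linux).
build_protected_settings() {
  local b64
  b64=$(build_in_vm_script "$@" | base64 | tr -d '\n')
  printf '{"script":"%s"}' "$b64"
}

# Public settings stay empty; anything here is readable with the Reader role.
build_public_settings() { printf '{}'; }

# Guard: succeed only if nothing vault-, secret- or key-like is in the public settings.
public_settings_clean() {
  ! printf '%s' "$1" | grep -Eiq 'vault\.azure\.net|secret|token|api[-_]?key'
}

# Steps 1-4 from the answer, as Azure CLI calls (run: ./script.sh deploy RG VM VAULT SECRET).
deploy() {
  local rg="$1" vm="$2" vault="$3" secret="$4" pid scope prot pub
  az keyvault create -g "$rg" -n "$vault" --enable-rbac-authorization true
  az keyvault secret set --vault-name "$vault" -n "$secret" --value "${API_KEY:?set API_KEY}"
  pid=$(az vm identity assign -g "$rg" -n "$vm" --query systemAssignedIdentity -o tsv)
  scope=$(az keyvault show -g "$rg" -n "$vault" --query id -o tsv)
  az role assignment create --assignee-object-id "$pid" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$scope"
  prot=$(build_protected_settings "$vault" "$secret")
  pub=$(build_public_settings)
  public_settings_clean "$pub"
  az vm extension set -g "$rg" --vm-name "$vm" --name CustomScript \
    --publisher Microsoft.Azure.Extensions --version 2.1 \
    --settings "$pub" --protected-settings "$prot"
}

if [ "${1:-}" = "deploy" ]; then deploy "$2" "$3" "$4" "$5"; fi
```

On Windows the same two HTTP calls (IMDS token, then the secret URL) work from PowerShell with Invoke-RestMethod, and the CustomScriptExtension for Windows takes the command in its protectedSettings `commandToExecute` instead of a base64 `script`. Two things to keep in mind: the key is on the VM once the script has run, so the VM's own hardening (disk encryption, who can read /etc/mytool) becomes the boundary, and the sed-based JSON parsing above breaks on values containing a double quote, which is why a proper JSON parser is preferable where the image has one.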

