Azure IoT Edge Deployments with secure ACR access keys using Azure Key Vault

Dhanavath Vishnu 366 Reputation points
2023-11-15T17:39:32.8933333+00:00

Hi Team,

Greetings for the day!!!

I have a scenario: ideally, we code the private container registry access keys into the Azure IoT Edge layered deployment in the following way:

      "properties.desired.runtime.settings.registryCredentials.modulename": {
        "address": "#ACR_ADDRESS#",
        "password": "#ACR_PASSWORD#",
        "username": "#ACR_USERNAME#"
      }

These values (address, password and username variables) are replaced during the Azure DevOps pipeline run according to the environment. Now I want to secure these keys and do not want to expose them directly in the IoT Edge layered deployment. For this I want to store my Azure Container Registry access keys in Azure Key Vault and then access them through the Key Vault. To make this work, how should I store the Key Vault access in my IoT Edge layered deployment template? Is there any format for storing Azure Key Vault access in an IoT Edge layered deployment?

If my understanding is not correct, please suggest a better way to secure my Azure Container Registry access keys in an Azure IoT Edge layered deployment template.

Thanks

D. Vishnu

Azure IoT Edge
An Azure service that is used to deploy cloud workloads to run on internet of things (IoT) edge devices via standard containers.

Accepted answer
LeelaRajeshSayana-MSFT 16,701 Reputation points
2023-11-16T01:29:04.6433333+00:00

    Hi @Dhanavath Vishnu Greetings! Thank you for posting this question here.

    Referencing Key Vault credentials in Azure IoT Layered deployment is currently not supported. The product team has further stated that there is no way to avoid storing the clear text with the current implementation.

    However, the team has mentioned a couple of measures that can help improve the security posture:

    1. Use a repository-scoped credential with AcrPull role access as suggested in Manage-access-to-your-container-registry. The steps mentioned in this section to create a service principal have to be executed from Azure CLI and cannot be incorporated into the IoT Edge deployment directly.
    2. Use IoT Hub RBAC to limit user access to module twin data so that not all users can have access to module twin data.

    If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.
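    As an added illustration of the pipeline-side handling implied above (not code from the question, the answer, or any Microsoft sample): the `#TOKEN#` placeholders from the question's fragment are resolved from pipeline variables (for example a Key Vault-linked variable group), the render fails closed if any placeholder is left unresolved, a log-safe view never echoes the password, and a check flags when the credential is the registry's built-in admin account (whose username equals the registry name) instead of a scoped pull identity. The template values and variable names are constructed for the example.

```python
import json
import re
from typing import Dict

# Placeholder syntax used in the question's layered deployment: #NAME#
TOKEN_RE = re.compile(r"#([A-Z0-9_]+)#")
CRED_PREFIX = "properties.desired.runtime.settings.registryCredentials."

# Constructed sample of the layered deployment fragment from the question.
LAYERED_TEMPLATE = {
    CRED_PREFIX + "modulename": {
        "address": "#ACR_ADDRESS#",
        "password": "#ACR_PASSWORD#",
        "username": "#ACR_USERNAME#",
    }
}


def _resolve(raw: str, values: Dict[str, str], where: str) -> str:
    """Replace every #TOKEN# in raw; raise on a token the pipeline did not supply."""
    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in values:
            raise KeyError(f"unresolved placeholder #{name}# in {where}")
        return values[name]
    return TOKEN_RE.sub(sub, raw)


def render(template: Dict[str, dict], values: Dict[str, str]) -> Dict[str, dict]:
    """Return a copy of the layered deployment with registry credentials filled in."""
    rendered = json.loads(json.dumps(template))  # deep copy, template stays untouched
    for key, cred in rendered.items():
        if key.startswith(CRED_PREFIX):
            for field, raw in cred.items():
                cred[field] = _resolve(raw, values, f"{key}.{field}")
    return rendered


def uses_admin_account(cred: dict) -> bool:
    """ACR's admin user has the registry name as its username (the label before .azurecr.io)."""
    registry = cred["address"].split(".")[0].lower()
    return cred["username"].lower() == registry


def redacted(rendered: Dict[str, dict]) -> Dict[str, dict]:
    """Log-safe view for pipeline output: the password is masked, nothing else changes."""
    return {k: {**v, "password": "***"} for k, v in rendered.items()}
```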


Additional answer

Dhanavath Vishnu 366 Reputation points
2023-11-22T17:34:22.9133333+00:00

    Hi @LeelaRajeshSayana-MSFT ,

    I have tried the set secret variable and Azure Key Vault methods to make the ACR credentials secure on IoT Edge deployments. I don't think either of these methods is useful in IoT Edge deployment scenarios, as they do not make the ACR user name and password secure in the IoT Edge deployment template.

    I was exploring the IoT Edge production checklist provided by Microsoft at the following link:

    https://learn.microsoft.com/en-us/azure/iot-edge/production-checklist?view=iotedge-1.4#manage-access-to-your-container-registry

    It mentions two methods, but I am not very familiar with how we can apply them in the IoT Edge deployment template. Can you please connect with your team, who can provide a sample solution for applying these methods in IoT Edge production deployments with ACR?

    Thanks for your help.

    Regards

    D. Vishnu
