RajputSaiSrivastav-2388 asked JamesTran-MSFT edited

How to use secrets from Keyvault in Azure Batch without them being exposed in the portal?

[Screenshot: 141695-screenshot-2021-10-19-155806.png]

I am trying to execute an Azure batch that accepts environment variables. Currently, I am able to execute the task by reading the keys from secrets and passing them to the task; the drawback here is that the keys are exposed in the Azure portal.

Is there a way where I can still have that value as a secret on the Portal? That is, can I pass the secrets directly to the task and the Task would fetch it from KeyVault?


An example here would be AWS Batch: we can explicitly pass the secrets and AWS Batch would automatically fetch them from the Parameter Store.


Tags: azure-key-vault, azure-batch

@RajputSaiSrivastav-2388
Thank you for your post!

  • When it comes to using Azure Batch with the Azure Key Vault, are you able to share any documentation so I can gain a better understanding of your issue?

  • When executing the tasks by reading the keys from the secret, how're you getting the keys/secrets?

  • Can you share any screenshots or more details on what you mean by "the keys are exposed in the Azure Portal"?

  • What tasks are you specifically trying to run?

Any additional details, screenshots, or documentation regarding what you're trying to do would be greatly appreciated!



If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Hey James,


1) I don't have a document for what I am trying to do; that is the reason I am looking for an answer in the community.


2) I am using the following method to fetch the secret from the KeyVault
[retrieve-a-secret][1]

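```python
import azure.batch.models as batchmodels

# client is assumed to be the SecretClient from the linked quickstart;
# get_secret() returns a KeyVaultSecret object, so pass its .value string.
env_settings = [
    batchmodels.EnvironmentSetting(name="test_secret", value=client.get_secret("FB-SAS-token").value),
]
```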


I am passing the secret by reading it first and then passing it as an env variable.


3) Uploaded the screenshot in the Question. Basically the sensitive secrets are visible under the Environment Settings section on the Tasks screen in Azure portal.

4) I have a Python script as a part of ACR in a Docker image. This script accepts variables such as Database password and other sensitive secrets in the form of environment variables.
[1]: https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-python#retrieve-a-secret



JamesTran-MSFT replied to RajputSaiSrivastav-2388:

@RajputSaiSrivastav-2388
Thank you for the quick follow up on this!

Based off your screenshot, I don't believe there's any way to hide the secret in the Environment Settings within the Azure Portal. However, since this looks more related to Azure Batch than the Azure Key Vault, I've reached out to our Azure Batch team, so they can take a look into this issue as well.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


0 Answers
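
One way to keep the value out of the task's Environment Settings, as an added example that is not part of the original thread: pass only the Key Vault secret name to the task and let the script in the container fetch the value at run time. The `_KV_SECRET` suffix, `KEY_VAULT_URL`, the function names and the vault URL are assumptions, as is a pool whose nodes have an identity allowed to read the vault; `StubClient` stands in for `SecretClient` so the block runs offline.

```python
from types import SimpleNamespace

REF_SUFFIX = "_KV_SECRET"  # hypothetical convention: X_KV_SECRET=<secret name> resolves to X

def task_environment(secret_refs, vault_url):
    """Submitter side: (name, value) pairs for batchmodels.EnvironmentSetting.
    Only the vault URL and secret names appear, so that is all the portal can show."""
    pairs = [("KEY_VAULT_URL", vault_url)]
    pairs += [(var + REF_SUFFIX, name) for var, name in secret_refs.items()]
    return pairs

def make_client(vault_url):
    """Task side: real client, authenticating as the node's identity (assumption)."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())

def resolve_secrets(environ, client=None):
    """Task side: fetch each referenced secret inside the container at run time."""
    refs = {k[: -len(REF_SUFFIX)]: v for k, v in environ.items() if k.endswith(REF_SUFFIX)}
    if not refs:
        return {}
    client = client or make_client(environ["KEY_VAULT_URL"])
    resolved = {}
    for var, secret_name in refs.items():
        try:
            resolved[var] = client.get_secret(secret_name).value
        except Exception as exc:
            # Fail closed; the message names the reference, never a secret value.
            raise RuntimeError(f"cannot resolve {var} from secret {secret_name!r}") from exc
    return resolved

class StubClient:
    """Constructed stand-in for SecretClient so the example runs offline."""
    def __init__(self, store):
        self._store = store
    def get_secret(self, name):
        return SimpleNamespace(value=self._store[name])

if __name__ == "__main__":
    env = dict(task_environment({"test_secret": "FB-SAS-token"},
                                "https://example-vault.vault.azure.net"))  # constructed URL
    print("visible in task settings:", env)
    secrets = resolve_secrets(env, StubClient({"FB-SAS-token": "constructed-value"}))
    print("resolved inside the task:", sorted(secrets))
```

In the container, the script would call `resolve_secrets(os.environ)` at start-up and use the returned values in memory instead of exporting them back into the environment.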