What are the options for KeyVault authentication with Cloud Service (extended support)?

Question

What are the options for KeyVault authentication with Cloud Service (extended support)?

jc 1

It seems that Cloud Service (classic) does not support managed identity: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-faq

Is managed identity for Cloud Service (extended support) supported? If not, what are the options for accessing KV outside the Cloud Service (extended support) resource group? Is this possible without having to use cert for auth to outside KV?

1 answer

Your answer

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @jc ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know what are the available options for KeyVault authentication with Cloud Service (extended support).

You can install the Key Vault VM extension on Azure Cloud Services (extended support) by first creating a bootstrap certificate in your vault to get a token from Azure Active Directory (Azure AD). That token will help in the authentication of the extension with the vault. After the authentication process is set up and the extension is installed, all the latest certificates will be pulled down automatically at regular polling intervals.

Refer : https://learn.microsoft.com/en-us/azure/cloud-services-extended-support/enable-key-vault-virtual-machine

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

YOGESH SHARMA 0 Reputation points

2023-06-27T11:08:34.1766667+00:00

I understand the use of Bootstrap cert for getting a token. Also from the CSES it is clear that we need to regional KV as CSES cannot access common KV. So I believe this bootstrap cert has to go to the Regional KV. Now, If I need to deploy my services across 20+ regions then I need 20+ Regional KVs and 20 different certs in the AAD App.

I am not sure this is feasible given we need to support more and more regions and creating new bootstrap cert and updating the AAD App will be needs to be done.

Can you share some light on how to address this concern?
YOGESH SHARMA 0 Reputation points

2023-06-27T11:11:08.0633333+00:00

What if I have to support 20+ regions? Do I need 20+ different Bootstrap certs and update those in the AAD App?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-07-17T14:56:56.1666667+00:00

Hello @YOGESH SHARMA , the reason that Azure Cloud Services (extended support) enforces region boundaries is to prevent users from creating architectures that have cross region dependencies. Regional isolation is a key design principle of cloud-based applications. However, you can use the Key Vault extension to get cross subscription and cross region support for your certificates.

Refer: https://learn.microsoft.com/en-us/azure/cloud-services-extended-support/faq#when-specifying-secrets-certificates-to-be-installed-to-a-cloud-service--must-the-keyvault-resource-be-in-the-same-region-as-the-cloud-service-resource- Regards,

Gita

Share via

What are the options for KeyVault authentication with Cloud Service (extended support)?

1 answer

Your answer