Exercise - Create a Key Vault and store secrets
Create Key Vaults for your applications
A best practice is to create a separate vault for each deployment environment of each of your applications, such as development, test, and production. You can use a single vault to store secrets for multiple apps and environments, but the impact of an attacker gaining read access to a vault increases with the number of secrets in the vault.
If you use the same names for secrets across different environments for an application, the only environment-specific configuration you need to change in your app is the vault URL.
Creating a vault requires no initial configuration. Your user identity is automatically granted the full set of secret management permissions, and you can start adding secrets immediately. After you have a vault, you can add and manage secrets from any Azure administrative interface, including the Azure portal, the Azure CLI, and Azure PowerShell. When you set up your application to use the vault, you'll need to assign the correct permissions to it; we'll see that in the next unit.
Create the Key Vault and store the secret in it
Given all the trouble the company's been having with application secrets, management has asked you to create a small starter app to set the other developers on the right path. The app needs to demonstrate best practices for managing secrets as simply and securely as possible.
To start, you'll create a vault and store one secret in it.
Create the Key Vault
Key Vault names must be globally unique, so you'll need to pick a unique name. Vault names must be 3-24 characters long and contain only alphanumeric characters and dashes. Make a note of the vault name you choose, as you'll need it throughout this exercise.
To create your vault, run the following command in Azure Cloud Shell. Make sure to enter your unique vault name to the
az keyvault create \
    --resource-group [sandbox resource group name] \
    --location centralus \
    --name <your-unique-vault-name>
When it finishes, you'll see JSON output describing the new vault.
The command used the pre-created resource group named
Add the secret
Now, add the secret: our secret will be named SecretPassword with a value of reindeer_flotilla. Make sure to replace <your-unique-vault-name> with the vault name you created in the
az keyvault secret set \
    --name SecretPassword \
    --value reindeer_flotilla \
    --vault-name <your-unique-vault-name>
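The script below is an added example, not part of this exercise or of the Azure CLI. It wraps the two commands above the way a practitioner would script them: it checks a candidate name against the rule stated earlier (3-24 characters, alphanumerics and dashes), derives one vault name per application and environment so that only the vault URL changes between environments, and passes the secret value with the Azure CLI's --file option instead of --value so the value does not land in shell history or in the process list. The environment variable names (APP_NAME, DEPLOY_ENV, RESOURCE_GROUP, LOCATION, SECRET_NAME, SECRET_VALUE, RUN_AZ) and the sample application name contoso-orders are this script's own assumptions; the Azure CLI calls only run when RUN_AZ=1, so the helper functions can be tried offline.

```bash
#!/bin/sh
# Added example (not from the Microsoft Learn exercise): validate a Key Vault name,
# create one vault per environment, and store a secret without putting its value on
# the command line. Variable names APP_NAME, DEPLOY_ENV, RESOURCE_GROUP, LOCATION,
# SECRET_NAME, SECRET_VALUE and RUN_AZ are this script's own choices.

# Check a candidate vault name against the rule the exercise states:
# 3-24 characters, alphanumerics and dashes only. Returns 0 when valid, 1 otherwise.
# Azure applies further rules at creation time (for example the name must start
# with a letter), so a name that passes here can still be rejected by "az keyvault create".
validate_vault_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
  case $name in
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# One vault per application and environment. Secret names stay identical across
# environments, so the vault name (and therefore the vault URL) is the only
# environment-specific value the application needs.
# Constructed sample: vault_name_for contoso-orders dev -> contoso-orders-dev
vault_name_for() {
  printf '%s-%s\n' "$1" "$2"
}

# The URL the application reads from its configuration (public Azure cloud DNS suffix).
vault_url() {
  printf 'https://%s.vault.azure.net/\n' "$1"
}

# The Azure CLI calls run only when RUN_AZ=1, so the helpers above can be checked offline.
if [ "${RUN_AZ:-0}" = "1" ]; then
  vault=$(vault_name_for "${APP_NAME:-contoso-orders}" "${DEPLOY_ENV:-dev}")
  validate_vault_name "$vault" || { echo "invalid vault name: $vault" >&2; exit 1; }

  az keyvault create \
    --resource-group "${RESOURCE_GROUP:?set RESOURCE_GROUP to your resource group}" \
    --location "${LOCATION:-centralus}" \
    --name "$vault"

  # Write the secret value to a private temp file and pass it with --file rather than
  # --value, so the value appears neither in shell history nor in the process list.
  umask 077
  tmp=$(mktemp)
  printf '%s' "${SECRET_VALUE:?set SECRET_VALUE to the secret to store}" > "$tmp"
  az keyvault secret set \
    --vault-name "$vault" \
    --name "${SECRET_NAME:-SecretPassword}" \
    --file "$tmp"
  rm -f "$tmp"

  echo "Configure the app with vault URL: $(vault_url "$vault")"
fi
```

To reproduce the exercise with this script, run it as RUN_AZ=1 RESOURCE_GROUP=<your resource group> SECRET_VALUE=reindeer_flotilla sh create-vault.sh in Cloud Shell; the default DEPLOY_ENV of dev gives the vault name contoso-orders-dev, and a second run with DEPLOY_ENV=test creates a separate vault with the same secret name, which is the per-environment layout described at the top of this unit.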
You'll write the code for your app shortly, but first you need to learn a bit about how your app is going to authenticate to a vault.