I need to automate a task and I'm going to store some variables and secrets that I need for future scripts.
Is there a way that to access my key vault without using the command Connect-AzConnect, and without using a specific user to do so?
Right now I'm using the command Get-AzKeyVaultSecret, I've noticed the argument -DefaultProfile, but I'm not sure how to use it.
Thank you in advance.
Related
I have created some cloud functions. I have functions that rely on a custom claim that has admin as a role. I want to be able to create a default user (set in an environment variable) to have admin role so it can be used to assign others if needed but can only be created during deployment. Is that possible to put in cloud functions so it creates a user when deploying the functions?
Is that possible to put in cloud functions so it creates a user when deploying the functions?
No. Any accounts required for deployment must exist prior to deployment. Whatever command you're running (gcloud or firebase CLI) can't double up work in a single command. You would need to run at least two commands to get everything set up, or create your own program or script that does all the work in one shot.
Currently I am using keycloak on postgres db. and the db creds are provided to environment files. Wanted to know how I can make keycloak obtain the db creds from keyvault something like Azure keyvault ? Is there any documentation / guideline around it?
As per the official documentation ,some part already done but look like still work in progress
To use a vault, a vault provider must be registered within Keycloak.
It is possible to either use a built-in provider described below or
implement your own provider. See the Server Developer Guide for more
information.
To obtain a secret from a vault instead of entering it directly, enter the following specially crafted string into the appropriate field: ${vault.entry-name} where you replace the entry-name with the name of the secret as recognized by the vault.
https://www.keycloak.org/docs/latest/server_admin/#_vault-administration
https://issues.redhat.com/browse/KEYCLOAK-3205
I have configured my service fabric services to use Azure Key Vault for configuration. If, after the app is deployed, I change the config in Key Vault, how do I then restart the affected service so it can pick up the new config value?
Or is there another way altogether?
The best way to handle configuration on SF is use your application parameters file for this, if you use a continuous deployment pipeline like VSTS, you could use release variables to set these values for you and deploy a new version of your configuration file and let SF do the rest.
But in case you still need to use Key vault:
if you are using asp.net core, Using Azure Key Vault to store secrets are like loading configuration files, the values are cached until you reload it.
You can use the IConfigurationRoot.Reload() to reload the secrets from your key vault new values. Check it Here
The trick now is to make it automatically you have to:
Enable Key Vault Logging to track the changes, this will emit logs once you update the key vault. check it here and here .
And then:
Create an endpoint in your API to be called and refresh the secrets. Make it secure to avoid abuse.
Create an Azure function to process these logs and trigger the endpoint
Or:
Create a message queue to receive the command and the system read the message to refresh the settings
Or:
Make a timer to refresh on specific periods(I would not recommended this approach because you might end up with outdated config, but it is easy and useful for quick test scenarios, not production)
Or if you prefer more custom designed solution, you could create your own ConfigurationProvider based on KeyVault and do the cache logic according to your app architecture and you don't have to bother with the rest. Please refer to the Asp.Net source here for this.
The documented way to provide configuration to your services is by using the 'configuration' part of your application package.
As this is versioned, it can be upgraded, without requiring your services to be upgraded or even be restarted.
More info here and here.
We need to create and Key Vault and populate it (or generate) with secrets, then reference them as passwords to SQL servers (PaaS) at the next build step. What would be the best approach to do that?
There are many ways to create/update Azure Key Vault, such as Azure PowerShell, Azure CLI, REST API, also there are Azure PowerShell and Azure CLI tasks in VSTS build/release. So do it with Azure PowerShell or Azure CLI.
To create/update the variable in build/release, you can use Logging Command (##vso[task.setvariable]value), then the variable can be used in subsequent task.
On the other hand, if you just want the variable secret, you just need to add a build or release variable and click lock icon to set the variable secret.
I have a case where the RunDeck scripts do need some credentials in order to run. Obviously we do not want to store these in the job definitions because these are visible and also stored in SCM.
While I was able to use the Key Storage vault to put these secrets in, I was not able to find a way to access them from the job itself.
Rundeck 2.6.2 (released 2015-12-02) allows you to specify key storage secrets as default values for secure job options. See Secure Options using Key Storage