Pulumi: how to create an ApplicationPassword and let Azure set the value - pulumi

I'd like to be able to do the following:
Generate an ApplicationPassword without generating the actual value for the password (let Azure do it, similar to the way Azure generates the secret value for you in the UI, or that secretText is a return value from this azure api method: https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http)
Put that secret in an Azure key vault
Redeploy the stack without having it generate a new secret every time
Is this possible?
The reason I'd like to not specify the secret value is that I would then need to commit the secret value to code, which I don't want.
The only workaround I can think of is generating the secret value in code, storing it in keyvault, retrieving it from keyvault and using that to create the ApplicationPassword, but then that would cause Pulumi to create a new secret in the keyvault (and then a new ApplicationPassword) each time I deploy the stack.

You can use the RandomPassword resource to generate a password that is stable between multiple runs of the same stack. It's generated once and then stored in the state file.
```typescript
import * as random from "@pulumi/random";

// Generated once on the first `pulumi up`, then kept in the stack state, so later runs reuse it.
const password = new random.RandomPassword("password", {
    length: 16,
    special: true,
});
// use password.result somewhere (it is a secret Output)
```

Related

Azure Key Vault set secret PUT API deprecated?

I'm using the set secret PUT API https://myvault.vault.azure.net/secrets/mysecret/ to either create or update an existing secret in my key vault.
The API calls still work for me for now. I'm wondering if there will be future changes to this API, as the documentation for it is no longer available online and there are only mentions of PowerShell commands.
Please check if you are looking for this document, which you can find in the Key Vault blade > Secrets.
Set-secret:
PUT {vaultBaseUrl}/secrets/{secret-name}?api-version=7.2
This operation adds a secret to the Azure Key Vault. If it already exists, Azure Key Vault creates a new version of that secret. Needs secrets/set permission.
Update-secret:
PATCH {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.2
The UPDATE operation changes specified attributes of an existing stored secret. This operation requires the secrets/set permission.

Why is it recommended to manually provision pre-existing secrets in AWS SecretsManager as opposed via CDK/Cloudformation?

Quote from the aws cdk docs:
If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application
Why is that? Is it because it's not ideal to save the plain text secret into code?
Or we don't want the secret to appear in the cloudformation template?
Yes and yes. Earlier CDK versions did not even permit passing text values to the Secret constructor. We only recently got the secretStringBeta1: string prop along with a stern warning:
It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Our CDK code and generated templates are meant to be deterministic and version-controlled, further heightening the risk of leakage if plaintext secrets are used.
Edit: Per @gshpychka's comment, a safe alternative to importing with Secret.fromSecretArn is to construct a new Secret without a secret value. This creates a secret with a random password, which you change post-deploy in the Console. This approach helpfully ties the secret's lifecycle to the Stack and lets you set its properties in the context of the Stack.

Storing Secret token information at runtime from ADF to Key Vault dynamically

I have a scenario for using Azure Key vault.
I have stored a refresh token in Key Vault. I retrieved the token from Key Vault in ADF using the Web activity and called the service provider endpoint to generate the access token based on the refresh token.
I want to store the access token generated above from ADF into Key Vault. How can I do that?
I went through many articles but did not find any solution on storing the information generated in ADF to Key Vault.
Any help is much appreciated.
Thanks
You can make a REST API call from Azure Data Factory using the Web activity to store a secret into Azure Key Vault.
Here is the link for the REST API reference:
Sets a secret in a specified key vault.
The SET operation adds a secret to the Azure Key Vault. If the named secret already exists, Azure Key Vault creates a new version of that secret. This operation requires the secrets/set permission.
Set Secret - REST API (Azure Key Vault)
Learn more about [Key Vault Set Secret Operations].

Data Factory Set variable with KeyVault Value

How can I set a variable with the value that I have stored in a KeyVault secret?
Update:
Hi @willy sepulveda. We can only secure the input and output in the Web activity, like follows:
Input and output data will be sensitive:
You can use the Web activity to access the Key Vault value. Refer to this documentation. I also created a test.
Open the properties of your data factory and copy the Managed Identity Object ID value. Open the key vault access policies and add the managed identity permissions to Get and List secrets.
Then I created a secret named myKey and set the value helloworld.
Note: The name of the secret (myKey) will be used below at Step 5.
Declare a String type variable named myVar in ADF pipeline.
In the Web1 activity, select Secure output.
Web1 activity settings
URL: https://<your-keyvault-name>.vault.azure.net/secrets/<your-secret-name>?api-version=7.0.
You need to replace the key vault name and secret name.
Authentication: Select Managed Identity.
Resource: Enter https://vault.azure.net.
In the Set variable1 activity, add the dynamic content @activity('Web1').output.value.
Debug result: I can see that the variable successfully received the secret value.
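As an added example that is not part of any answer above, the Set-secret and Update-secret calls quoted in the earlier Key Vault question and the Web activity GET from this answer, expressed as request builders plus the response parsing that yields what ADF reads as @activity('Web1').output.value. The bearer token is assumed to come from elsewhere (for ADF, the Managed Identity token for the resource https://vault.azure.net), and the names myvault and myKey are constructed.

```python
import json
import re

KV_API_VERSION = "7.2"
# Key Vault secret names: alphanumerics and dashes only, 1 to 127 characters.
SECRET_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")

def secret_url(vault_name, secret_name, version=None, api_version=KV_API_VERSION):
    """https://{vault}.vault.azure.net/secrets/{name}[/{version}]?api-version=..."""
    if not SECRET_NAME_RE.match(secret_name):
        raise ValueError(f"invalid Key Vault secret name: {secret_name!r}")
    path = f"/secrets/{secret_name}" + (f"/{version}" if version else "")
    return f"https://{vault_name}.vault.azure.net{path}?api-version={api_version}"

def _request(method, url, token, body=None):
    """Describe the HTTP call; send it with any client (ADF Web activity, requests, curl)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return {"method": method, "url": url, "headers": headers,
            "body": None if body is None else json.dumps(body)}

def set_secret_request(vault_name, secret_name, value, token, content_type=None):
    """SET (PUT): creates the secret, or a new version if it already exists."""
    body = {"value": value}
    if content_type:
        body["contentType"] = content_type
    return _request("PUT", secret_url(vault_name, secret_name), token, body)

def update_secret_request(vault_name, secret_name, version, token, attributes):
    """UPDATE (PATCH): changes attributes of one existing version, never the value."""
    if not version:
        raise ValueError("PATCH addresses one version; pass the version from the secret id")
    url = secret_url(vault_name, secret_name, version)
    return _request("PATCH", url, token, {"attributes": attributes})

def get_secret_request(vault_name, secret_name, token, api_version="7.0"):
    """GET as the ADF Web activity does it, with a Managed Identity token for the
    resource https://vault.azure.net (api-version 7.0 as in that pipeline)."""
    url = secret_url(vault_name, secret_name, api_version=api_version)
    return _request("GET", url, token)

def secret_value_from_response(response_text):
    """The field ADF reads as @activity('Web1').output.value, plus the version from 'id'."""
    payload = json.loads(response_text)
    return payload["value"], payload["id"].rstrip("/").rsplit("/", 1)[-1]
```

Each SET returns a new id; keep that version if you later PATCH attributes such as enabled or expiry, since PATCH cannot target the secret name alone.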

Where to store credential in terraform-gcp-github project?

I have a terraform project that accesses a google cloud bucket. All pull requests are done through github. However, I'm not sure where I'm supposed to securely store my bucket credentials? Of course I don't want to upload them to github but I'm not sure where they should be kept. This is my variables file
```hcl
variable "credentials_filepath" {
  default = "../../../creds.json"
}
```
And this is my main file
```hcl
provider "google" {
  credentials = file(var.credentials_filepath)
  project     = var.project
  region      = "europe-west2"
  zone        = "europe-west2-a"
}
```
The main idea is to store the secrets securely in a secrets manager and to use a wrapper that makes the secrets available as environment variables only for the duration of the wrapper process.
Among the tools that I can recommend: pass, gopass, summon.
For example, once the secrets are stored in GPG and you have the gpg-agent configured, you can run:
```shell
TF_VAR_secret=$(pass gc/myproject) terraform ...
```
This will tell the shell to set the environment variable TF_VAR_secret to the output of pass gc/myproject.
That command tells pass to use gpg and gpg-agent to read the value of the secret stored at gc/myproject.
secret is a Terraform variable and TF_VAR_secret tells Terraform to fill that variable from that environment variable. (See Terraform documentation).
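The wrapper idea from this answer, as an added example that is not the answerer's code: secrets are read from pass (or any source) and placed under TF_VAR_<name> in the child process's environment only, so they never persist in the calling shell or process. The pass entry gc/myproject is the answer's; the demo value and the Python child command are constructed stand-ins for terraform.

```python
import os
import re
import subprocess
import sys

# Terraform variable names: letter or underscore first, then letters, digits, _ or -.
TF_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")

def read_from_pass(entry):
    """Read one secret from the pass store (gpg-agent must already be unlocked)."""
    out = subprocess.run(["pass", "show", entry], check=True, capture_output=True, text=True)
    return out.stdout.splitlines()[0]

def tf_var_env(secrets):
    """Map variable names to TF_VAR_<name>; a bad name raises instead of being ignored."""
    env = {}
    for name, value in secrets.items():
        if not TF_NAME_RE.match(name):
            raise ValueError(f"not a valid Terraform variable name: {name!r}")
        env[f"TF_VAR_{name}"] = value
    return env

def run_with_secrets(command, secrets):
    """Run `command` with TF_VAR_* present only in the child's environment.
    os.environ is copied, not modified, so nothing persists in this process or
    in the shell that launched it; the child's stdout is returned for inspection."""
    child_env = {**os.environ, **tf_var_env(secrets)}
    done = subprocess.run(command, env=child_env, capture_output=True, text=True)
    return done.returncode, done.stdout

def demo(value="constructed-demo-value"):
    """Constructed check: the child sees TF_VAR_secret, the parent process never does."""
    child = [sys.executable, "-c", "import os; print(os.environ['TF_VAR_secret'])"]
    rc, out = run_with_secrets(child, {"secret": value})
    return rc, out.strip(), "TF_VAR_secret" in os.environ

if __name__ == "__main__":
    # Real use (needs pass and gpg-agent):
    # run_with_secrets(["terraform", "plan"], {"secret": read_from_pass("gc/myproject")})
    print(demo())
```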