Functionality and Usage of Key Vault - AZ-900 Certification Course

00:01

in this lesson we're going to explore

00:02

the functionality and usage of azure key

00:05

vault

00:06

now very often we're going to have some

00:09

application

00:13

that needs

00:14

a secret it needs maybe a password

00:18

maybe it needs some kind of shared

00:21

access signature or token to access some

00:24

other service maybe i need to go and

00:26

access some database something else

00:30

and we don't want to put those secrets

00:33

within our application code it's going

00:35

to get leaked it's not secure

00:37

i might need

00:39

keys i might need to store a private key

00:41

and perform cryptographic operations

00:44

then we have a whole set of web servers

00:46

and i'm using certificates so i need to

00:48

think about how do i distribute those

00:49

certificates how do i manage the life

00:52

cycle like renew them

00:54

so azure keyboard

00:56

is a service in azure that is designed

00:59

for exactly this

01:02

it supports three different types of

01:05

entity

01:06

so we have a secret

01:09

so a secret is something that i can both

01:12

read

01:14

and write

01:17

i.e it could be a password it could be

01:20

some

01:21

shared access signature but i can

01:24

add that secret to the key vault and i

01:26

can read it back out

01:28

then there's the idea of keys

01:31

now with a key i can generate it

01:34

i can import it so i could bring in an

01:37

existing

01:38

i can perform cryptographic actions

01:41

within the key vault

01:43

but i cannot export it i cannot get it

01:44

out

01:45

it lives within that key vault

01:48

and then i have to use it via the key

01:50

vault

01:51

then there's the idea of

01:52

certificates this is really all about

01:55

kind of the life cycle management

01:58

of those certificates

02:00

and also the distribution of them

02:04

now for some of these entities i have

02:06

the option of actually running this

02:08

azure key vault and the storage and

02:10

usage on top of hsms

02:14

so hsms are actual hardware security

02:17

modules designed for the storage and

02:20

safe keeping

02:21

of these types of entity that i want to

02:24

protect so these three different types

02:27

in terms of interacting with the key

02:29

vault you obviously it's an azure

02:30

resource so i have to authenticate to it

02:33

and then i can be given permission

02:35

to these now currently there's two

02:38

different types of authorization in

02:40

azure kevo

02:41

if we jump over and look at a key vault

02:44

what we can actually see

02:46

is

02:47

we have the old style so the old style

02:52

is when i look at my security we have an

02:56

access policy

02:58

and so an access policy is really just

03:00

about the idea i can add a certain user

03:03

and i can specify what permissions they

03:06

get

03:07

but it's for each of the three types but

03:09

it's not granular

03:11

i don't have the ability

03:14

to say well i get this permission to

03:15

read a specific secret

03:18

so i have the option of access policy

03:22

but it's not granular

03:24

it would be for everything of that type

03:27

within the vault

03:29

so in that model if i wanted people to

03:32

only have access to certain secrets i'd

03:34

have to put them in a different vault to

03:36

give them that set of permissions

03:38

or

03:40

i can use role-based access control

03:43

so in role-based access control that is

03:45

granular so i can think about hey i get

03:48

a great granularity

03:50

that i could have lots of secret or keys

03:52

or certificates in a single vote and

03:55

give different people access to

03:56

different secrets to different keys to

03:59

different certificates and perform

04:00

different actions

04:01

whereas access policy

04:03

it's really no granularity

04:06

it's just hey everything

04:08

within the vault of a certain type so

04:11

generally we're going to prefer that

04:12

role-based access control option and we

04:14

can see that so if i jump over to my

04:17

other keyboard

04:19

here if i look at my access policy i've

04:22

selected to use

04:24

azure role-based access control so i'm

04:26

not configuring any permissions here

04:30

i use the regular access control

04:33

and i do role assignments

04:35

and within here i can see things like

04:37

well there's a key vault administrator

04:40

but then i actually have different

04:43

permissions

04:45

on the actual different entities

04:46

themselves so at the key vault level

04:48

well i can't really see very much

04:51

because what i've done is i have

04:53

different secrets

04:54

and at an individual

04:56

secret levels if i select secret one

04:59

it has its own access control

05:02

and here we can see on this particular

05:04

secret hey clark kent

05:07

was given

05:09

the key vault reader role

05:11

and i can also see for a key vault

05:13

secrets user

05:16

hey bruce wayne actually has the ability

05:18

to use the secrets so this particular

05:21

secret bruce wayne can use but not clark

05:25

kent clark kent just says regular key

05:27

vault reader at the kind of the azure

05:28

resource manager level but doesn't have

05:30

access to the secret itself

05:32

if i looked at my other secret secret 2

05:36

looked at its access control

05:39

well then we'll see

05:41

hey this time

05:43

key vault secrets user

05:46

is clark kent so clark kent can read

05:49

this secret and not bruce wayne so we

05:52

get this really nice granularity

05:55

that we can do

05:57

now

05:58

one thing that's actually super common

06:00

is obviously i have to authenticate to

06:02

the keyboard in the first place i have a

06:03

chicken and egg problem i can't store

06:05

the password in the key vault that the

06:07

app's going to use to authenticate to

06:08

the keyboard

06:10

so a very common

06:11

combination of technologies is if this

06:14

was running in azure there's something

06:16

called managed identity

06:18

so managed identity is an identity that

06:22

is tied to

06:24

a particular instance of a compute

06:26

resource

06:28

and then what i could actually do as

06:29

part of this rbac for example or the

06:31

policy

06:32

i could give the apps managed identity

06:35

which is built in it's just available as

06:37

a token it can leverage

06:39

i would give that identity so app one's

06:43

managed identity some of these

06:44

permissions

06:49

so it's authenticated with its built-in

06:51

managed identity

06:52

and then it gets permissioned to

06:54

whatever its identity was given access

06:57

to

06:58

so that's really the idea

07:00

no azure key vault is also used by a lot

07:02

of azure functionality a lot of services

07:05

will let you bring your own key for

07:07

example to encrypt a storage account um

07:09

for a database encryption

07:11

when you bring your own key what it's

07:13

actually doing is it's that key is in

07:16

your key vault so you have management of

07:19

the key you can pick when to rotate it

07:22

when to revoke it

07:23

so if you do bring your own key what's

07:25

actually happening is

07:26

it's going to use azure key vault for

07:28

that so hey if i have the need for

07:30

secrets or keys or certificate

07:32

management in azure

07:34

i'm going to use azure keyboard