
0 Votes
JuergenSwoboda-8053 asked SamaraSoucy-MSFT commented

Azure DTL - Mounting a file share with credentials stored in a keyvault

Hello,

We have an artifact which mounts a file share from a specific storage account, as described here: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-quick-create-use-windows. That works fine. The bad thing with this approach is that the storage account key must be stored in cleartext inside the PowerShell script. To avoid that, I have set up a keyvault with the secrets I want to use. But how can I connect to a keyvault inside an artifact? As far as I know, artifact installation always runs under the "NT_Authority\System" account. Sure, I could do a "Connect-AzAccount", but that Cmdlet needs a credential object as well. Can I run an artifact under a user principal which has access to the keyvault? Or are there better ways to do this?

Any help is appreciated.

azure-dtl-artifacts

0 Votes
SamaraSoucy-MSFT answered

This solution is a good one. To get the VM access to Key Vault without saving credentials, there is one extra step: you can add a User-Assigned Managed Identity to all of your VMs in the DTL instance using the policies. Any existing VMs will need to be restarted for this to be applied to them. In contrast, a regular service principal login would still need credentials.

![112378-add-identity-button.png][2]

From there, you can use Connect-AzAccount -Identity to log in to Azure PowerShell without credentials via that managed identity. You can give that managed identity access to the required information in Key Vault and apply the file share from there.
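The flow from the answer end to end, as an added example rather than the asker's artifact script or anything from the DTL documentation: log in with the VM's managed identity, read the storage account key from Key Vault as a SecureString, and mount the share with it. The vault, storage account, share and secret names are placeholders, and the identity is assumed to already have Get and List secret permissions on the vault.

```powershell
# Added example for a DTL artifact on a Windows VM with the user-assigned
# managed identity attached. All names below are placeholder assumptions.
$VaultName      = 'kv-dtl-placeholder'    # assumed Key Vault name
$StorageAccount = 'stdtlplaceholder'      # assumed storage account name
$ShareName      = 'artifacts'             # assumed file share name
$SecretName     = 'storage-account-key'   # assumed secret holding the account key
$DriveLetter    = 'Z'

Import-Module Az.Accounts, Az.KeyVault -ErrorAction Stop

# Log in as the VM's managed identity: no credential object, nothing stored in the script.
Connect-AzAccount -Identity -ErrorAction Stop | Out-Null

# Read the secret from the vault's data plane (https://<vault>.vault.azure.net).
# The key stays a SecureString; it is never written to the script, console or log.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'." }

# Same reachability check as the file share quickstart: SMB needs outbound TCP 445.
$endpoint = "$StorageAccount.file.core.windows.net"
if (-not (Test-NetConnection -ComputerName $endpoint -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $endpoint is blocked; the share cannot be mounted."
}

# Build the share credential directly from the SecureString (user is Azure\<account>).
$cred = New-Object System.Management.Automation.PSCredential(
    "Azure\$StorageAccount", $secret.SecretValue)

# Mount the share. -Persist is per user, so a mapping made by the artifact under
# NT AUTHORITY\SYSTEM is not visible to interactive users' sessions.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
    -Root "\\$endpoint\$ShareName" -Credential $cred -Persist -Scope Global | Out-Null

Write-Output "Mounted \\$endpoint\$ShareName as ${DriveLetter}:"
```

Rotating the storage account key then only means updating the secret in Key Vault; the artifact itself never changes.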




0 Votes
JuergenSwoboda-8053 answered SamaraSoucy-MSFT commented

Hello SamaraSoucy-MSFT,

Works like a charm, thank you very much! :)

Just one more question. First, I've set up a managed identity and gave it the "Read" and "List" permission in the keyvault (Vault access policy). But when I first tried out my script, I got the error message "Get-AzKeyVault : 'this.Client.SubscriptionId' cannot be null.".

So I gave the account the "Read" permission at the subscription level. Do I need the "Read" permission on the whole subscription or is there a more restricted permission which I can set?


Kind regards
Juergen


The first thing to check is whether you set 'Authorized application' app ID when you gave the managed identity access; that setting isn't compatible with managed identity and setting it could cause some access issues.

112821-2021-07-07-22-41-46-principal-microsoft-azure.png


0 Votes

Nice to know, but I didn't set an application. Just the secret permissions "Read" and "List" and the user-assigned managed identity principal. I think there was a misunderstanding. It's working fine now. I just wanted to ask if the managed identity needs the "Read" permission on the subscription (which, from my understanding, means the identity can read all detailed information on it) or if there is another permission like "Read-SubscriptionMetadata" to get it more restricted. I hope you get my point.

Kind regards
Juergen

0 Votes

I was asking because there have been other instances of this error caused by setting that value and I wanted to rule it out; I'm sorry for the confusion there. If that's not the problem, I'll continue looking at what can be done to reduce the permissions. Unless I'm incorrect in my understanding of Key Vault, the subscription-level read permissions shouldn't be required.

1 Vote