Exercise - Create a Key Vault and store secrets


Note

This exercise is optional. If you want to complete this exercise, you'll need to create an Azure subscription before you begin. If you don't have an Azure account or you don't want to create one at this time, you can read through the instructions so you understand the information that's being presented.

Note

You need to use a resource group to complete the steps in this exercise. You can use a resource group that you already created, or you can create a new resource group specifically for this exercise. Creating a new resource group makes it easier to clean up any resources that you create as you complete the exercise. If you don't have an existing resource group or you want to create a new one specifically for this exercise, you can follow the steps in Use the Azure portal and Azure Resource Manager to manage resource groups to create a resource group by using the Azure portal, or you can follow the steps in Manage Azure resource groups by using Azure CLI to create a resource group by using the Azure CLI.

Create Key Vaults for your applications

A best practice is to create a separate vault for each deployment environment of each of your applications, such as development, test, and production. You can use a single vault to store secrets for multiple apps and environments, but the impact of an attacker gaining read access to a vault increases with the number of secrets in the vault.

Tip

If you use the same names for secrets across different environments for an application, the only environment-specific configuration you need to change in your app is the vault URL.

Creating a vault requires no initial configuration, and you can start adding secrets immediately. With the vault access policy permission model, the identity that creates the vault is automatically granted the full set of secret management permissions. If the vault is created with Azure RBAC authorization instead (the default in recent versions of the Azure CLI), no data-plane permissions are granted automatically: assign yourself a role such as Key Vault Secrets Officer on the vault before you try to add a secret, or the request is rejected with a Forbidden error. After you have a vault, you can add and manage secrets from any Azure administrative interface, including the Azure portal, the Azure CLI, and Azure PowerShell. When you set up your application to use the vault, you need to assign the correct permissions to it, as described in the next unit.

Create the Key vault and store the secret in it

Given all the trouble the company has been having with application secrets, management asks you to create a small starter app to set the other developers on the right path. The app needs to demonstrate best practices for managing secrets as simply and securely as possible.

To start, create a vault and store one secret in it.

Create the Key Vault

Key Vault names must be globally unique, so pick a unique name. Vault names must be 3-24 characters long, contain only letters, digits, and hyphens, start with a letter, end with a letter or digit, and not contain consecutive hyphens. Make a note of the vault name you choose, because you need it throughout this exercise.

To create your vault, run the following command in Azure Cloud Shell. Replace <your-unique-vault-name> in the --name parameter with your unique vault name, and <your-resource-group-name> with the name of your resource group.

az keyvault create \
    --resource-group <your-resource-group-name> \
    --location centralus \
    --name <your-unique-vault-name>

When it finishes, you see JSON output describing the new vault. Check the properties.enableRbacAuthorization field in that output: it tells you whether the vault uses Azure RBAC (true) or vault access policies (false) for data-plane permissions, which determines whether you can add secrets right away or must first assign yourself a role.

Tip

The command uses the resource group you pass in the --resource-group parameter. In a Microsoft Learn sandbox, this would be the pre-created sandbox resource group. When working with your own subscription, either create a new resource group or use an existing one you previously created.

Add the secret

Now, add the secret. Our secret is named SecretPassword with a value of reindeer_flotilla. Replace <your-unique-vault-name> in the --vault-name parameter with the name of the vault you created. Note that this demo value is typed on the command line, so it is recorded in your shell history, and the command's JSON output echoes the value back to the terminal. For a real secret, supply the value from a file (--file) or an interactive prompt rather than inline, and add --output none so the value is not printed.

az keyvault secret set \
    --name SecretPassword \
    --value reindeer_flotilla \
    --vault-name <your-unique-vault-name>
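The two steps above, combined into one script as an added example (this is not code from the original exercise). It checks the vault name locally against the naming rules before calling Azure, pins the vault to the Azure RBAC permission model and grants the signed-in user the Key Vault Secrets Officer role on that vault only, reads the secret value from a no-echo prompt so it never lands in shell history, and verifies the write by reading back metadata rather than the value. It assumes the Azure CLI is installed and you have already run az login; the resource group, location, vault name and secret name are placeholders supplied through environment variables.

```shell
#!/bin/sh
# Added example, not part of the original exercise. Assumes Azure CLI is
# installed and `az login` has been run. All names below are placeholders.
set -eu

# Key Vault naming rules: 3-24 characters, letters, digits and hyphens only,
# must start with a letter, end with a letter or digit, no consecutive hyphens.
# Global uniqueness cannot be checked locally; the create call reports that.
validate_vault_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$' || return 1
  case $name in *--*) return 1 ;; esac
  return 0
}

# The only environment-specific value the app needs (see the tip above):
# the vault URL, derived from the vault name in the public Azure cloud.
vault_url() {
  printf 'https://%s.vault.azure.net' "$1"
}

# The Azure calls run only when VAULT_NAME is set, so the file can also be
# sourced for the helpers alone. Example (placeholder names):
#   VAULT_NAME=contoso-dev-kv RESOURCE_GROUP=rg-kv-demo sh kv-setup.sh
if [ -n "${VAULT_NAME:-}" ]; then
  RESOURCE_GROUP=${RESOURCE_GROUP:?set RESOURCE_GROUP to an existing resource group}
  LOCATION=${LOCATION:-centralus}
  SECRET_NAME=${SECRET_NAME:-SecretPassword}

  validate_vault_name "$VAULT_NAME" || {
    echo "invalid Key Vault name: $VAULT_NAME" >&2
    exit 1
  }

  # Step 1: create the vault, stating the permission model explicitly
  # instead of relying on the CLI default.
  az keyvault create \
    --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" \
    --name "$VAULT_NAME" \
    --enable-rbac-authorization true \
    --output none

  # Under RBAC the creator gets no data-plane rights automatically. Grant the
  # signed-in user secret management rights scoped to this one vault.
  vault_id=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
  me=$(az ad signed-in-user show --query id -o tsv)
  az role assignment create \
    --role "Key Vault Secrets Officer" \
    --assignee-object-id "$me" \
    --assignee-principal-type User \
    --scope "$vault_id" \
    --output none

  # Step 2: store the secret. Echo is turned off for the prompt so the value
  # is not in shell history or scrollback; --output none stops az from
  # printing it back. (It is still briefly visible in the process list.)
  printf 'Value for secret %s: ' "$SECRET_NAME"
  stty -echo; read -r SECRET_VALUE; stty echo; echo
  # Role assignments can take a minute to propagate, so retry a few times.
  for attempt in 1 2 3 4 5 6; do
    if az keyvault secret set --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
         --value "$SECRET_VALUE" --output none 2>/dev/null; then
      break
    fi
    [ "$attempt" -lt 6 ] || { echo "secret set failed after retries" >&2; exit 1; }
    sleep 10
  done
  unset SECRET_VALUE

  # Verify: read back the identifier and enabled flag, never the value.
  az keyvault secret show --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --query '{id:id, enabled:attributes.enabled}' -o tsv
  echo "App config value for this environment: $(vault_url "$VAULT_NAME")"
fi
```

The prompt needs an interactive terminal because of stty; in a pipeline, feed the value through --file instead. Scoping the role assignment to the vault's resource ID rather than the resource group keeps the grant as narrow as the exercise needs.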

Before you write the code for your app, you first need to learn a bit about how your app is going to authenticate to a vault.