This document discusses several approaches for securely managing secrets in deployments, including using a release orchestrator, ARM templates, accessing secrets directly from Key Vault, and accessing supported services directly. It recommends using a release orchestrator for existing situations, ARM templates to avoid duplicating secrets manually, and directly accessing Key Vault or supported services when possible to allow secrets to be automatically picked up on deployment and rolled more easily. Config builders are also presented as a way to handle secrets for local development and deployments.
2. WONDERING WHO IS THAT GUY?
HENRY BEEN
Independent Devops & Azure Architect
E: consultancy@henrybeen.nl
T: @henry_been
L: linkedin.com/in/henrybeen
W: henrybeen.nl
4. THE NEED FOR SECRET MANAGEMENT
[Figure: the Develop, Build, Deploy and Operate stages, the first two labelled Dev, the last two Ops, and the whole labelled DevOps]
5. Secret management goals
• No team member needs production access
• Frequently change secrets
• Decouple authentication from authorization
• No secrets in source control
12. USING RELEASE ORCHESTRATOR
Pros:
• Secrets are pretty secure
• Easy to start with
• Fits existing situations
Cons:
• You see and copy secrets
• Secrets visible in portal
• Duplication of secrets
• Cannot roll secrets easily
13. Intermezzo: Roll a secret
Prerequisite: have primary & secondary secrets
1. Change the secret in release orchestrator to secondary secret
2. Release
3. Roll primary secret
4. Change the secret in release orchestrator to primary secret
5. Release
6. Roll secondary secret
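The six steps above only work because the service hands out two keys at once. The following C# model is an added example (not code from the slides) that walks through the sequence with a mock service, a mock release orchestrator and a mock running app, and checks after every step that the app still holds a key the service accepts. It also runs the one-key shortcut (roll, then release) to show the window in which the app is locked out. The service, key names and key values are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example: a model of the "roll a secret" procedure from the slide.
// A service issues two keys (primary, secondary); rolling a key invalidates
// the old value immediately, as a real storage or service bus key roll does.
class KeyedService
{
    // Constructed key values; a real service generates these.
    readonly Dictionary<string, string> keys = new Dictionary<string, string>
    {
        ["primary"] = "primary-v1",
        ["secondary"] = "secondary-v1",
    };
    int generation = 1;

    public string Get(string name) => keys[name];

    // Roll a key: the previous value stops authenticating at once.
    public void Roll(string name) => keys[name] = $"{name}-v{++generation}";

    public bool Authenticate(string presented) => keys.ContainsValue(presented);
}

// The release orchestrator holds one variable; Release() pushes it to the app.
class Orchestrator
{
    public string ConfiguredSecret;              // variable injected by the release
    public string Deployed { get; private set; } // what the running app uses now
    public void Release() => Deployed = ConfiguredSecret;
}

static class SecretRotation
{
    // The slide's sequence. Returns false if the running app would ever fail
    // to authenticate during the procedure.
    public static bool RollWithTwoKeys(KeyedService svc, Orchestrator orch)
    {
        bool ok = true;
        void Check() => ok &= svc.Authenticate(orch.Deployed);

        orch.ConfiguredSecret = svc.Get("secondary"); // 1. orchestrator -> secondary
        orch.Release(); Check();                       // 2. release (app now on secondary)
        svc.Roll("primary"); Check();                  // 3. roll primary; app unaffected
        orch.ConfiguredSecret = svc.Get("primary");    // 4. orchestrator -> new primary
        orch.Release(); Check();                       // 5. release (app now on new primary)
        svc.Roll("secondary"); Check();                // 6. roll secondary; app unaffected
        return ok;
    }

    // The shortcut with a single key: roll first, then release. The app is
    // locked out between the roll and the release.
    public static bool RollWithOneKey(KeyedService svc, Orchestrator orch)
    {
        bool ok = true;
        void Check() => ok &= svc.Authenticate(orch.Deployed);

        svc.Roll("primary"); Check();                  // app still presents the old primary
        orch.ConfiguredSecret = svc.Get("primary");
        orch.Release(); Check();
        return ok;
    }

    // Initial state: the app was deployed with the primary key.
    static Orchestrator DeployedOnPrimary(KeyedService svc)
    {
        var orch = new Orchestrator { ConfiguredSecret = svc.Get("primary") };
        orch.Release();
        return orch;
    }

    static void Main()
    {
        var svc = new KeyedService();
        Console.WriteLine($"two keys, app stays authenticated: {RollWithTwoKeys(svc, DeployedOnPrimary(svc))}");
        svc = new KeyedService();
        Console.WriteLine($"one key, app stays authenticated:  {RollWithOneKey(svc, DeployedOnPrimary(svc))}");
    }
}
```

The invariant the model checks is the one to watch in a real pipeline: at no point may the deployed configuration reference a key that has already been rolled, which is why the orchestrator is repointed and released before each roll rather than after it.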
16. USING ARM TEMPLATES
Pros:
• No manual copying or sharing of secrets
• No more manual duplication of Azure keys
Cons:
• Secrets visible in portal
• Still cannot roll secrets easily
18. HOWTO: Local Development
1. Grant your developer account access to (another) Key Vault
• Best alternative
• Requires your machine to be in the same AD domain
2. Only use Key Vault in Azure (locally use Web.config)
• You have to write code to do this (though pretty straightforward)
3. Manually create a development identity and use that
• However… do not check secrets into source control
20. DIRECTLY ACCESS KEY VAULT
Pros:
• No manual copying or sharing of secrets
• No more duplication of Azure keys
• Secrets no longer visible in portal
• Changed secrets are automatically picked up
Cons:
• Only available on Azure Web Apps, Azure Functions and DataFactory V2
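Option 2 on the "Local Development" slide ("only use Key Vault in Azure, locally use Web.config") and the direct Key Vault access on this slide both come down to the same small piece of code. The following C# class is an added example, not code from the slides or from any Microsoft sample: in Azure it reads the secret from Key Vault with the app's managed identity, on a developer machine it reads the same setting name from Web.config / App.config. It uses the Azure.Identity and Azure.Security.KeyVault.Secrets packages; the vault URL, the setting names and the use of the WEBSITE_SITE_NAME environment variable as the "running in Azure" signal are this example's assumptions.

```csharp
using System;
using System.Configuration;                // System.Configuration.ConfigurationManager package
using Azure.Identity;                      // Azure.Identity package
using Azure.Security.KeyVault.Secrets;     // Azure.Security.KeyVault.Secrets package

// Added example: resolve a secret from Key Vault in Azure and from local
// config on a developer machine, so no secret is ever copied by hand.
public class SecretResolver
{
    readonly Uri vaultUri;
    readonly Func<bool> runningInAzure;

    public SecretResolver(Uri vaultUri, Func<bool> runningInAzure = null)
    {
        this.vaultUri = vaultUri;
        // Assumption: App Service and Azure Functions set WEBSITE_SITE_NAME.
        // Callers can pass their own detection instead.
        if (runningInAzure == null)
            runningInAzure = InAzureByEnvironment;
        this.runningInAzure = runningInAzure;
    }

    static bool InAzureByEnvironment() =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME"));

    public string Resolve(string name)
    {
        if (!runningInAzure())
        {
            // Local development: the value comes from Web.config / App.config.
            // It is a development-only secret and the file is not checked in.
            var local = ConfigurationManager.AppSettings[name];
            if (local == null)
                throw new InvalidOperationException($"no local setting '{name}'");
            return local;
        }

        // In Azure: DefaultAzureCredential picks up the managed identity of the
        // Web App or Function, so no key or certificate is configured anywhere.
        // Every call reads the current secret version, so a rolled secret is
        // used on the next Resolve() without a redeploy.
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = client.GetSecret(name);
        return secret.Value;
    }
}

// Placeholder vault; the caller would read it from configuration.
// var resolver = new SecretResolver(new Uri("https://my-app-vault.vault.azure.net/"));
// string cs = resolver.Resolve("StorageConnectionString");
```

If you prefer option 1 (grant the developer account access to a development vault), drop the local branch: DefaultAzureCredential also tries the developer's Azure CLI and Visual Studio sign-in when no managed identity is present, so the same Key Vault code then runs unchanged on the developer machine against the development vault.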
23. DIRECTLY ACCESS SERVICE
Pros:
• No more secrets
Cons:
• Only available on Azure Web Apps, Azure Functions and DataFactory V2
• Only on supported services
24. Supported services
• Azure Resource Manager
• Azure Key Vault
• Azure Data Lake
• Azure SQL DB
• Azure Event Hubs
• Azure Service Bus
• Azure Storage
https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi
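For the services in the list, the application's identity replaces the secret entirely. The following C# is an added example (not code from the slides) showing what that looks like for two of them: Azure Storage, where the SDK exchanges the identity for a token by itself, and Azure SQL DB, where the code requests a token for the SQL resource and hands it to the connection instead of a password. It uses the Azure.Identity, Azure.Storage.Blobs and Microsoft.Data.SqlClient packages; the account, server, database and container names are placeholders, and the RBAC role and database user mentioned in the comments are the usual prerequisites, not something the slides specify.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;                      // Azure.Identity package
using Azure.Storage.Blobs;                 // Azure.Storage.Blobs package
using Microsoft.Data.SqlClient;            // Microsoft.Data.SqlClient package

// Added example: reach two of the supported services with the app's identity
// only, so there is no key or password to store, copy or roll.
public static class IdentityOnlyClients
{
    // In Azure this resolves to the managed identity of the Web App / Function.
    static readonly TokenCredential Credential = new DefaultAzureCredential();

    // Azure Storage. The identity needs a data-plane role on the account,
    // for example "Storage Blob Data Reader" (assumption about your setup).
    public static async Task<long> CountBlobsAsync(string accountName, string container)
    {
        var service = new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net"), Credential);

        long count = 0;
        await foreach (var _ in service.GetBlobContainerClient(container).GetBlobsAsync())
            count++;
        return count;
    }

    // Azure SQL DB. The identity must exist as a contained database user
    // (CREATE USER [app-name] FROM EXTERNAL PROVIDER), again an assumption.
    public static async Task<string> WhoAmIAsync(string server, string database)
    {
        // Token for the SQL resource, obtained with the identity, never stored.
        AccessToken token = await Credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }),
            default);

        using var conn = new SqlConnection(
            $"Server=tcp:{server}.database.windows.net,1433;Database={database};Encrypt=True;");
        conn.AccessToken = token.Token;    // no User ID / Password in the connection string
        await conn.OpenAsync();

        using var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
        return (string)await cmd.ExecuteScalarAsync();
    }
}
```

Because nothing secret is configured, rolling keys becomes a non-issue for these two services: revoking access is a role assignment or a database user change, which is the "decouple authentication from authorization" goal from the start of the deck.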
32. WHAT TO USE WHEN?
Manual deployment: NEVER EVER EVUHRR
Use your release orchestrator: when you deploy only code
Keyvault and ARM templates: when you also deploy infra
Application identity / KeyVault: when available & possible
Application identity / OAuth resource: when available & possible
Config builders: when available & possible
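The config builders row refers to the .NET configuration builders that fill appSettings values at runtime. The fragment below is an added example of a Web.config using the Azure Key Vault builder (Microsoft.Configuration.ConfigurationBuilders.Azure package); it is not taken from the slides. The vault name and the setting names are placeholders. The secrets never appear in the file: only the key names are checked in, and the builder replaces each placeholder value with the Key Vault secret of the same name when the app starts in Azure, authenticating with the app's identity.

```xml
<!-- Added example: Web.config fragment, not from the slides. Placeholder names. -->
<configuration>
  <configSections>
    <section name="configBuilders"
             type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             restartOnExternalChanges="false" requirePermission="false" />
  </configSections>

  <configBuilders>
    <builders>
      <!-- Strict mode: only keys already present in appSettings are looked up
           in the vault, so a typo in a key name fails loudly rather than
           silently pulling in an unrelated secret. -->
      <add name="KeyVault"
           vaultName="my-app-vault"
           mode="Strict"
           type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure" />
    </builders>
  </configBuilders>

  <!-- The keys document what the app needs; the values are placeholders that
       the builder overwrites with the secret of the same name at runtime. -->
  <appSettings configBuilders="KeyVault">
    <add key="StorageConnectionString" value="replaced-from-key-vault" />
    <add key="ServiceBusConnectionString" value="replaced-from-key-vault" />
  </appSettings>
</configuration>
```

For local development the same file works with option 2 from the "Local Development" slide: keep the real development values in a config file that is not checked in and leave the configBuilders attribute off appSettings there, or keep the builder and point vaultName at a development vault the developer account can read (option 1).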
33. DO TRY THIS AT HOME!