When managing an Azure storage account, we all need to manage its access keys through the following interface, and in most cases we can keep them safe by regenerating the keys regularly.
But very often the storage account key is accidentally handed out to people: testers, administrators and others. If you need to control access to this storage account more tightly and allow only a specific application to use it, you can use Azure Active Directory (AAD) together with Key Vault to strengthen key management.
Step one: Create a new Key Vault with PowerShell
# Sign in to the Azure China environment (this line is reconstructed from the garbled original),
# then create the resource group and the Key Vault. The region is an assumption; choose your own.
Login-AzureRmAccount -EnvironmentName "AzureChinaCloud"
New-AzureRmResourceGroup -Name kvstorage -Location "China East"
New-AzureRmKeyVault -VaultName kvstorage -ResourceGroupName kvstorage -Location "China East"
Step two: Put the storage access key into the Key Vault
Suppose the access key we obtained is: password123456789
# Wrap the key as a SecureString and store it as the secret named "storage" (the name used in the URL later)
$secValue = ConvertTo-SecureString 'password123456789' -AsPlainText -Force
Set-AzureRmKeyVaultSecret -VaultName kvstorage -Name storage -SecretValue $secValue
Putting a key into the vault is that simple; what remains is to authorize the application to use it.
Step three: Create Azure AD Application
In the Azure management portal, open the Active Directory page and select the directory used by the current subscription.
Create a new Web application.
On the application's configuration page we can obtain the application's client ID, and we can also create an application key (client secret) here.
With this client ID we can authorize the application to access the Key Vault:
# Grant the application's service principal (identified by its client ID) Get permission on secrets only
Set-AzureRmKeyVaultAccessPolicy -VaultName kvstorage -ServicePrincipalName d7cb4add-5b31-44cc-9b25-4009d538f58f -PermissionsToSecrets Get
Click "View Endpoints" at the bottom of the management interface, where you can obtain a very important piece of information: the OAuth 2.0 token endpoint for the application:
At this point you have the following information ready:
clientid: {your App ID}
clientsecret: {your App key}
OAuth endpoint: https://login.chinacloudapi.cn/{your directory Id}/oauth2/token
With this information you can use Fiddler to simulate an application requesting the access key from the Key Vault through the REST API. Since these are all plain HTTP requests, it makes no difference whether your application is written in .NET, Java or PHP.
First we obtain the bearer token that allows the application to access the Key Vault from the OAuth 2.0 endpoint. We need to simulate an HTTP form POST, so the request body is:
grant_type=client_credentials&client_id={your app id}&client_secret={your app key}&resource=https%3a%2f%2fvault.azure.cn
Note that the app key must be URL-encoded: replace + with %2b, = with %3d, and / with %2f.
For example, the key:
glyo5drztxlyya+s7nxyclozdblmfh/f4kacfkixgh8=
becomes:
glyo5drztxlyya%2bs7nxyclozdblmfh%2ff4kacfkixgh8%3d
Please refer to: https://blogs.msdn.microsoft.com/dsadsi/2013/08/12/using-fiddler-to-acquire-a-jwt-json-web-token-for-use-with-the-graph-api/
The request headers are:
Accept: application/json
Content-Type: application/x-www-form-urlencoded
After clicking Execute, Fiddler posts the HTTP request to AAD for authentication, and we can see the returned token in Fiddler's response.
With the token issued for Key Vault, we can retrieve the storage account access key stored in the Key Vault.
First, we get the URI of this secret through PowerShell.
With this URI and the token, we only need to send an HTTP GET request via Fiddler to get the key.
The HTTP request headers are:
Accept: application/json
Authorization: Bearer {token obtained in the previous step}
Remember to include the api-version parameter in the requested URL, for example: https://kvstorage.vault.azure.cn/secrets/storage?api-version=2015-06-01
After clicking Execute, we can see the access key stored earlier in the response.
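The two REST exchanges just described, as an added Python example that is not code from the original post: it builds the token request (letting urlencode do the %2b/%2f/%3d substitution), reads the secret with the bearer token, and runs offline against a constructed fake of AAD and Key Vault. The directory id is a placeholder; the client id and the sample app key are the ones shown above.

```python
import json
import urllib.parse
import urllib.request
AUTHORITY = "https://login.chinacloudapi.cn"  # AAD endpoint for Azure China, as in the post
VAULT_RESOURCE = "https://vault.azure.cn"     # OAuth "resource" for Key Vault in Azure China
API_VERSION = "2015-06-01"                    # api-version the post uses

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials POST as (url, headers, body). urlencode() turns '+', '/' and
    '=' in the app key into %2B, %2F, %3D (hex case is irrelevant), the step the
    post does by hand for Fiddler."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "resource": VAULT_RESOURCE})
    headers = {"Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body

def build_secret_request(vault_name, secret_name, token):
    """GET for the secret; without api-version Key Vault rejects the request."""
    url = f"https://{vault_name}.vault.azure.cn/secrets/{secret_name}?api-version={API_VERSION}"
    return url, {"Accept": "application/json", "Authorization": f"Bearer {token}"}

def http_send(url, headers, body=None):
    """Real transport: urllib POSTs when data is given, otherwise GETs."""
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def fetch_storage_key(tenant_id, client_id, client_secret, vault_name, secret_name, send=http_send):
    """Token exchange followed by the secret read; `send` is injectable for offline runs."""
    token = json.loads(send(*build_token_request(tenant_id, client_id, client_secret)))
    if "access_token" not in token:
        raise RuntimeError(f"AAD rejected the request: {token.get('error_description')}")
    url, headers = build_secret_request(vault_name, secret_name, token["access_token"])
    secret = json.loads(send(url, headers))
    if "value" not in secret:  # e.g. the access policy does not grant Get on secrets
        raise RuntimeError(f"Key Vault rejected the request: {secret.get('error')}")
    return secret["value"]

def fake_send(url, headers, body=None):
    """Constructed stand-in for AAD and Key Vault so the whole flow runs offline."""
    if url.endswith("/oauth2/token") and "client_secret=" in (body or ""):
        return json.dumps({"token_type": "Bearer", "access_token": "constructed-token"})
    if headers.get("Authorization") == "Bearer constructed-token" and "api-version=" in url:
        return json.dumps({"value": "password123456789", "id": url.split("?")[0]})
    return json.dumps({"error": {"code": "Unauthorized"}})

if __name__ == "__main__":  # offline demo with the post's sample app key and client id
    print(fetch_storage_key("DIRECTORY-ID-PLACEHOLDER", "d7cb4add-5b31-44cc-9b25-4009d538f58f",
          "glyo5drztxlyya+s7nxyclozdblmfh/f4kacfkixgh8=", "kvstorage", "storage", send=fake_send))
```

Replace fake_send with the default http_send (and the placeholder with your directory id) to run it against the real endpoints.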
If you also want the storage access key to be regenerated automatically on a regular schedule, you can combine this with Azure Automation to generate new access keys and write them to the Key Vault, which makes the access key even more secure.
A detailed approach can be found in the following English-language blog post:
http://www.dushyantgill.com/blog/2015/04/26/say-goodbye-to-key-management-manage-access-to-azure-storage-data-using-azure-ad/
Leveraging Key Vault to enhance Azure Storage access key management