![Page 1: SECURE DEPLOYMENTS KEEPING YOUR SECRETS PRIVATE · 2. Only use Key Vault in Azure (locally use local configuration) •Default in ASP.NET Core 3. Manually create a development identity](https://reader034.vdocument.in/reader034/viewer/2022042314/5ee31252ad6a402d666d2cc5/html5/thumbnails/1.jpg)
SECURE DEPLOYMENTS: KEEPING YOUR SECRETS PRIVATE
Henry Been
"Locks" (CC BY-NC-ND 2.0) by wolf4max
WONDERING WHO IS THAT GUY?
HENRY BEEN
Independent Devops & Azure Architect
E: [email protected]
@henry_been
L: linkedin.com/in/henrybeen
W: henrybeen.nl
So…WHO DOES DEVOPS?
@henry_been
THE CASE FOR SECRET MANAGEMENT
Develop Build Deploy Operate
Dev Ops
DevOps
Secret management goals
No secret sharing or passing
Frequently change secrets
Have no secrets anymore
No secrets in source control
HOW NOT TO DO SECRET MANAGEMENT
HOW NOT TO..
1. Let operations deploy
2. Enter manually in the portal
3. Encrypted in source control
4. Use once, obscure https endpoint
Use once, obscure https endpoint
What is that?
Use once, obscure https endpoint
https://foo.bar/secrets
Use once, obscure https endpoint
Web Application → GET @ startup → https://foo.bar/secrets (works only once!)
Release Orchestrator → Deploy, Reset
So…HOW THEN?
Approach 1: USING RELEASE ORCHESTRATOR
VSTS (Secrets + Code) → Azure Web App
DEMO TIME! USING RELEASE ORCHESTRATOR
USING RELEASE ORCHESTRATOR
Pros
• Secrets are pretty secure
• Easy to start with
• Fits existing situations
Cons
• You see and copy secrets
• Secrets visible in portal
• Duplication of secrets
• Cannot roll secrets easily
Intermezzo: Roll a secret
Prerequisite: Have primary & secondary secrets
1. Change the secret in release orchestrator to secondary secret
2. Release
3. Roll primary secret
4. Change the secret in release orchestrator to primary secret
5. Release
6. Roll secondary secret
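The six steps rely on one invariant: the application is never configured with the key that is being rolled. The following is an added example, not code from the talk, that models the procedure with an in-memory service, release orchestrator and web app (all constructed stand-ins) so the invariant can be checked offline, and contrasts it with rolling the key the app is still using.

```python
"""Added example (not code from the talk): an in-memory model of the
'Intermezzo: Roll a secret' procedure. The service, release orchestrator and
web app are constructed stand-ins so the six steps can be checked offline."""
import secrets


class DualKeyService:
    """A backing service with a primary and a secondary key; either one authenticates."""

    def __init__(self):
        self.keys = {"primary": secrets.token_hex(16), "secondary": secrets.token_hex(16)}

    def roll(self, slot):
        """Regenerate one slot; the previous value of that slot stops working at once."""
        self.keys[slot] = secrets.token_hex(16)

    def authenticate(self, key):
        return key in self.keys.values()


class WebApp:
    """Holds whatever key its last deployment configured."""

    def __init__(self):
        self.configured_key = None

    def works_against(self, service):
        return service.authenticate(self.configured_key)


class ReleaseOrchestrator:
    """Stores the secret as a release variable and pushes it to the app on release."""

    def __init__(self, app):
        self.app = app
        self.variable = None

    def release(self):
        self.app.configured_key = self.variable


def setup():
    """Constructed starting state: the app was last released with the primary key."""
    service, app = DualKeyService(), WebApp()
    orchestrator = ReleaseOrchestrator(app)
    orchestrator.variable = service.keys["primary"]
    orchestrator.release()
    return service, orchestrator, app


def roll_both_keys(service, orchestrator, app):
    """The six steps from the slide. Returns a (step, app still works?) log and
    whether both keys ended up with new values, so a reader can confirm the app
    never loses access while both keys are rolled."""
    before = dict(service.keys)
    log = []

    def check(label):
        log.append((label, app.works_against(service)))

    orchestrator.variable = service.keys["secondary"]   # 1. point the release at the secondary
    orchestrator.release()                               # 2. release
    check("release on secondary")
    service.roll("primary")                              # 3. roll primary (app is on secondary)
    check("roll primary")
    orchestrator.variable = service.keys["primary"]      # 4. point the release at the new primary
    orchestrator.release()                               # 5. release
    check("release on primary")
    service.roll("secondary")                            # 6. roll secondary (app is on primary)
    check("roll secondary")

    both_changed = all(service.keys[s] != before[s] for s in ("primary", "secondary"))
    return log, both_changed


def roll_without_procedure(service, app):
    """What the procedure prevents: rolling the key the app is configured with
    breaks the app until the next release."""
    service.roll("primary")
    return app.works_against(service)
```

The model is deliberately simple: `check` after every step is the thing to keep when scripting this against a real service, since the only acceptable log is one where every entry is `True`.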
Approach 2: USING ARM TEMPLATES
VSTS (Code & Infra) → Azure: Web App, Key Vault
DEMO TIME! USING ARM TEMPLATES
USING ARM TEMPLATES
Pros
• No manual copying or sharing of secrets
• No more manual duplication of Azure keys
Cons
• Secrets visible in portal
• Still cannot roll secrets easily
Approach 3: DIRECTLY FROM KEY VAULT
VSTS (Code & Infra) → Azure: Web App → Key Vault
HOWTO: Local Development
1. Grant your developer account access to (another) Key Vault
• Very decent alternative
• Requires you to log in to Visual Studio using an authorized account
2. Only use Key Vault in Azure (locally use local configuration)
• Default in ASP.NET Core
3. Manually create a development identity and use that
• Downside: a shared identity is not really an identity
• However… do not check secrets for that identity into source control
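Option 2 above works because the local configuration never leaves the developer's machine. The following is an added example, not the talk's code, of a secret loader built that way: in Azure it reads Key Vault through the app's identity, in Development it reads a per-user file outside the repository (the same idea as ASP.NET Core user-secrets) and refuses a file that sits inside the source tree. `ASPNETCORE_ENVIRONMENT` as the switch, the secrets-file layout, the vault URL and the `demo()` scenario are assumptions made for this example.

```python
"""Added example (not the talk's code): option 2 from the slide, 'only use Key
Vault in Azure, locally use local configuration'. In Azure the secret comes
from Key Vault through the app's identity; in Development it comes from a
per-user file that lives outside the repository, the way ASP.NET Core
user-secrets do. ASPNETCORE_ENVIRONMENT as the switch, the file layout and
the vault URL are assumptions made for this example."""
import json
import os
import tempfile
from pathlib import Path
from typing import Mapping

ENV_SWITCH = "ASPNETCORE_ENVIRONMENT"   # assumed: same variable ASP.NET Core keys on


def local_secrets_path(home: Path, user_secrets_id: str) -> Path:
    """Assumed layout mirroring dotnet user-secrets: <home>/.microsoft/usersecrets/<id>/secrets.json."""
    return home / ".microsoft" / "usersecrets" / user_secrets_id / "secrets.json"


def is_inside(path: Path, root: Path) -> bool:
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def read_local_secret(secrets_file: Path, name: str, repo_root: Path) -> str:
    """Development path. Refuses a secrets file under the source tree: the
    'no secrets in source control' goal enforced at load time rather than by habit."""
    if is_inside(secrets_file, repo_root):
        raise RuntimeError(f"{secrets_file} is inside {repo_root}; it would end up in source control")
    return json.loads(secrets_file.read_text())[name]


def read_keyvault_secret(vault_url: str, name: str) -> str:
    """Azure path: the managed identity authenticates, so nothing secret is configured.
    Imported lazily so the Development path needs no Azure SDK installed."""
    from azure.identity import DefaultAzureCredential       # assumed available in Azure
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.get_secret(name).value


def get_secret(name: str, *, vault_url: str, secrets_file: Path, repo_root: Path,
               environ: Mapping[str, str] = os.environ) -> str:
    if environ.get(ENV_SWITCH) == "Development":
        return read_local_secret(secrets_file, name, repo_root)
    return read_keyvault_secret(vault_url, name)


def demo() -> dict:
    """Constructed scenario: a fake home directory and a fake repo in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        home, repo = Path(tmp) / "home", Path(tmp) / "repo"
        good = local_secrets_path(home, "example-app-id")
        good.parent.mkdir(parents=True)
        good.write_text(json.dumps({"StorageKey": "dev-only-value"}))   # constructed value
        bad = repo / "secrets.json"                                       # the mistake to catch
        bad.parent.mkdir(parents=True)
        bad.write_text(json.dumps({"StorageKey": "leaked-value"}))
        dev_env = {ENV_SWITCH: "Development"}
        vault = "https://example-vault.vault.azure.net"                   # placeholder vault URL
        result = {"dev_value": get_secret("StorageKey", vault_url=vault, secrets_file=good,
                                          repo_root=repo, environ=dev_env)}
        try:
            get_secret("StorageKey", vault_url=vault, secrets_file=bad, repo_root=repo, environ=dev_env)
            result["in_repo_rejected"] = False
        except RuntimeError:
            result["in_repo_rejected"] = True
        return result
```

Outside Development the loader takes the Key Vault path unconditionally, so a misconfigured environment variable fails loudly in Azure instead of silently reading a local file.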
DEMO TIME! DIRECTLY ACCESS KEY VAULT
DIRECTLY ACCESS KEY VAULT
Pros
• No manual copying or sharing of secrets
• No more duplication of Azure keys
• Secrets no longer visible in portal
• Changed secrets are automatically picked up
Cons
• Only on supported services
Approach 4: DIRECTLY ACCESS SERVICE
VSTS (Code & Infra) → Azure: Web App → AAD → Other Service
DEMO TIME! DIRECTLY ACCESS SERVICE
DIRECTLY ACCESS SERVICE
Pros
• No more secrets
Cons
• Only on supported services
Supported services
• Azure Resource Manager
• Azure Key Vault
• Azure Data Lake
• Azure SQL DB
• Azure Event Hubs
• Azure Service Bus
• Azure Storage
https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi
WHAT TO USE WHEN?
Manual deployment: NEVER EVER EVUHRR
Use your release orchestrator: When you deploy only code
Key Vault and ARM templates: When you also deploy infra
Application identity / Key Vault: When available & possible
Application identity / OAuth resource: When available & possible
WHAT IF YOU ARE NOT ON THE LATEST AND GREATEST?
Approach 5: KEY VAULT REFERENCE
1. Assign a managed identity
2. Give that identity access to a Key Vault
3. Reference secrets
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Approach 5: KEY VAULT REFERENCE
An officially unsupported alternative
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret)
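The two reference strings on these slides differ only in whether the secret version is pinned. As an added example (not from the talk), here is a parser for that `@Microsoft.KeyVault(SecretUri=...)` form and a small audit that runs over an app's settings to report which values are references, which are versionless, and which are still plain secrets sitting in configuration. The sample settings dict and the secret-looking-name heuristic are constructed for this example; the two reference values are the ones from the slides.

```python
"""Added example (not from the talk): a parser for the Key Vault reference
syntax shown on the slides, plus an audit over an app's settings that reports
which values are references and which are still plain secrets. The settings
dict and the 'looks like a secret' name heuristic are constructed here; the two
reference strings are the ones from the slides."""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# @Microsoft.KeyVault(SecretUri=<uri>) is the form on the slides; the reference is the whole setting value.
REFERENCE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)\s]+)\)$")
SECRET_LIKE = re.compile(r"key|secret|password|pwd|token|connectionstring", re.IGNORECASE)


@dataclass(frozen=True)
class KeyVaultReference:
    vault_host: str
    secret_name: str
    version: Optional[str]   # None for the versionless form


def parse_reference(value: str) -> Optional[KeyVaultReference]:
    """Return the parsed reference, None for a value that is not a reference at all,
    and raise ValueError for a value that claims to be a reference but is malformed."""
    match = REFERENCE.match(value.strip())
    if match is None:
        return None
    uri = urlparse(match.group("uri"))
    if uri.scheme != "https" or not uri.netloc.endswith(".vault.azure.net"):
        raise ValueError(f"not an https Key Vault URI: {match.group('uri')}")
    parts = [p for p in uri.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        raise ValueError(f"expected /secrets/<name>[/<version>], got {uri.path}")
    return KeyVaultReference(uri.netloc, parts[1], parts[2] if len(parts) == 3 else None)


def audit_settings(settings: Dict[str, str]) -> Dict[str, str]:
    """Classify each app setting. 'plain secret' means a secret-looking name whose
    value sits in the configuration itself (visible in the portal and to anyone who
    can read the settings), which is exactly what the reference form removes."""
    report = {}
    for name, value in settings.items():
        try:
            ref = parse_reference(value)
        except ValueError as exc:
            report[name] = f"malformed reference ({exc})"
            continue
        if ref is None:
            report[name] = "plain secret" if SECRET_LIKE.search(name) else "plain value"
        elif ref.version is None:
            # versionless: follows the vault's current version; unsupported at the time of the talk
            report[name] = "reference, versionless"
        else:
            # pinned: a rolled secret is only picked up once the reference is updated
            report[name] = f"reference, pinned to version {ref.version}"
    return report


SAMPLE_SETTINGS = {  # constructed app settings for the demo
    "StorageKey": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)",
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret)",
    "ApiToken": "plain-text-value-that-should-not-be-here",
    "LogLevel": "Information",
    "Broken": "@Microsoft.KeyVault(SecretUri=http://myvault.vault.azure.net/secrets/mysecret)",
}
```

Running `audit_settings` over an exported app settings list is a cheap pre-release check: any `plain secret` or `malformed reference` line is a setting that will either expose a value in the portal or fail to resolve at runtime.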
Approach 6: App Configuration
1. Dedicated configuration store
2. Configuration, including secrets
3. Connect using a connection string (location + key)
Approach 6: App Configuration
App Configuration
Approach 6: App Configuration
Web Application → GET @ startup → App Configuration
WHERE DO WE STORE THE KEY???
Approach 6: App Configuration
WHERE DO WE STORE THE KEY???
YES, IT IS TURTLES ALL THE WAY DOWN…
ONE MORE THING…
Microsoft Security Static Analysis Tools
DO TRY THIS AT HOME!
HENRY BEEN
Independent Devops & Azure Architect
E: [email protected]
@henry_been
L: linkedin.com/in/henrybeen
W: henrybeen.nl
Questions?
Now is the time!