I currently have azure app registrations setup for authentication with Open ID connect using JWT. I have an app secret configured in appsettings.json , however i have read that using a certificate is better. Why is this?
Not one for posting ambiguous or discussion posts but i'm a bit stuck. I have found some Microsoft guides for configuring the certificate by creating a self signed certificate but other than that i can't find any decent documentation about what's involved.
So you wanted to use azure key vault for certificate and secret then probably you have taken a right decision.
As you may know cloud applications and services use cryptographic keys and secrets to help keep information secure.
For highly sensitive data, you should consider additional layers of protection for data. Encrypting data using a separate protection key prior to storage in Key Vault is worthwhile for example.
Azure Key Vault safeguards these keys and secrets. When you use Key Vault, you can encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using keys that are protected by hardware security modules.
You can check for more details here
Access Your Key Vaults More securely
You may need to access your key vault more securely because of its data sensitivity learn more about Secure access to a key vault
How secret and Certificate collaborate with azure key vault
Also for key vault secret and certificate you can check here
Azure key vault quick start
Setting up and retrieve a secret from Azure Key Vault using the Azure portal you can quickly start from Microsoft official document for azure key vault
Related
I have a Azure Logic App, which is connecting to the SQL Server Database. Currently I am saving the connection string in configurations section of the logic app.
I am planning to use the azure keyvault and get the connection string from there.
I have gone through the online articles which tells about the keyvault connector. but I am not looking for that.
I want to use the Keyvault secret for my sql server connections in the Azure Logic App.
I have also tried with the SQL GetRows as you can see below but I don't see any connection string textbox, where I can use the GetSecret Action Result
As #Skin mentioned You can use Azure Key Vault's Get Secret action in your case. For this search for Azure Key Vault Connector and select Get secret action.
Now you need to establish a connection to your Key Vault by providing your Vault name and Tenant.
Then select the secret that you want to retrieve
After you run the logic app you can see the value that got stored in your key vault.
In Vault:-
The connection strings are saved as application settings of the Logic App.
Change connection string in configuration
There you can edit the app setting related to your connection string (sql_connectionString in my case) with #Microsoft.KeyVault(SecretUri=<keyvault name>.vault.azure.net/secrets/<name of your secret>) or optionally #Microsoft.KeyVault(SecretUri=<keyvault name>.vault.azure.net/secrets/<name of your secret>/<version>).
Once you save your application settings, you will see a green check and Key vault Reference in the source column of your application setting.
Key vault Reference
I created an Azure Function to load data from Eudonet CRM to my Azure SQL Database. I have two databases :
named Datawarehouse
named Datawarehouse-Dev
Both databases are identical and are in the same server.
When I load data directly to "Datawarehouse" the copy works fine, but when I change the database name to "Datawarehouse-Dev", I receive the following errors :
Index #0 Message: Login failed for user 'AzureFunction'. LineNumber: 65536 Source: Core .Net SqlClient Data Provider Procedure: Error Code:18456
-- Sql server error. If error code <17: => check sql transac code (user error). Else: => software or hardware errors (check availability of database)
Login failed for user 'AzureFunction'.
If anyone has an idea on where the problem could come from I would be very grateful and I also don't understand why there is an authentification error since they're both in the same server and are accessed with the same user/password.
Thanks in advance
Though #adnane already resolved the issue after using the connection string directly into Function application setting instead of storing it into Vault. This approach might compromise the application security because using connection string directly might expose it to unauthorized person.
Azure Key Vault is a good place to keep our application credentials in a secured and centralized manner. Moving the secrets to Key Vault becomes even more important while our Azure solution is growing.
In case, if anyone still looking for the solution by storing the connection string in Azure Key Vault and then using it in the Function, please follow the below steps.
Firstly, open the Azure Key Vault service and from the Settings menu select Access policies. Then select + Add new access policy.
Then choose Select principal and search for the name of the Function App as shown in below example.
Once your principal is selected choose the Secret permissions menu. In this case, we’ll only need to get the secret from the Key Vault (concretely read our connection string). Therefore, check Get permission only and then select OK.
At the end, select Save to store the new functionapp-demo-mw access policy.
ADDING SECRET TO AZURE KEY VAULT
Adding a secret to Azure Key Vault is straightforward. From the Key Vault, Settings menu select Secrets and then select + Generate/Import secret.
For Key Vault secret two values are required – name and the value. In this case we’ve called our secret OrderManagementDbConnectionString and as a value we put our SQL Database connection string. Select Create to save the secret.
By default, the secret is Enabled so it’s ready to use. Once the secret is created, we’ll need to get its URI (a unique location identifying the secret). Go to the Settings menu and select Secrets. We’ll find here our recently added secret (OrderManagementDbConnectionString). Select the secret and we’ll see it’s the only version in the list.
Select the current version of secret and copy its secret identifier. The identifier is an URI with pattern : https://<url_of_the_key_value>/<secret_name>/<secret_version>.
GETTING SECRET FROM KEY VAULT IN AZURE FUNCTION APP
Go back to the Azure Function App (functionapp-demo-mw) and on the Overview tab, select Configuration in Configured featured section.
Well, Select + New application settings. Put a name that describes the new setting (we’ve put OrderManagementConnectionString). At the end of the last year, Microsoft has added an option of sourcing Key Vault secrets directly from App Settings. This simplifies a lot the way how the secrets were used before. So, set the value of the setting to a secret reference in the following format:
#Microsoft.KeyVault(SecretUri=**secret_uri_with_version**)
We just need to replace secret_uri_with_version with the value we’ve previously copied from the secret in Azure Key Vault.
In Azure Function, you’ll just retrieve the value from the application settings and work with it the same way as it was directly a connection string stored in application settings.
// get value from appliction settings
var connectionString = Environment.GetEnvironmentVariable("OrderManagementConnectionString");
// create connection
SqlConnection connection = new SqlConnection(connectionString);
I am using .net and python connectors to connect to Snowflake.
However, I have to either specify user/password to authenticate via Snowflake or via okta.
Is there a way I can do this without specifying password? Basically, if you are running this as a process on server (.net or python) I want dont want to keep password in config files etc.
Prefer to use something like below which uses IWA (Integrated Windows Authentication) but didnt see such option in Snowflake documentation:
https://help.okta.com/en/prod/Content/Topics/Directory/Configuring_Agentless_SSO.htm
You can setup an RSA key pair instead of specifying a username and password. It's pretty straight forward if you follow their documentation.
From their documentation:
Snowflake supports using key pair authentication rather than the
typical username/password authentication. This authentication method
requires a 2048-bit (minimum) RSA key pair. Generate the PEM (Privacy
Enhanced Mail) public-private key pair using OpenSSL. The public key
is assigned to the Snowflake user who will use the Snowflake client.
https://docs.snowflake.com/en/user-guide/python-connector-example.html#using-key-pair-authentication
If you want to use username/password but don't want to store them, I use the Snowflake python library through Databricks and store my credentials in Azure Key Vault so they aren't stored in my code.
I am looking for some RBAC role at subscription level, something like 'Reader' but unlike Reader, it should not allow accessing Key Vault secrets and Azure Storage blob keys. Is there any such role at subscription level?
something like 'Reader' but unlike Reader, it should not allow accessing Key Vault secrets and Azure Storage blob keys.
In your case, the Reader role is suitable.
To access the azure keyvault secret/key/certificate, the user needs to assigned corresponding permissions like get, list, set, delete in Access policies. Without the permissions, he will not be able to access them. But you should note, don't assign the user as the Owner/Contributor/Key Vault Contributor roles(maybe there are other roles, just a tip), because the user with these roles can add himself to the Access policies.
More details about keyvault access control, see this link.
To access the Azure Storage blob keys, the user will need Microsoft.ClassicStorage/storageAccounts/listKeys/action permission which the Reader does not have, so it is also suitable.
Have a test for you with the Reader role:
Storage:
Keyvault:
I am planning to save customer's sensitive information through SQL Server certificate/ (a)symmetric keys. Though data is secure now, certificate and keys are not readable, i wonder where should i put the keys? Is there any best practices? only thing i could think of is to create table only accessible to dbo or dedicated login and save there. Please give me your valuable advices.
Thanks,
Ebe.
hash the password and store the hash. if the user forgets the password send him a new one.
also give him an option to change it.
also think about implementing openId registration so you won't have to worry about logins.
Certificates can be encrypted with the database master key and the database master key can be encrypted with the server master key. The server master key is encrypted using DPAPI with the machine key and/or the account key. This is all explained in the Encryption Hierarchy.
An automated service that needs access to the encrypted data secrets can rely on this encryption hierachy. Data is protected at runtime using normal access protection (access conrrol lists and grant/deny/revoke permissions for SELECT), the encryption is added just to provide accidentall media compromise protection. Accidental media compromise protection ultimately relies on the service account password and/or on the host machine system account security.
If you need stronger protection in case of physicall loss you must use SQL 2008 and rely on the EKM infrastructure (Extensible Key Management), create a master key stored on a physical device. This will add security in case of media compromise because an attack needs physical access to the hardware crypto module that stores the master key.
A process that does not need access to the secrets does not need any of these. The access is obtaines by passwords provided by the client applications in this case, and those passwords are usually obtained from the user itself.
If you're system is of the former type (needs automated access to the secrets and does not ask the current user for an access password to the secrets) then the way to go is use the ecryption hierarchy (database master key, service master key). If the app is of the later type (it asks the user for a password to access the user's own specific secrets) then the proper solution is to have a master assymetric key encrypted with a password provided by the user.
Nowhere, and I must emphasize and repeat, NOWHERE in these schemes is there any room for a secret saved into a file, or a master password saved into a table. That is just a major design #FAIL.
Filesystem. A configuration file for example, under a directory that only the account under which your application runs can read and/or write. That assumes that you trust your data center folks of course.
On the other hand, maybe I'm not getting your question quite right. If you just want to store user passwords on a table, you should hash them (use a salt) using SHA-1 ideally. Never store passwords in clear text, regardless of the DB permissions you're using.