Lab 16 - Using Azure Key Vault for Managed Identities

Note - This lab requires an Azure Pass. Please see lab 00 for directions.

Lab scenario

When you use managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Microsoft Entra authentication.  However, not all Azure services support Microsoft Entra authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the managed identity to access Key Vault to retrieve the credentials.

Estimated time: 20 minutes

Exercise 1 - Use Azure Key Vault to manage Virtual Machine identities

Task 1 - Create a Windows Virtual Machine

  1. Browse to https://portal.azure.com.

  2. Select + Create a resource.

  3. Type Windows 11 in Search the Marketplace search bar.

  4. Select Windows 11 and from the plan dropdown choose Windows 11 Enterprise, version 21H2. Then choose Create.

  5. You will have to create an administrator username and password for the VM on the basics tab.

  6. On the Management tab, check the box to Enable system assigned managed identity.

  7. Go through the rest of the experience of creating a virtual machine.

  8. Select Create.

Task 2 - Create a Key Vault

  1. Sign in to https://portal.azure.com using a Global administrator account.

  2. At the top of the left navigation bar, select Create a resource.

  3. In the Search the Marketplace box type in Key Vault.

  4. Select Key Vault from the results.

  5. Select Create.

  6. Fill out all required information as shown below. Make sure that you choose the subscription that you're using for this lab. Note: the Key vault name must be unique. Look for a green checkmark to the right of the field.

  • Resource group - sc300KeyVaultrg
  • Key vault name - anyuniquevalue
  • On the Access Configuration page, select the Vault Access Policy radio button.

  7. Select Review + create.

  8. Select Create.

Task 3 - Create a secret

  1. Navigate to your newly created Key Vault.

  2. Select Secrets.

  3. Select + Generate/Import.

  4. In the Create a secret screen, from Upload options leave Manual selected.

  5. Enter a name and value for the secret. The value can be anything you want.

  6. Leave the activation date and expiration date clear, and leave Enabled as Yes.

  7. Select Create to create the secret.

Task 4 - Grant access to Key Vault

  1. Navigate to your newly created Key Vault.

  2. Select Access Policies from the menu on the left side.

  3. Select + Create.

  4. In the Add access policy section, under Configure from template (optional), choose Secret Management from the pull-down menu.

  5. For Select Principal, choose None selected to open the list of principals to select. In the search field enter the name of the VM you created in task 2. Select the VM in the result list and choose Select.

  6. Select Add.

  7. Select Save.
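The vault side of Tasks 2 through 4 can also be done from Az PowerShell. The following is an added example and is not part of the lab; it assumes the Az module is installed, that you have already run Connect-AzAccount as the same administrator used in the portal, and that the VM from Task 1 already exists. The resource group, VM and vault names are placeholders. Instead of the Secret Management template, which grants the identity broader rights on secrets, it grants only the `get` permission that Task 5 actually uses.

```powershell
# Added example (not part of the lab): Tasks 2-4 in Az PowerShell.
# Assumes: Az module installed, Connect-AzAccount already run, and the Task 1 VM exists.
$vmRg      = 'sc300-vm-rg'          # placeholder: resource group holding the Task 1 VM
$vmName    = 'sc300-mi-vm'          # placeholder: the VM from Task 1
$vaultRg   = 'sc300KeyVaultrg'      # resource group name used by the lab
$vaultName = 'anyuniquevalue'       # placeholder: must be globally unique
$location  = 'eastus'               # placeholder: any region you can deploy to

# Make sure the VM has a system-assigned managed identity (Task 1 enabled it in the portal;
# Update-AzVM turns it on for a VM that was created without one).
$vm = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $vmRg -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
}
$principalId = $vm.Identity.PrincipalId   # the service principal Key Vault will authorize

# Task 2: create the vault. No -EnableRbacAuthorization, so it uses the access policy model
# selected in the lab.
New-AzResourceGroup -Name $vaultRg -Location $location -Force | Out-Null
New-AzKeyVault -Name $vaultName -ResourceGroupName $vaultRg -Location $location | Out-Null

# Task 3: store the service credential as a secret. Reading it as a SecureString keeps the
# value out of the console transcript and shell history.
$secretValue = Read-Host -Prompt 'Secret value' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'mi-test' -SecretValue $secretValue | Out-Null

# Task 4: grant the VM identity only what Task 5 needs (get) rather than the full
# Secret Management template. -ObjectId takes the identity's principal id.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get

# Show the resulting policy entry for the VM identity so the grant can be reviewed.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object ObjectId -eq $principalId |
    Select-Object ObjectId, PermissionsToSecrets
```

Note that any Get-AzKeyVaultSecret you run here executes under your own administrator account, not the VM identity; the identity path is only exercised from inside the VM in Task 5.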

Task 5 - Access data with Key Vault secret with PowerShell

  1. In the lab virtual machine, open PowerShell.

  2. In PowerShell, send a web request to the Azure Instance Metadata Service endpoint (http://169.254.169.254, reachable only from inside the VM) to obtain an access token for Key Vault on behalf of the VM's managed identity. The Metadata header is required.

     $Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers @{Metadata="true"}
    
  3. Next, extract the access token from the response.

     $KeyVaultToken = $Response.access_token
    
  4. Use PowerShell's Invoke-RestMethod command to retrieve the secret you created earlier in the Key Vault, passing the access token in the Authorization header. You'll need the URI of your Key Vault, which is shown in the Essentials section of the Overview page of the Key Vault.

     Invoke-RestMethod -Uri "https://<your-key-vault-URI>/secrets/<secret-name>?api-version=2016-10-01" -Method GET -Headers @{Authorization="Bearer $KeyVaultToken"}
    
  5. You should receive a response that looks like the following:
     'My Secret' https://mi-lab-vault.vault.azure.net/secrets/mi-test/50644e90b13249b584c44b9f712f2e51 @{enabled=True; created=16…
    
  6. This secret can be used to authenticate to services that require a name and password.
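The following is an added example, not part of the lab, that carries Task 5 through end to end as reusable functions run inside the VM. It assumes the VM's system-assigned identity has the `get` permission on secrets for the vault, and `$VaultUri`, the secret name and the username are placeholders for your own values. Beyond the lab's steps it inspects the token's claims (without verifying the signature; Key Vault does that) to confirm the audience and expiry, and it returns the secret as a SecureString so it is not echoed to the console.

```powershell
# Added example (not part of the lab): Task 5 end to end, run inside the VM.
# Assumes the VM's system-assigned identity has 'get' on secrets for the vault.
$VaultUri   = 'https://anyuniquevalue.vault.azure.net'   # placeholder: from the vault's Overview page
$SecretName = 'mi-test'                                   # placeholder: the secret from Task 3

# Decode a JWT payload for inspection only; the signature is not checked here.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Ask the Instance Metadata Service for a token scoped to Key Vault. The endpoint is only
# reachable from inside the VM and refuses requests without the Metadata header, so the
# identity's token is never handed out over the network.
function Get-KeyVaultAccessToken {
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
    $resp   = Invoke-RestMethod -Uri $uri -Method GET -Headers @{ Metadata = 'true' }
    $claims = Get-JwtPayload -Jwt $resp.access_token
    if ($claims.aud -notmatch '^https://vault\.azure\.net/?$') {
        throw "Unexpected token audience: $($claims.aud)"
    }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    Write-Verbose "Token for principal $($claims.oid) expires at $expires"
    $resp.access_token
}

# Fetch the secret with the bearer token and hand it back as a SecureString so it is not
# printed or left in a plain-text variable longer than necessary.
function Get-KeyVaultSecretValue {
    param([Parameter(Mandatory)][string]$VaultUri, [Parameter(Mandatory)][string]$Name)
    $token = Get-KeyVaultAccessToken
    $uri   = "$VaultUri/secrets/$Name?api-version=2016-10-01"
    try {
        $secret = Invoke-RestMethod -Uri $uri -Method GET -Headers @{ Authorization = "Bearer $token" }
    } catch {
        # A 403 here usually means the access policy from Task 4 does not include 'get'.
        throw "Key Vault rejected the request for '$Name': $($_.Exception.Message)"
    }
    ConvertTo-SecureString -String $secret.value -AsPlainText -Force
}

$password = Get-KeyVaultSecretValue -VaultUri $VaultUri -Name $SecretName
# Step 6 of the task: use the secret as the password for a service that needs a name and password.
$cred = [pscredential]::new('svc-account', $password)   # placeholder username
```

Run it with `-Verbose` to see which principal the token was issued to and when it expires; the `oid` claim should match the VM identity's object id you granted in Task 4, which is a quick way to confirm the request really came through the managed identity rather than a cached user login.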