In preview: Azure Key Vault extension for Arc enabled servers

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Love them or hate them, certificates are an integral part of running applications. Whether you're securing a website with HTTPS or authenticating to another server, you'll always need a way to securely deploy and renew certificates on your servers. This can be difficult to orchestrate at scale, especially if you need to share the same certificate across multiple servers. That's why we're excited to announce the public preview of the Azure Key Vault certificate sync extension for Arc enabled servers!

The Azure Key Vault extension simplifies deployment across multiple machines by making Key Vault the central place to keep your certificate up to date. Instead of individually copying the certificate to each machine, the PKI admin just has to upload or generate certificates in a Key Vault and configure which servers are allowed to download them. Then, the server admin deploys the Azure Key Vault extension to their servers--the same extension works for both Azure and Arc enabled servers--and specifies which certificates should be installed on the server, and how frequently the server should check for updates. From there, the extension takes care of the rest. It uses the unique managed identity assigned to every Arc enabled server to authenticate to Azure Key Vault and download the certificates. When it comes time to renew a certificate, the PKI admin only needs to update the copy in Key Vault. The extension will take care of downloading it to each server automatically.

[Figure: akv_flow.png]

Try it out

Ready to try the AKV extension on your servers? Here's what you'll need to get started:

  1. An Arc enabled server running Windows, Ubuntu 16.04/18.04, or SUSE Linux Enterprise Server 15. Don't have an Arc enabled server yet? Learn how to onboard a machine running on-premises or in another cloud.
  2. An Azure Key Vault with at least one certificate in it. The AKV certificate quickstart article can help you get this set up (you can skip the "export certificate" step).
  3. The Azure Connected Machine PowerShell module (Az.ConnectedMachine), which can be installed on your local machine or used in the Azure Portal with Cloud Shell. You can manage Azure Key Vault and the AKV Extension with the Azure CLI module, but in this blog post we'll focus on PowerShell only. 

Permissions

With those resources created, the next step is to grant the Arc enabled server access to the certificate. Every Arc enabled server has a system-assigned managed identity associated with it. The Azure Key Vault extension uses this identity when it needs to authenticate with your vault and retrieve the certificate. Every Arc enabled server needs GET and LIST permissions on the secrets in your Key Vault. For larger deployments, you may want to put your Arc enabled server identities in an AAD security group and grant that security group access to the vault instead.

You can configure permissions on your vault by going to it in the Azure Portal, clicking Access policies in the navigation pane, and then Add Access Policy. In the Secret permissions drop down, tick the boxes for Get and List. Then, next to Select Principal, click None selected to open the AAD object picker. Search for your Arc enabled server by its name, click it, then click Select. Click Add to finish configuring the Arc enabled server's permissions then click Save to commit the change.

If you're using the Azure Key Vault RBAC preview, grant the Arc enabled server the Key Vault Secrets User (preview) role in Access control (IAM) for the vault.
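
The portal steps above can also be scripted. This is an added example, not code from the original post: it resolves the Arc enabled server's system-assigned identity and grants it only GET and LIST on secrets (or, for an RBAC vault, the role at vault scope). It assumes the Az.Accounts, Az.KeyVault and Az.ConnectedMachine modules are installed, that you are signed in with rights on the vault, and that the machine object exposes an IdentityPrincipalId property (an assumption about the module); the CAPS values are placeholders.

```powershell
# Added example (not from the original post). Placeholders in CAPS.
$ResourceGroup  = "ARC_SERVER_RG_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$VaultName      = "YOURVAULTNAME"

# Resolve the object id of the server's system-assigned managed identity.
# IdentityPrincipalId is assumed to be the property name on the machine object.
$arcMachine  = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $ArcMachineName
$principalId = $arcMachine.IdentityPrincipalId
if (-not $principalId) {
    throw "$ArcMachineName has no system-assigned identity; confirm it is onboarded to Arc."
}

# Option A: vault uses access policies. Least privilege for the extension is
# get + list on *secrets* only; it does not need key or certificate permissions.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets get,list

# Option B: vault uses Azure RBAC. Assign the role at vault scope instead of
# option A. Use the role name exactly as shown in the vault's Access control (IAM)
# blade (the post calls it "Key Vault Secrets User (preview)").
# $vault = Get-AzKeyVault -VaultName $VaultName
# New-AzRoleAssignment -ObjectId $principalId `
#     -RoleDefinitionName "Key Vault Secrets User (preview)" -Scope $vault.ResourceId

# Verify: the identity should appear with exactly get and list on secrets.
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object ObjectId -eq $principalId |
    Select-Object ObjectId, PermissionsToSecrets
```

For the AAD-group approach mentioned above, pass the group's object id to -ObjectId instead of the machine's and add servers to the group as you onboard them.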

Deploy the extension (Windows)

Finally, we just need to deploy the AKV extension to the Arc enabled server to tell it which certificates to sync, how frequently to check for updates, and where to put them on the machine. You'll need to update the script below with your own observed certificate URIs, Arc server resource group name, location, and resource name. To deploy it, you'll need the Az.ConnectedMachine PowerShell module, which can be obtained by running Install-Module Az.ConnectedMachine.

$Settings = @{
    secretsManagementSettings = @{
        observedCertificates = @(
            "https://YOURVAULTNAME.vault.azure.net/secrets/YOURCERTIFICATENAME"
            # Add more here in a comma separated list
        )
        certificateStoreLocation = "LocalMachine"
        certificateStoreName = "My"
        pollingIntervalInS = "3600" # every hour
    }
    authenticationSettings = @{
        # Don't change this line, it's required for Arc enabled servers
        msiEndpoint = "http://localhost:40342/metadata/identity"
    }
}

$ResourceGroup = "ARC_SERVER_RG_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$Location = "ARC_SERVER_LOCATION (e.g. eastus2)"

New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForWindows" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForWindows" -Setting (ConvertTo-Json $Settings)

Wait for the extension to finish installing, then check the Local Machine certificate store. You should see your certificate! If the extension deployed successfully but you aren't seeing the certificate, double-check that the server has GET and LIST access to secrets in the vault.
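
Eyeballing the store tells you a certificate is present, not that it is the current one. The following is an added example (not from the original post) that checks the extension's provisioning state and then compares the thumbprint of the certificate currently in Key Vault with what is installed in LocalMachine\My on the server, which is how you spot a renewal that the extension has not yet picked up. It assumes the Az.KeyVault and Az.ConnectedMachine modules on your workstation and WinRM access to the Arc server for Invoke-Command; CAPS values are placeholders.

```powershell
# Added example (not from the original post). Placeholders in CAPS.
$ResourceGroup  = "ARC_SERVER_RG_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$VaultName      = "YOURVAULTNAME"
$CertName       = "YOURCERTIFICATENAME"

# 1. Extension state as Azure sees it (runs from the workstation).
$ext = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup `
        -MachineName $ArcMachineName -Name "KeyVaultForWindows"
"Extension provisioning state: $($ext.ProvisioningState)"

# 2. Thumbprint of the certificate version currently in the vault.
$vaultThumb = (Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName).Thumbprint

# 3. On the server: is that exact certificate in the store the extension targets?
#    The store path matches certificateStoreLocation/certificateStoreName above.
$result = Invoke-Command -ComputerName $ArcMachineName -ArgumentList $vaultThumb -ScriptBlock {
    param($expected)
    $installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $expected
    if ($installed) {
        "OK: $($installed.Subject) [$expected] installed, expires $($installed.NotAfter)"
    } else {
        # Either the poll interval (3600 s in the settings above) has not elapsed
        # since the cert was renewed, or the identity lacks GET/LIST on secrets.
        "MISSING: $expected not in LocalMachine\My; check pollingIntervalInS and vault permissions"
    }
}
$result
```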

Deploy the extension (Linux)

The extension works almost the same for Linux, except instead of putting the certificate in a certificate store, you'll pick a path on the filesystem to place it. You'll need to update the script below with your own observed certificate URIs, Arc server resource group name, location, and resource name. To deploy it, you'll need the Az.ConnectedMachine PowerShell module, which can be obtained by running Install-Module Az.ConnectedMachine.

$Settings = @{
    secretsManagementSettings = @{
        observedCertificates = @(
            "https://YOURVAULTNAME.vault.azure.net/secrets/YOURCERTIFICATENAME"
            # Add more here, don't forget a comma on the preceding line
        )
        # The cert store location is optional, the default path is shown below
        # certificateStoreLocation = "/var/lib/waagent/Microsoft.Azure.KeyVault.Store/"
        pollingIntervalInS = "3600" # every hour
    }
    authenticationSettings = @{
        msiEndpoint = "http://localhost:40342/metadata/identity"
    }
}

$ResourceGroup = "ARC_SERVER_RESOURCE_GROUP_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$Location = "ARC_SERVER_LOCATION (e.g. eastus2)"

New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForLinux" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForLinux" -Setting (ConvertTo-Json $Settings)

Wait for the extension to finish installing, then check the /var/lib/waagent/Microsoft.Azure.KeyVault.Store/ directory to find your certificate!

Learn more

Have feedback on the AKV extension? Share it with us on UserVoice!
