GilliVilla

Reputation: 5090

Storing and retrieving the SQL Admin password for SQL Azure

As I create a SQL Azure database using an ARM template, there is a need to provide the master SQL Admin password.

I intend to store this password value in Azure Key Vault and have the ARM template use just the secret identifier.

In an operational mode, the user/role creating and storing the password would be an Operations Manager, and the Deployment Engineer should have no idea about the password.

This being the context, is it sufficient to just create/store a [Secret] in Azure Key Vault, and have no usage of cryptographic keys?

Am I missing anything critical in my approach above?

Upvotes: 1

Views: 2017

Answers (2)

Leon Yue

Reputation: 16401

Key Vault helps you safeguard cryptographic keys and other secrets used by your applications, whether they are on-premises or in the cloud. More and more services on Azure are now integrating Azure Key Vault as their secret/key source for things like deployments, data or even disk encryption.

In Azure Resource Manager templates you can provide references to secrets in Azure KeyVault and in the 2.9 Azure SDK you can use the tools available in VS to make this as simple as saving the secret. There are a few steps needed to make this work, but we’ve made it easy for you in this release.

  1. Create a Key Vault for the secrets you want to use during deployment
  2. Put secrets into the vault
  3. Set properties on the Key Vault to allow Azure Resource Manager to retrieve secrets during deployment
  4. Author a deployment template to reference the secureStrings in the Key Vault

Note also, the user performing the deployment will need Read permissions to the secrets in the vault.

Reference: Key Vault Support in ARM Templates.

Here is a tutorial: Create an Azure Key Vault using an ARM template

It can help you store and retrieve the password from Azure Key Vault.

Hope this helps.

Upvotes: 1

Alberto Morillo

Reputation: 15608

You can retrieve it from the Key Vault store as shown below:

template.json:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "name": { "type": "string" },
            "location": { "type": "string" },
            "sku": { "type": "string" },
            "accessPolicies": { "type": "array" },
            "tenant": { "type": "string" },
            "enabledForDeployment": { "type": "bool" },
            "enabledForTemplateDeployment": { "type": "bool" },
            "enabledForDiskEncryption": { "type": "bool" }
        },
        "resources": [
            {
                "type": "Microsoft.KeyVault/vaults",
                "name": "[parameters('name')]",
                "apiVersion": "2016-10-01",
                "location": "[parameters('location')]",
                "properties": {
                    "enabledForDeployment": "[parameters('enabledForDeployment')]",
                    "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
                    "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
                    "accessPolicies": "[parameters('accessPolicies')]",
                    "tenantId": "[parameters('tenant')]",
                    "sku": {
                        "name": "[parameters('sku')]",
                        "family": "A"
                    }
                }
            }
        ]
    }

parameters.json:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "name": {
                "value": "ContosoAKV"
            },
            "location": {
                "value": "centralus"
            },
            "sku": {
                "value": "Standard"
            },
            "accessPolicies": {
                "value": []
            },
            "tenant": {
                "value": "XXXXXXXXXXXXXXXXXXXXXXXX"
            },
            "enabledForDeployment": {
                "value": false
            },
            "enabledForTemplateDeployment": {
                "value": true
            },
            "enabledForDiskEncryption": {
                "value": false
            }
        }
    }

Upvotes: 0
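The two answers above cover, respectively, the four-step flow and the vault resource itself; neither shows the piece the question actually asks about, the SQL server template consuming the secret and the parameter file that references it. The script below is an added example written for this page, not code from either answer or from Microsoft. All names are hypothetical (resource group rg-sql-demo, vault kv-sql-demo, secret sqlAdminPassword, server sqldemo-server) and it assumes a Linux/macOS shell with a logged-in Azure CLI. Two points it makes that the answers leave implicit: a plain Secret is enough, no Key object is involved; and the identity running the deployment needs the `Microsoft.KeyVault/vaults/deploy/action` permission on the vault (Contributor carries it; the custom role below carries only that) and does not need `get` on secrets, which is exactly what keeps the password away from the Deployment Engineer.

```shell
#!/usr/bin/env bash
# Added example, not code from either answer. Hypothetical names: resource group
# rg-sql-demo, vault kv-sql-demo, secret sqlAdminPassword, server sqldemo-server.
# Assumes a Linux/macOS shell with a logged-in `az` CLI. Source this file and
# call the functions in order as the relevant role.
set -euo pipefail

RG="${RG:-rg-sql-demo}"
LOCATION="${LOCATION:-centralus}"
VAULT="${VAULT:-kv-sql-demo}"
SECRET_NAME="${SECRET_NAME:-sqlAdminPassword}"

vault_id() { az keyvault show --name "$VAULT" --resource-group "$RG" --query id -o tsv; }

# Steps 1-3 (Operations Manager). Template deployment must be enabled on the vault
# or ARM refuses the reference. The password comes in on stdin, never as an argument.
ops_create_vault_and_secret() {   # usage: ops_create_vault_and_secret < password.txt
  az keyvault create --name "$VAULT" --resource-group "$RG" \
    --location "$LOCATION" --enabled-for-template-deployment true
  az keyvault secret set --vault-name "$VAULT" --name "$SECRET_NAME" --file /dev/stdin
}

# Custom role with only Microsoft.KeyVault/vaults/deploy/action: lets a deployment
# reference a secret without being able to read it (Contributor would also allow
# the deployer to rewrite the access policy and grant themselves "get").
write_deployer_role() {   # $1 = output path, $2 = subscription id
  cat >"$1" <<EOF
{
  "Name": "Key Vault Deployment Reference",
  "Description": "Reference vault secrets from ARM deployments without reading them",
  "Actions": [ "Microsoft.KeyVault/vaults/deploy/action" ],
  "AssignableScopes": [ "/subscriptions/$2" ]
}
EOF
}

ops_grant_deployer() {    # $1 = deployer object id (User; use ServicePrincipal for a pipeline)
  write_deployer_role /tmp/kv-deploy-role.json "$(az account show --query id -o tsv)"
  az role definition create --role-definition @/tmp/kv-deploy-role.json
  az role assignment create --assignee-object-id "$1" --assignee-principal-type User \
    --role "Key Vault Deployment Reference" --scope "$(vault_id)"
  # Deliberately no `az keyvault set-policy --secret-permissions get` for the deployer.
}

# Step 4 (Deployment Engineer). securestring keeps the value out of deployment
# history; the parameter file carries only the vault id and secret name.
write_sql_template() {    # $1 = output path
  cat >"$1" <<'EOF'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serverName": { "type": "string" },
    "sqlAdminLogin": { "type": "string" },
    "sqlAdminPassword": { "type": "securestring" }
  },
  "resources": [ {
    "type": "Microsoft.Sql/servers",
    "apiVersion": "2014-04-01",
    "name": "[parameters('serverName')]",
    "location": "[resourceGroup().location]",
    "properties": {
      "administratorLogin": "[parameters('sqlAdminLogin')]",
      "administratorLoginPassword": "[parameters('sqlAdminPassword')]"
    }
  } ]
}
EOF
}

write_parameter_file() {  # $1 = output path, $2 = vault resource id
  cat >"$1" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serverName": { "value": "sqldemo-server" },
    "sqlAdminLogin": { "value": "sqladmin" },
    "sqlAdminPassword": {
      "reference": { "keyVault": { "id": "$2" }, "secretName": "$SECRET_NAME" }
    }
  }
}
EOF
}

# Guard: the secret parameter must be a Key Vault reference, never a literal value.
parameter_is_vault_reference() {  # $1 = parameter file
  grep -A1 '"sqlAdminPassword"' "$1" | grep -q '"reference"'
}

deploy_sql_server() {
  write_sql_template /tmp/sql-template.json
  write_parameter_file /tmp/sql-parameters.json "$(vault_id)"
  parameter_is_vault_reference /tmp/sql-parameters.json
  az deployment group create --resource-group "$RG" \
    --template-file /tmp/sql-template.json --parameters @/tmp/sql-parameters.json
}
```

The Operations Manager runs `ops_create_vault_and_secret < password.txt` and `ops_grant_deployer <object-id>`; the Deployment Engineer runs `deploy_sql_server` and only ever handles the vault's resource id and the secret name. `parameter_is_vault_reference` is cheap enough to run as a pipeline gate so a parameter file with a pasted-in `"value"` never reaches `az deployment group create`.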
