Hello, Siberians. Welcome to lesson Two points to off model to off this cost stated. Is that receiver one Microsoft Azure Architect Design?
Yeah, the concepts that will be covering in this video.
We'll start out by covering the differences between the management plane and it data plane off Azure Key Vote on Darby. Highlight into you best practices around Lee's privileged access to sensitive keys and secrets.
How don't cover the integration is that Microsoft as buttes between Azure key vote on order service is in azure on even beyond service is in hasher toe order. Microsoft Service is
finally I will talk about what managed identity. Ease the different types off managed identity on how it elves developers who needs to write courts that make use off secret keys and certificates that are starred in azure key Vote.
Let's get into these.
What asked to service tears the standard service here and the Premium service day, and we have to select the option that we want at the time of deployment.
bought off. The service stairs have similar functionalities
with the exception off one men difference
standards Every stairs Support on Lee Software Protected Keys.
Wow, the premium service here, Support bought the software and HSM protected kiss, which means the main advantage for going for the premium service there is not necessarily in terms of functionality bar in temps off compliance.
One of the key concepts to understand about azure key vote It's the separation between the management plane on the data plane.
So this understanding is very critical,
truly enforcing the principal off lease privilege for your key vote resources. What do I mean by this? On the right hand side, I have another key vote resource on under left inside. I have two rows within an organization security administrator on the application developer.
Security Administrator in this case is responsible for proper safekeeping off secret, while the application developer just simply wants to write their cord and write the applications to be able to make use off certain resources that are certain keys or secrets or certificates that may be starting the key vote.
So security administrator may require permission to be able to see the log in for kids secrets and certificate. Who is making calls for seven operations. Tow this different items,
while the application developer just simply needs to your eye or the codes to be ableto access. This items in the key votes
to be able to achieve the separation. What we can do is we can assign permission to the security administrator on the management plane, using row based access control that are, we give permission to the management plane off azure key votes that's in itself does not grant permissions into the data plane
or into the items that I start within the key vote. So that's great.
And then we can give the court that the application developers creating or wherever they run in the code we can give that access
into the data plane using something called access policy. That's our data. Plane access is controlled using access policy.
Let's talk about I just service's support that are negatively built in with azure key votes.
Let's start by talking about keys
so their sudden service is in Asia that I encrypted at rest
on dhe, the encryption key that they used by default on Microsoft manage Keys and Microsoft gives us,
in some cases the option to be able to use customer managed keys on. That is where your key vote comes in because for the service is that you can see on the screen. There's integration with azure key votes so that the key is that the years can be stored in a jockey vote
on dhe. The keys can be managed by the customer. So, for example, and I just average account
by default. It's encrypted
with makes off managed keys. What we can do is we can go ahead and just select a single option to switch that over to customer manage G, specify our as your give out on then give the storage account service permission to be able to retrieve the encryption key for Maja keyboard,
and that is managed by the customer. In this case,
the same goes for the other service is that you see on the screen now with something like a job disc encryption, which uses a bit locker if you're using windows and uses land crypt. If you're using Lennox, the keys for for the encryption can also be start directly into azure key vote.
Let's talk about secrets.
So there's also opportunity to be able to use customer manage secrets in this situation. So, for example, I sure showed us light earlier where whenever you're deploying the veteran machine. We can supply an administrative passwords that virtual mission would be using by simply passing
a key vote reference into a primate. A foul in azure ham template
on the same goes for the other cases that you see on the screen. So costume I can supply admin password for a sequel databases that it creates directly via azure key vote costume. I can supply secrets into azure. Did a factory scopes and customers can supply secret into as your community service is containers
when it comes to certificates
as your key votes supports. Set in service is to be able to retrieve certificates directly from azure key vote, and that is the case that you're seeing here. So service is like a jury. AP Management CDN Application Get way a. CZ your Web as your functions and as your community service is, containers
retrieved the certificates from azure key votes. So let's talk about azure key vote and manage service identity. So this is one of those topics I could have covered on the attractive directory.
I think that one of the most popular use cases off managed service identities, integration without your key vote, which is why I'm covering it in this section.
So take a situation, for example,
where I have an azure key vote
with my key secrets and suffocate in it.
And I have set in resources in Hodulik agile function as your virtual machine eyes your Web that Austin my coat on my court needs to be able to retrieve said in secret within the key vote.
The old way to go about that is our goto as your active directory, which is what I Jackie, what's trust and uses
on our create a service principle, which we have, um, Heidi on the key.
How then referenced the idea and the key in my coat,
which my code can then use the Heidi and the key to authenticate it against Azure active directory.
And once we not indicated skull, transform that into a talking, and then the talkin can be used to get access to the value off. The sacred or the key are the certificates that start in as your key vote, and that will be controlled van access policy.
So that's the way that that will have operated before we have managed service identity.
But what does that look like with managed service identity? Let's have a look.
So the same scenario. But in this case, what happens is my code is still running on Elijah Service provider and creating this service principle. I can simply associate
a managed identity with the service that my code is running him.
So what is allows me to do is that my court, when have I need to access that item in key votes, can simply make a local meta data call,
which will audit automatically authentic it against a joy. Haiti. On dhe, my court ends up getting to talk him, which can then be used. Toa access the item in the key votes. So you may be thinking, What's the difference between the differences that saves me from having to create a service principle on referencing
that service principle
within my coat on? Also, I have to manage the life cycle of the service principle. In this case, this is managed for me because I can simply associate on identity to my service where my court is running in and I can give the service permission to set an attempted in the key vote. So let's talk about the difference between system assigned
vessel issues. Assigned managed identity, decided types, off managed identities
that we have in Hazzard.
So take a situation where I have my code running across multiple resources as you can see on the screen.
If I'm gonna be using system assigned managed identity, there's more work to do.
So the 1st 1 on each designed needs toe associate system assigned. Manage identity, tow each resource where my quarters running on
Andi out, then needs to grant each system Assigned managed identity permissions is an access policies to the information and the key votes. This has to be done individually.
My coat can then make local meta data call to retrieve the talkin,
which can then be used to access the information in azure key vote.
In this scenario, what I've ended up doing is have ended abusing two system assigned managed identities onto access policies for the permissions. Now, if I let's they have 10 vessel sees,
that means I'll need 10 system assigned managed identities on 10 access policies to grant permission.
Now let's compare that against user assign managed identity.
So in this scenario, are simply after creates one user assign managed identity.
I can then associates that user assigned managed identity with my resources that are run in my court.
I can also simply give dishes assigned managed identity permission is an access policy into the information in the key votes.
It's the same scenario off my code makes a local meta data call to restrict talking,
which can then be used to access the information within the key votes.
But in this case, I've used a single user assigned managed identity on a single access policy, which means less management. Walk for me to do so you can see that use their sign, manage identity skills. Well, when you're talking about a scenario like this, let's do a quick review of what we've covered so far
with this cost an overview off azure key votes.
We also covered what a secret is, what keys and what its certificate is. As fast as your key vote is concerned,
we looked at the differences between the management plane on the data plain enough jerky vote on out that helps us to enforce the principal off this privilege.
We've done a view off Jules Service's integration that as your keyboard supports
and finally we've looked at azure key vote on managed identity