Key Vault

Task 1: Create a key vault
In this task, we will create a key vault.

1. Sign in the to the Azure portal and search for Key Vaults.
2. On the Virtual Networks page, click + Add.
3. On the Basics tab, fill out the required information. Discuss the Pricing tier selections, Standard and Premium. Premium supports HSM backed keys. Discuss Soft delete and Retention period.
4. Click Review and Create and then Create.
5. Wait for the new key vault to be created, or move to a key vault that has already been created.

Task 2: Review key vault settings
In this task, we will review key vault settings.

1. In the Portal, navigate to the key vault.
2. Under Settings, click Keys.
3. Click Generate/Import and review the Keys configuration information.
4. Under Settings, click Secrets.
5. Click Generate/Import, review the Secrets configuration information and click Create.
6. View the new Secret and note that keys support versioning.
7. Under Settings, click Certificates
8. Click Generate/Import and review the Certificates configuration information.

Task 3: Configure access policies
Note: To complete this demonstration you will need a non-privileged test user.
In this task, we will configure access policies and test access.

1. Continue in the Portal with your key vault.
2. Under Settings, click Access Policies.
3. Review the Enable access to choices: Azure Virtual Machines for deployment, Azure Resource Manager for template deployment, and Azure Disk Encryption for volume encryption.
4. Review the creator account Key Permissions. Note the Cryptographic operation permissions are not assigned.
5. Review the creator account Secret Permissions. Note the Purge permission.
6. Review the creator account Certificate Permissions.
7. Open the Cloud Shell with the Bash option. You should be signed in as a Global Administrator.
8. Use your key information to verify the secret you created in the previous task displays successfully for this role.

az keyvault secret show --name <secret_name> --vault-name <keyvault_name>'

9.In another browser tab, open the portal, and sign-in as the test user.
10.Open the Cloud Shell with the Bash option.
11.Verify that the secret does not display for the test user. Access is denied.

az keyvault secret show --name <secret_name> --vault-name <keyvault_name>

12.Return to the Global Administrator account in the portal.
13.Add the Key Vault Contributor role to you test user.
14.Try the test user's access. Access is denied.

az keyvault secret show --name <secret_name> --vault-name <keyvault_name>

15.Explain that adding the RBAC role grants access to the Key Vault control plane. It does not grant access to the
date in the Key Vault.
16.Return to your Key Vault and create an access policy.
17.Under Settings, select Access policies and then Add Access Policy.

• Configure from template (optional): Key, Secret, & Certificate Management
• Key permissions: none
• Secret permissions: Get, List
• Certificate permissions: none
• Select principal: select your test user

18.Be sure to Add your new access policy. And to Save your changes.

19.Try the test user's access. The user should now have access and the key should display.

az keyvault secret show --name <secret_name> --vault-name <keyvault_name>

20.As you have time, return to the Secret configuration settings and change Enabled to No. Be sure to save your
changes, then try access the key again.