Posts are in reverse order. The solution at the top. Introduction at the bottom 😉
ACS-Engine generates ARM Templates for setting up docker enabled clusters. Those ARM Templates contain sensitive information which can be abused when ending up in the wrong hands.
The Azure service KeyVault can be used to save the sensitive information and reference them from the template. The references would be useful to the Azure Resource Manager though wouldn’t provide the privileges for any other user to gain the information.
Storing the data in the KeyVault
Follow script to:
- Create a KeyVault.
- Store Password and Certificates in the KeyVault.
Updating ARM Template to reference keyvault secrets
Follow instructions on the script.
After updating all fields your azuredeploy.parameters.json should go from:
The differences can best be seen using a diff tool. [How to in VS Code]
Introduction to ARM
ARM Templates provide a simple solution to regenerate a whole infrastructure on the Azure Cloud. For a company, this means that they have an automatable, quickly reproducible infrastructures, that will work each time. ✌
Though that said, we need to keep in mind that the ARM Templates will require sensitive data like certificates, azure active directory creds (clientID, clientSecret) and other information needed for the infrastructure setup. To solve this problem Azure provides the KeyVault service, in which you can store the sensitive data and refer them from the ARM Templates.
Sensitive data in ACS Engine generated Templates
The templates generated from
acs-engine generate command contain the sensitive information listed below:
These data will be present in the file
azuredeploy.parameters.json. The certificates and keys will be generated in the same folder.
To securely store the
azuredeploy.parameters.json file in a repository we need to store this information in the KeyVault and refer them from the templates.