Let's take a look at a pretty important capability in Azure, which is Key Vault. Specifically, I want to talk about using the Key Vault API, so I can integrate Key Vault with my applications. What we're going to talk about here, pretty straightforward: first of all, we'll talk about what Azure Key Vault is, in very broad terms. We'll talk about the API for integrating with Azure Key Vault. Again, that's actually going to be fairly quick as well, because let's go ahead and take a look at actually interacting with the Azure Key Vault.

To start out, what I want to do is take a look at what Key Vault actually is. We're going to whiteboard this out. Here's the idea. I have my application. I've got some application. That application is inevitably going to have some sensitive information. For example, let's say that I've got a storage account over here in Azure. Let's say that I also have a database that I need to connect up to. Let's say I've got a MySQL, which will be official for this: Azure DB for MySQL, and I need to connect to both of these. Well, inevitably somewhere, I'm going to have a connection string. Oftentimes, we could have StorageConnect. We have DBConnect, and somewhere, somehow, those are going to be stored in plain text. Worst case, they could be embedded in the file, or they could be in a configuration file associated with the file that's maybe plain text, or maybe a little bit better than that, you're doing it through Azure, but it's still at some point accessible information.

What would be really cool is if I could have this third-party secured system, and, I don't know, we'll call it Key Vault. I could simply store my sensitive information here instead. Now, instead of the app having that information, the app's going to have to go whenever it needs it. It's going to have to get that information, but that's fine, because a few things about Key Vault: first of all, it is encrypted. It is controlled both by RBAC and by specific access policies, so you are not getting to that data unless you have the rights to get to it, and it can be audited as well. Now, I've got this centralized location for storing this sensitive data, and I have the kinds of capabilities that you would expect for this. By the way, another capability here is that it can be stored with an HSM, hardware security module. You really have the highest level of security that you're going to find.

Now, what information can actually be stored here? There's really three different types of information that can be stored in the Key Vault, and they are the following. First of all, I can install or store, excuse me, certificates in Key Vault. In fact, I can actually use Key Vault to generate certificates. I can also have keys. Now, these are key files, specific-structure key files, and then I have secrets. Secrets are really just information that has a name, and it's encrypted, and it's stored. So, for example, these connection strings here in this example would both be secrets.

Now, in terms of the API, and I'm going to show you really not the direct API, I'm going to show you the SDK that's available within the .NET environment, not surprisingly, if you've seen any of my other demos. There is, however, an API. It is a REST API, and what that means is that you can access the sensitive information that is in your Key Vault through REST API calls. So, it's universal. Clearly, of course, you would have to go through the process of authenticating, of getting the appropriate tokens to get access, making sure that whatever account you use to get that has the appropriate access policy to get in and to interact with your Key Vault.

So, that's cool, and in terms of what you can do, well, pretty much what you would expect with data, right? If you want to think about the CRUD operations, CRUD: I need to be able to create, I need to be able to read out of there, I need to be able to update sensitive data so as connection strings change, as they should over time, go in there and update that, and I need to be able to delete these. So, these are all functions that are standard for any kind of data; sensitive data is no different, and these are all available within your Key Vault.

And just kind of as an aside, this is something that for me is tremendously useful. Let's say, for example, that you've got the storage account, and you've got a number of services, APIs, maybe, probably functions wouldn't be so applicable here, but web applications, and they're all interacting with this one storage account. Well, you periodically want to update the keys to the storage account, because you want to make sure that's standard security practice. Well, rather than having to go around to all of these different systems and update the key, if I store the connection string or the key for the storage account in Key Vault, all I need to do is go and update Key Vault, and then make sure that all of these systems are getting that data from Key Vault. And then that way I've got a secure system, but I also have a system that can be centrally updated. I use that for a number of things, kind of a growing number of parameters that I typically use in deployments. I'm just putting them in Key Vault. I know it's secure. I know it's centralized, and it dramatically simplifies the process for me of interacting with my content and my parameters for a lot of deployments that I do.

All right, now what I want to do is go through and kind of demonstrate the way that you would implement a Key Vault solution, or implement Key Vault into a solution. So without further ado, let's take a look. I have a brand new web application. This is an ASP.NET, ASP.NET Core, MVC web application. It's completely plain, out of the box. And if I run this, I'm not going to run it, but it's going to come up with that very plain page.

And what I'm going to do here is, I could, let's say I have a connection string. I could go in here and let's say I go into Index, and whether I pulled that connection string out of a configuration file or, even worse, I have it hard-coded, that really is a bad way to store a connection string, because now I've got my sensitive information and it's in some kind of plain text format. Well, what I want to do is go ahead and add some SDKs. I'm going to add two different SDKs to this application. And the first one is not Key Vault. The first package that I'm adding, this is a NuGet package, right? Microsoft.Azure.Services.AppAuthentication. What that's going to do is support a web app authenticating with a service or with a managed identity, because what I'm going to end up doing is giving the managed identity the rights to my Key Vault, where I'm going to store some data; actually, I already have some data stored. Now, the other NuGet package, another SDK, if you will, that I want to add is in fact for Key Vault. I'm going to add the package for Key Vault. So that's cool. Now I'm going to go back in and I'm going to add a bit of code. First of all, I'm going to add some using statements into my code. And that's just so that I can use Key Vault within my Index. That properly formatted. That is the name of the Key Vault.

Before I go any farther, let's take a look at that Key Vault. I have a Key Vault and this is the name of the Key Vault. And it has keys. You can see keys, secrets, certificates. The only thing that I have added to this is a secret. And that's what we're going to use for demonstration. But understand, the basic process that I'm using for the secret would be useful for the key and the certificate as well. If I go into this secret, I see I have a version of the secret and I can actually even show the secret. So, "this connection brought to you by Key Vault." So I've got this information and of course I have a way to do this. And I'm going to use this to create a web application. So I'm going to go and start from scratch, create a web application, give it a name that should be unique. It's going to be code. We are going to run this in Windows just because that's the last one I did. Worked fine in Linux as well. And the Windows plan, let's create a new, no, that's okay. S1, it's all good. Next, I don't want any monitoring. Review and create. All right, so as you can see, this is, oop, forgot something: runtime stack .NET Core 2.2. All right, very nothing behind the scenes. I have created a web app.

Now what I'm going to do is code up the rest of what I want to code up to actually use that web app. All right, so I'm going to put in a try here and go down here and put in a try-catch. This is just exception handling, if you're not a developer. It's going to be KeyVault, and was that KeyVaultErrorException. And I'm not actually going to do anything with it. But if you were doing this for real, it would be a very good idea to actually make sure that you are doing something with that Key Vault exception. All right, now what I'm going to do is, first, I'm going to go ahead and set up a client token. Okay, now that is from that AppAuthentication. And I'm just creating a new AppAuthentication token provider. And then I'm going to go ahead and open up a Key Vault client. And this gets a bit more complex. Let's see here. There we go. It's entirely possible. Watch how fast I typed this. And let's, I'll see. Clearly, of course, I didn't type that.

But here's what I have: I am creating a new Key Vault client. Now I am using, remember the SDK, the Key Vault SDK, I'm creating a new client. And I'm specifying my authentication callback for it. And just pulling back a Key Vault, these are all kind of just very standard out-of-the-box settings for a Key Vault; you can of course do more. And then the really important line here is to retrieve something from that Key Vault. And if you blink, you'll miss it. Okay. And let's see, what did I miss? I missed something. Oh, I have no await. And that isn't an await. I need to convert this to an async. Async for this action. There we go. All right. And so I want to use that client. And I'm going to get the secret. Now the secret is going to come from this URL, or URI. It's not really URL, it's URI. All right. And Key Vault is the name of my Key Vault up here. And I just pop that in: .vault.azure.net/secrets/connection. And this is really key. It makes things really simple, right? This is a secret. So of course, it's under secrets. If it was a key, if it was a certificate, then of course, I would use a slightly different URI. And so that pulls back the secret.

And then the next step is pretty simple. I'm going to take that connection, which did have a very bad value, very bad way of setting the value. And I'm going to replace it with the value that I pulled back from that secret. So now I'm using the API via the .NET SDK to retrieve the data. Now in addition to retrieving data, I can also set data. So that's a read operation. But I can very easily go in and put in a write. So now instead of GetSecretAsync, I'm simply SetSecretAsync. I'm using the same basic URI. And I'm setting a secret named secret time. And then I'm giving it some value. In this case, it's just the secret time when it's set and where it's set from. And then I'm going to set the secret time. And the last thing that I'm going to do here is actually not going to do that there. I'm going to do this here. I will change it up a little bit just in case we get that error. So it's not just blank there. We'll put that in. So it should be ex.

And finally, what I want to do in either case, I'm going to set something called ViewBag. This is just going to let me pass this value forward so that I can use it. What's really important here, of course, is not what I'm doing at the, you know, ASP.NET Core MVC level, but what I'm doing with lines 22, where I'm going to create a service token, because I'm going to use a managed identity. I get my Key Vault client. And then I'm really, once I have the Key Vault client, I'm interacting with it, right? I retrieve data, I set data, right? And then I check to see if I have errors. All right. Now the next thing I want to do is actually use this a little bit. I'm going to go to my Index here and replace that with this. So I just, very simple thing, I'm pulling and showing that secret. So let's go ahead and save this and then debug it. So if it comes up correctly. And now notice what this does is comes up and says, here's your secret connection: "Operation returned an invalid status code 'Forbidden'." That's fine because I don't have a service identity right now. So what I'm going to do, that was in fact the expected and hoped-for outcome. Okay.

Now what I want to do is go ahead and publish this up to Azure. So the first thing I'm going to do is, I'm going to publish this. Now that publishes it locally. And then up here to publish. Push to my web app and deploy. Now while that's deploying, so as I don't waste too much of your time, I'm going to pop over, let that deploy, but I need to make a change to my web app. I need to go in and first of all, I'm going to do my web app. As I think about it, I am going to wait for that because I don't want to try to upload and assign an identity at the same time. But the good news is, it has finished. So the deployment finished. And now I can actually save this. So it's going to say, do you really want to do this? And the answer is yes. In fact, I do. All right. So now I have a system identity for this, but that doesn't give this application rights to Key Vault yet.

So I'm going to go in. I'm going to pop into Key Vault. And Key Vault has access policies. I'm going to go into access policies. And I'm going to add a new access policy. I'm going to select a principal. And that's going to be Iany AZ. It should come up pretty quickly there. Oh, well, let's see here, AZ. I thought that was going to be so easy. Let's double check. Oh, it's Iany WA. That's why. It turns out I can't add a policy for something that doesn't exist. There we go. So this is the managed identity for my web app. I'm going to select that. And notice, I can set permissions for keys, secrets, and certificates. And I really want to set this for the lowest level. But I'm going to have the ability to Get, to List, and also to Set, because it wants to update a secret as well. And then I'm going to go ahead and hit OK. All right. So now my web app has rights in Key Vault, has the rights that it should need. I have a web app. Nowhere in the web app do I have the actual sensitive information. You saw, if I saved this before I tried to move off of it. All right. So let's pop in there. And go in, browse. And here we have the data. It came through pretty quickly. And if you look, you can see "this connection brought to you by Key Vault", which if you recall is the data that was in Key Vault.

And that is to go back and take a look at Key Vault, because not only did I retrieve my connection, but I also wrote data back to the server, back to the Key Vault. And I want to show it. I can see the secret time is now the time on the server and the name of the server that sent it, which again, it's kind of obviously somewhat goofy information. All right. One thing I want to point out, I used sort of goofy information in terms of both retrieving the data and setting the data. And I did that on purpose. Right. This is pretty universal. Any kind of connection string that you have, it's going to, I mean, any connection string I have in anything near production, I'm storing in Key Vault. It's as simple as that, right? Because I can store the data in Key Vault. I can have extremely tight control over access to it. I can grant my web apps, or any other app that has a service identity, a service principal or managed identity, I can grant that the appropriate rights. Right. And then I've got a really safe system. Okay. And so, you know, whatever it is, any sensitive data.

And that's why, you know, I initially was going to do an example where I've got a connection string to a storage account. And I can pull the connection string from the storage account and then use it. But that's really about the storage account. This is about Key Vault. This is about being able to go in, store your sensitive data, trust that, control it and audit it. I definitely recommend, beyond any sort of prepping for any kind of exam, that this is a feature of Azure that you absolutely want to take a look