0

I am able to get a connection string for a FileShare I created in a Azure storage account. I can use this in a PowerShell script. However, the connection sting provided by Microsoft contains the access key. I would like to mask this and have the connection string use the Azure Key Vault. How would I do this?

$connectTestResult = Test-NetConnection -ComputerName [FileShare] -Port 445 if ($connectTestResult.TcpTestSucceeded) { # Save the password so the drive will persist on reboot cmd.exe /C "cmdkey /add:[FileShare]" /user:"[user]" /pass:"[password]"" # Mount the drive New-PSDrive -Name Z -PSProvider FileSystem -Root "[FileSharePath]" -Persist } else { Write-Error -Message "Error" }
Nick.Mc
  • 18,304
  • 6
  • 61
  • 91
Bill Donofrio
  • 21
  • 2
  • Could you describe what sort of application you have that is trying to access the file share? There are a number of ways this could be done that really vary (ideally) based on how you're trying to access storage. If this is a persistent connection string, better to store the whole thing as a secret but from what sort of app matters. There's also Key Vault-managed Storage keys, though RBAC permissions are recommended by the service team. – Heath Jul 14 '21 at 22:24
  • $connectTestResult = Test-NetConnection -ComputerName [FileShare] -Port 445 if ($connectTestResult.TcpTestSucceeded) { # Save the password so the drive will persist on reboot cmd.exe /C "cmdkey /add:`[FileShare]`" /user:`"[user]`" /pass:`"[password]`"" # Mount the drive New-PSDrive -Name Z -PSProvider FileSystem -Root "[FileSharePath]" -Persist } else { Write-Error -Message "Error" } – Bill Donofrio Jul 16 '21 at 14:40
  • I am trying to add a secret to the above Powershell command. I should be able to store the username and password in Azure Key Vault and then reference them as variables. I can then add the variables to this command. – Bill Donofrio Jul 16 '21 at 14:42
  • If you already have the connection string, why not just ACL the startup script so that only Admins and SYSTEM can read and execute it? Any event logs that might show it would also require admin privileges. At some point, a user token or password to connect to Key Vault is going to be required with an on-prem machine (Azure VMs can use system identities). Even authenticating SYSTEM against Azure would store the bearer token in the SYSTEM profile, so any admin would have access to it. – Heath Jul 27 '21 at 05:28
  • I guess you would use something like this to get the secret then use it https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-powershell – Nick.Mc Aug 01 '21 at 07:52

1 Answers1

0

No, it is not possible. A cloud service is a VM, it is not an application that can consume connection strings.

If you have a continuous integration server,

Before your app is deployed into the cloud service, run a script that changes the value of the connection string which contains the value that you want to have in it, and after that deploy the app to the cloud. In this way, the connection string can be only visible in your CI server and not in your code.

Referred from this thread

Other possibilities to secure storage account.

  • Making use of Shared Access Signatures (SAS) and using expiry and defining Stored access policies (RBAC) to protect your data can help .
  • One can regenerate storage account keys regularly by defining a managed storage account to keep the storage account secure.
  • Role assignments must be scoped to the level of the storage account or higher to permit a user to allow or disallow Shared Key access for the storage account.
  • One can set access to only particular IP address range that are specific.

Refer this to see how deploy managed storage account.

References:

storage-keys-powershell

Using SAS/RBAC

security-recommendations

kavyaS
  • 8,026
  • 1
  • 7
  • 19