Azure – You can now use a Key Vault extension with your Azure Virtual Machines

This is something that will simplify your life: the Key Vault extension for Azure Virtual Machines.

With this extension, applications running on your Azure Virtual Machines get simpler access to certificates stored in Azure Key Vault: the extension polls the vault and installs the observed certificates into the local certificate store for you.

The Key Vault extension supports the following operating systems:

  • Windows
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012
  • Linux
    • Ubuntu 16.04
    • Ubuntu 18.04
    • Debian 9
    • SUSE 15

The extension can only be installed either with an ARM template when deploying the virtual machine, or with PowerShell/Azure CLI to deploy it on existing virtual machines.

PowerShell deployment for Windows machines

Don't forget that you can use the Cloud Shell.

#Construct the Key Vault settings (replace the <placeholders> with your values)
$settings = '{"secretsManagementSettings":
     { "pollingIntervalInS": "' + <pollingInterval> +
     '", "certificateStoreName": "' + <certStoreName> +
     '", "certificateStoreLocation": "' + <certStoreLoc> +
     '", "observedCertificates": ["' + <observedCerts> + '"] } }'
$extName = "KeyVaultForWindows"
$extPublisher = "Microsoft.Azure.KeyVault.Edp"
$extType = "KeyVaultForWindows"

#Deploy the extension
Set-AzVmExtension -TypeHandlerVersion "1.0" -ResourceGroupName <resource group of your virtual machine> -Location <Azure region of the virtual machine> -VMName <your virtual machine> -Name $extName -Publisher $extPublisher -Type $extType -SettingString $settings

If you need to deploy it on a Virtual Machine Scale Set:

#Construct the Key Vault settings (replace the <placeholders> with your values)
$settings = '{"secretsManagementSettings":
     { "pollingIntervalInS": "' + <pollingInterval> +
     '", "certificateStoreName": "' + <certStoreName> +
     '", "certificateStoreLocation": "' + <certStoreLoc> +
     '", "observedCertificates": ["' + <observedCerts> + '"] } }'
$extName = "KeyVaultForWindows"
$extPublisher = "Microsoft.Azure.KeyVault.Edp"
$extType = "KeyVaultForWindows"

#Add the extension to the scale set model
$vmss = Get-AzVmss -ResourceGroupName <resource group of your scale set> -VMScaleSetName <your scale set name>
Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name $extName -Publisher $extPublisher -Type $extType -TypeHandlerVersion "1.0" -Setting $settings

#Deploy the extension by updating the scale set
Update-AzVmss -ResourceGroupName <resource group of your scale set> -VMScaleSetName <your scale set name> -VirtualMachineScaleSet $vmss

PowerShell Deployment for Linux machines

#Construct the Key Vault settings (replace the <placeholders> with your values)
$settings = '{"secretsManagementSettings":
     { "pollingIntervalInS": "' + <pollingInterval> +
     '", "certificateStoreName": "' + <certStoreName> +
     '", "certificateStoreLocation": "' + <certStoreLoc> +
     '", "observedCertificates": ["' + <observedCerts> + '"] } }'
$extName = "KeyVaultForLinux"
$extPublisher = "Microsoft.Azure.KeyVault.Edp"
$extType = "KeyVaultForLinux"

#Deploy the extension
Set-AzVmExtension -TypeHandlerVersion "1.0" -ResourceGroupName <resource group of your virtual machine> -Location <Azure region of the virtual machine> -VMName <your virtual machine> -Name $extName -Publisher $extPublisher -Type $extType -SettingString $settings

And the same for the scale set deployment:

#Construct the Key Vault settings (replace the <placeholders> with your values)
$settings = '{"secretsManagementSettings":
     { "pollingIntervalInS": "' + <pollingInterval> +
     '", "certificateStoreName": "' + <certStoreName> +
     '", "certificateStoreLocation": "' + <certStoreLoc> +
     '", "observedCertificates": ["' + <observedCerts> + '"] } }'
$extName = "KeyVaultForLinux"
$extPublisher = "Microsoft.Azure.KeyVault.Edp"
$extType = "KeyVaultForLinux"

#Add the extension to the scale set model
$vmss = Get-AzVmss -ResourceGroupName <resource group of your scale set> -VMScaleSetName <your scale set name>
Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name $extName -Publisher $extPublisher -Type $extType -TypeHandlerVersion "1.0" -Setting $settings

#Deploy the extension by updating the scale set
Update-AzVmss -ResourceGroupName <resource group of your scale set> -VMScaleSetName <your scale set name> -VirtualMachineScaleSet $vmss
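Building the settings JSON by string concatenation, as in the snippets above, makes it easy to ship a malformed payload that only fails once the extension tries to provision. As an added example (not code from the original post), here is a helper that builds the same secretsManagementSettings document from a hashtable and validates the observed certificate URLs before deployment. The vault name, resource group, region, VM name and the URL pattern are assumptions; the publisher and type strings are the ones the post uses.

```powershell
# Added example: build the extension settings from a hashtable and serialise them
# with ConvertTo-Json, so a missing quote or bracket surfaces here, not on the VM.
function New-KeyVaultExtensionSettings {
    param(
        [Parameter(Mandatory)][string[]]$ObservedCertificates,
        [int]$PollingIntervalInS = 3600,
        [string]$CertificateStoreName = 'MY',
        [string]$CertificateStoreLocation = 'LocalMachine'
    )
    foreach ($url in $ObservedCertificates) {
        # Assumed shape of a Key Vault secret URL: https://<vault>/secrets/<name>[/<32-hex version>]
        if ($url -notmatch '^https://[^/]+/secrets/[^/]+(/[0-9a-f]{32})?$') {
            throw "Not a Key Vault secret URL: $url"
        }
        # A versioned URL pins the VM to that one version, so a certificate renewed
        # in the vault would never be picked up by the polling loop.
        if ($url -match '/[0-9a-f]{32}$') {
            throw "Use the versionless URL so rotation reaches the VM: $url"
        }
    }
    $settings = @{
        secretsManagementSettings = @{
            pollingIntervalInS       = "$PollingIntervalInS"
            certificateStoreName     = $CertificateStoreName
            certificateStoreLocation = $CertificateStoreLocation
            observedCertificates     = @($ObservedCertificates)
        }
    }
    return ($settings | ConvertTo-Json -Depth 4 -Compress)
}

# Constructed sample values: the vault "contoso-kv" and the secret names are made up.
$settings = New-KeyVaultExtensionSettings -ObservedCertificates @(
    'https://contoso-kv.vault.azure.net/secrets/web-tls',
    'https://contoso-kv.vault.azure.net/secrets/api-tls'
)
$settings   # shows the compact JSON that is passed as -SettingString

# Deploy with the same cmdlet as the post; resource group, region and VM name are assumptions.
Set-AzVMExtension -TypeHandlerVersion '1.0' `
    -ResourceGroupName 'rg-web' -Location 'westeurope' -VMName 'vm-web-01' `
    -Name 'KeyVaultForWindows' -Publisher 'Microsoft.Azure.KeyVault.Edp' `
    -Type 'KeyVaultForWindows' -SettingString $settings
```

The extension authenticates to the vault with the virtual machine's managed identity, so the certificates only arrive on the VM once that identity has been granted Get on secrets in the vault; the extension itself holds no credential of its own.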

2 thoughts on “Azure – You can now use a Key Vault extension with your Azure Virtual Machines”

    1. Hi Scott
      I’m obviously not a Linux expert but back when I was studying this would have been /etc/ssl/certs and /etc/ssl/private
