diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md index 06fda623b..7d9dab0c0 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md @@ -31,7 +31,7 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen ![image](./img/4_Create_Secret.png) -### Task 3: Call the secret without providing any credentials +### Task 3 (Linux): Call the secret without providing any credentials 1. Connect via SSH to the Virtual Machine *microhack-arc-servers-lin01*. @@ -41,7 +41,6 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen sudo -i ``` - 3. Install your favorite JSON parser. In this example we will use jq. ``` @@ -50,7 +49,7 @@ apt-get -y install jq 4. Request an access token for the Key Vault using the following command: -``` +```shell ChallengeTokenPath=$(curl -s -D - -H Metadata:true "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com" | grep Www-Authenticate | cut -d "=" -f 2 | tr -d "[:cntrl:]") ChallengeToken=$(cat $ChallengeTokenPath) if [ $? -ne 0 ]; then 
@@ -60,11 +59,44 @@ else fi ``` -`โ—Hint: The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` + > **Note** + > For Windows machines you can use the following command: + +```powershell + Function Get-AzureArcToken { + [cmdletbinding()] + param( + [string]$ResourceURI + ) + # Build up URL + $SafeString = [System.Net.WebUtility]::URLEncode($ResourceURI) + $URI = "http://localhost:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource={0}" -f $SafeString + # Get Arc API Token + try { + Invoke-WebRequest -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true" } -Verbose:0 + } + catch { + $script:response = $_.Exception.Response + } + + # Extract the path to the challenge token + $tokenpath = $script:response.Headers["WWW-Authenticate"].TrimStart("Basic realm=") + + # Read the token + $token = Get-Content $tokenpath + + # Acquire and return Access Token + Invoke-RestMethod -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true"; Authorization = "Basic $token" } + } +``` + + +> **โ—Hint:** +> The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` 4. Verify that you received an access token using the following command: -``` +```shell token=$(echo "$AccessToken" | jq -r '.access_token') echo $token ``` 
@@ -72,14 +104,35 @@ You should see the access token in the output. In addition, the result is saved 5. Now, it's time to call the Azure Key Vault instance to retrieve the secret from the previous task. -``` +```shell curl 'https://mh-arc-servers-kv0815.vault.azure.net/secrets/kv-secret?api-version=2016-10-01' -H "Authorization: Bearer $token" ``` -`โ—Hint: Please make sure to call your instance of Key Vault and adjust the name in the above command accordingly.` +> **โ—Hint:** +> Please make sure to call your instance of Key Vault and adjust the name in the above command accordingly. ![image](./img/5_result_secret.png) + > **Note** + > For Windows machines you can use the following command: + +```powershell + # Get an Azure KeyVault Access Token with new Function + $AccessToken = Get-AzureArcToken -ResourceURI 'https://vault.azure.net' + # Setup Query Attributes + $Query = @{ + # URI of the specific secret we want + Uri = "https://mh-arc-servers-kv2212.vault.azure.net/secrets/test?api-version=7.1" + Method = "Get" + Headers = @{ + Authorization = "Bearer $($AccessToken.access_token)" + } + } + + # Retrieve Secrets + Invoke-RestMethod @Query | Select-Object -ExpandProperty Value | fl * +``` + Congratulations! You retrieved the secret from your Key Vault without providing any credentials. The resulting possibilities are limitless. You can use it for managing certificates or any secret that is necessary to run your on-premises application. -You successfully completed challenge 3! ๐Ÿš€๐Ÿš€๐Ÿš€ \ No newline at end of file +You successfully completed challenge 3! ๐Ÿš€๐Ÿš€๐Ÿš€ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md index 12d285f96..2133583ab 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md 
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md @@ -72,7 +72,17 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu ### Create the Machine Configuration as Azure Policy -1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions. +1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions. + + > **Warning** + > The following commands cannot be run from Azure Cloud Shell! Please use a local Powershell. + > To install the required modules use: + > ```powershell + > Install-Module -Name Az -Repository PSGallery -Force + > Install-Module -Name GuestConfiguration -Repository PSGallery -Force + > ``` + + > **Note** > You will need at least the *Storage Blob Data Contributor* role to be able to upload the file. @@ -103,7 +113,7 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu $sas = New-AzStorageBlobSASToken -Context $ctx -Container $containerName -Blob $fileName -Permission r -ExpiryTime $expiratioNDate -FullUri ``` -2. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions. +3. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions. > **Note** > Depending on your machine configuration, this might need to be executed with local administrative privileges. ```powershell 
@@ -129,8 +139,8 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu # Create new policy from definition file New-AzPolicyDefinition -Name $name -Policy $configurationPolicy.Path -ManagementGroupName $tenantID ``` -3. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below. +4. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below. ![PolicyAssignmentRemediation.png](./img/PolicyAssignmentRemediation.png) -4. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ``` \ No newline at end of file +5. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ```
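Review bot: The heading rename to "Task 3 (Linux)" in hunk `@@ -31,7 +31,7 @@` leaves the Windows path without a task of its own: the Windows equivalents are added further down as `> **Note**` blocks inside the Linux numbered steps, so a reader on Windows still has to walk past the `sudo -i` and `apt-get -y install jq` steps to find them. Either add a matching "Task 3 (Windows)" section that holds the PowerShell steps, or add one sentence under the heading telling Windows users to skip to the Note blocks.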
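Review bot: In hunk `@@ -50,7 +49,7 @@` the fence under "4. Request an access token" is now tagged `shell`, but the next step in the same file is also numbered 4 ("4. Verify that you received an access token"), so the list reads 1, 2, 3, 4, 4, 5. Since the step lines are already being touched in this file, renumber the verify step to 5 and the Key Vault call to 6.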
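Review bot: In hunk `@@ -60,11 +59,44 @@`, `$script:response.Headers["WWW-Authenticate"].TrimStart("Basic realm=")` does not strip the prefix: `String.TrimStart` takes a set of characters and removes any leading run of them, so it only works here because the token path happens to start with a character outside the set (an uppercase `C`). Use `-replace '^Basic realm=', ''` (or `.Substring("Basic realm=".Length)`) so the intent is explicit. Two related robustness points: `$script:response` is only assigned inside `catch`, so if the first request does not throw, or a stale script-scoped value exists from an earlier call, the function reads the wrong path; initialise `$response = $null` at the top and fail with a clear message when the `WWW-Authenticate` header is missing. Also, the Hint blockquote still ends with a stray backtick after "to Azure." left over from the old inline-code form, and the `powershell` fence sits outside the `> **Note**` quote while its lines are indented by four spaces, which renders as an indented block rather than a fenced one; either move the fence inside the quote or drop the indentation.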
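Review bot: In hunk `@@ -72,14 +104,35 @@` the Windows example queries `https://mh-arc-servers-kv2212.vault.azure.net/secrets/test?api-version=7.1`, while the Linux step just above it calls `mh-arc-servers-kv0815.vault.azure.net/secrets/kv-secret?api-version=2016-10-01` and the task text says to retrieve "the secret from the previous task". Use the same vault placeholder and the secret name `kv-secret` in both so the Hint ("adjust the name in the above command accordingly") applies to exactly one value, and pick one Key Vault `api-version` for both examples. Minor: `Select-Object -ExpandProperty Value | fl *` pipes a plain string into `Format-List`, which adds nothing; `Invoke-RestMethod @Query | Select-Object -ExpandProperty Value` is enough.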
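Review bot: In hunk `@@ -72,7 +72,17 @@` (challenge-5), the first `-`/`+` pair for "1. You will need to upload the zip file..." shows no visible change and looks like a trailing-whitespace edit; drop it to keep the diff to the Warning block. In that block, `Install-Module -Name Az -Repository PSGallery -Force` and the `GuestConfiguration` line install for all users and therefore need an elevated session; adding `-Scope CurrentUser` avoids requiring admin just to install the modules, which fits the later Note that only the policy step "might need to be executed with local administrative privileges". Also "local Powershell" should read "local PowerShell".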
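Review bot: Hunk `@@ -103,7 +113,7 @@` only renumbers the step from 2 to 3, but since the line is rewritten anyway, fix the article and the product name in the same line: "use an Azure Policy" and "the following PowerShell block". Renumbering 2 to 3 also assumes a step 2 exists in the unchanged region between the Warning and this line; please confirm in the rendered preview that the unindented blockquotes and fences between the items do not restart the list, so the steps show as a contiguous 1 to 5.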
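Review bot: In hunk `@@ -129,8 +139,8 @@` the verification step tells the reader to open `regedit.exe` and browse to `HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\`, but that is the PowerShell registry-provider path; in regedit the tree reads `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment`. Either show the regedit form, or replace the regedit instruction with a PowerShell check such as `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'`, which matches the tooling used throughout the challenge. While touching the line: "If thats the case" should be "If that's the case", and the padded triple-backtick inline code (``` regedit.exe ```) should be single backticks. Adding the missing newline at end of file is a welcome fix.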