From 18b6e5c352697eed754638d039414b067eeca450 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Th=C3=B6nes?= <34335918+cthoenes@users.noreply.github.com> Date: Fri, 7 Jul 2023 14:33:06 +0200 Subject: [PATCH 1/4] Update solution.md Adding Warning for Guest Configuration PowerShell cannot be run from Azure Cloud Shell. --- .../walkthrough/challenge-5/solution.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md index 12d285f96..f3adcdf46 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md @@ -72,7 +72,12 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu ### Create the Machine Configuration as Azure Policy -1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions. +1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions. + + > **Warning** + > The following commands cannot be run from Azure Cloud Shell! Please use a local Powershell. + + > **Note** > You will need at least the *Storage Blob Data Contributor* role to be able to upload the file. 
@@ -103,7 +108,7 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu $sas = New-AzStorageBlobSASToken -Context $ctx -Container $containerName -Blob $fileName -Permission r -ExpiryTime $expiratioNDate -FullUri ``` -2. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions. +3. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions. > **Note** > Depending on your machine configuration, this might need to be executed with local administrative privileges. ```powershell @@ -129,8 +134,8 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu # Create new policy from definition file New-AzPolicyDefinition -Name $name -Policy $configurationPolicy.Path -ManagementGroupName $tenantID ``` -3. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below. +4. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below. ![PolicyAssignmentRemediation.png](./img/PolicyAssignmentRemediation.png) -4. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ``` \ No newline at end of file +5. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ``` 
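Review bot: In patch 1/4 (challenge-5/solution.md, hunk @@ -72,7 +72,12 @@), the new warning says the commands cannot be run from Azure Cloud Shell but not why; one clause naming the prerequisite Cloud Shell lacks would stop readers from trying anyway. The hunk adds only a warning and a note, no new step, yet the following two hunks renumber the remaining items from 2, 3, 4 to 3, 4, 5; confirm that an item 2 really exists in the unchanged region between lines 79 and 102, otherwise the list jumps from 1 to 3. Also "Powershell" should read "PowerShell".

Review bot: In hunk @@ -103,7 +108,7 @@ the step text is rewritten anyway, so fix "use a Azure Policy" to "use an Azure Policy" and "Powershell Block" to "PowerShell block" while touching the line.

Review bot: In hunk @@ -129,8 +134,8 @@ the renumbered step 5 still reads "If thats the case"; make it "Once that is the case" and change "browse" to "browsing". The path `HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\` is PowerShell registry-drive notation, which `regedit.exe` does not understand; since the step tells readers to open regedit, show `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment`, or turn the step into a `Get-ItemProperty` call on the `HKLM:` path so the verification can be scripted.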
From 456c1b5b15c3772c36aa437285ac216c70e9709c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Th=C3=B6nes?= <34335918+cthoenes@users.noreply.github.com> Date: Fri, 7 Jul 2023 14:54:15 +0200 Subject: [PATCH 2/4] Update solution.md Extend the Warning to include the needed PowerShell Module Install Commands. --- .../walkthrough/challenge-5/solution.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md index f3adcdf46..2133583ab 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md @@ -76,6 +76,11 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu > **Warning** > The following commands cannot be run from Azure Cloud Shell! Please use a local Powershell. + > To install the required modules use: + > ```powershell + > Install-Module -Name Az -Repository PSGallery -Force + > Install-Module -Name GuestConfiguration -Repository PSGallery -Force + > ``` > **Note** From 5256a5e64a54290985bf3479561dc052616e17ef Mon Sep 17 00:00:00 2001 From: Nils Bankert Date: Fri, 7 Jul 2023 15:19:31 +0200 Subject: [PATCH 3/4] Challenge 3 changed Added Windows Command for Arc --- .../walkthrough/challenge-3/solution.md | 63 +++++++++++++++++-- 1 file changed, 57 insertions(+), 6 deletions(-) diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md index 06fda623b..8223810d0 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md 
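Review bot: In patch 2/4 (challenge-5/solution.md, hunk @@ -76,6 +76,11 @@), `Install-Module -Name Az -Repository PSGallery -Force` and the matching `GuestConfiguration` line install whatever version the gallery serves at the time, and `-Force` suppresses the untrusted-repository confirmation. For a walkthrough that readers paste into a local session, pin `-RequiredVersion` on both modules so the instructions stay reproducible and the code that gets installed is the code the authors tested, and add `-Scope CurrentUser` so the step does not require an elevated shell; the file's later note that some commands "might need to be executed with local administrative privileges" makes it worth stating which scope this install targets.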
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md @@ -31,7 +31,7 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen ![image](./img/4_Create_Secret.png) -### Task 3: Call the secret without providing any credentials +### Task 3 (Linux): Call the secret without providing any credentials 1. Connect via SSH to the Virtual Machine *microhack-arc-servers-lin01*. @@ -41,7 +41,6 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen sudo -i ``` - 3. Install your favorite JSON parser. In this example we will use jq. ``` @@ -50,7 +49,7 @@ apt-get -y install jq 4. Request an access token for the Key Vault using the following command: -``` +```shell ChallengeTokenPath=$(curl -s -D - -H Metadata:true "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com" | grep Www-Authenticate | cut -d "=" -f 2 | tr -d "[:cntrl:]") ChallengeToken=$(cat $ChallengeTokenPath) if [ $? -ne 0 ]; then 
@@ -60,11 +59,63 @@ else fi ``` -`❗Hint: The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` + > **Note** + > For Windows machines the recommended command is the following + +```powershell + + # First Script to execute: + + Function Get-AzureArcToken { + [cmdletbinding()] + param( + [string]$ResourceURI + ) + # Build up URL + $SafeString = [System.Net.WebUtility]::URLEncode($ResourceURI) + $URI = "http://localhost:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource={0}" -f $SafeString + # Get Arc API Token + try { + Invoke-WebRequest -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true" } -Verbose:0 + } + catch { + $script:response = $_.Exception.Response + } + + # Extract the path to the challenge token + $tokenpath = $script:response.Headers["WWW-Authenticate"].TrimStart("Basic realm=") + + # Read the token + $token = Get-Content $tokenpath + + # Acquire and return Access Token + Invoke-RestMethod -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true"; Authorization = "Basic $token" } + } + + # Second Script to execute: + + # Get an Azure KeyVault Access Token with new Function + $AccessToken = Get-AzureArcToken -ResourceURI 'https://vault.azure.net' + # Setup Query Attributes + $Query = @{ + # URI of the specific secret we want + Uri = "https://mh-arc-servers-kv2212.vault.azure.net/secrets/test?api-version=7.1" + Method = "Get" + Headers = @{ + Authorization = "Bearer $($AccessToken.access_token)" + } + } + + # Retrieve Secrets + Invoke-RestMethod @Query | Select-Object -ExpandProperty Value | fl * +``` + + +❗Hint: The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. 
By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` 4. Verify that you received an access token using the following command: -``` +```shell token=$(echo "$AccessToken" | jq -r '.access_token') echo $token ``` @@ -72,7 +123,7 @@ You should see the access token in the output. In addition, the result is saved 5. Now, it's time to call the Azure Key Vault instance to retrieve the secret from the previous task. -``` +```shell curl 'https://mh-arc-servers-kv0815.vault.azure.net/secrets/kv-secret?api-version=2016-10-01' -H "Authorization: Bearer $token" ``` From ce8953c6a388a0dccfe3f808a5531440b0dc52e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Th=C3=B6nes?= <34335918+cthoenes@users.noreply.github.com> Date: Fri, 7 Jul 2023 15:30:45 +0200 Subject: [PATCH 4/4] Change Windows Command Location Fixed the Windows Commands Location Made hints more visible --- .../walkthrough/challenge-3/solution.md | 50 ++++++++++--------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md index 8223810d0..7d9dab0c0 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md @@ -60,12 +60,9 @@ fi ``` > **Note** - > For Windows machines the recommended command is the following + > For Windows machines you can use the following command: ```powershell - - # First Script to execute: - Function Get-AzureArcToken { [cmdletbinding()] param( 
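Review bot: In patch 3/4 (challenge-3/solution.md, hunk @@ -60,11 +59,63 @@), `Get-AzureArcToken` only assigns `$script:response` inside `catch`, so if the first `Invoke-WebRequest` does not throw, or an earlier call left a value in script scope, the function reads a missing or stale `WWW-Authenticate` header and fails with an unhelpful error; initialise `$response = $null` at the top, check that the caught status is 401, and fail with a clear message otherwise. `.TrimStart("Basic realm=")` removes any leading character from that set rather than the literal prefix, which happens to work for a path starting with `C:` but is fragile; use `-replace '^Basic realm=', ''`. The `$_.Exception.Response.Headers["WWW-Authenticate"]` access matches Windows PowerShell 5.1; confirm it also works on PowerShell 7, where the exception's response object differs, or state the version the note targets. The Linux steps switch to root with `sudo -i` before requesting the token, while the Windows note says nothing about elevation; state that the PowerShell session must run as administrator, since `Get-Content $tokenpath` on the protected challenge-token file is exactly where a non-elevated session fails. In the second script the vault `mh-arc-servers-kv2212` and secret `test` differ from the `mh-arc-servers-kv0815` and `kv-secret` used by the curl command in the same file, and `fl *` is an alias that should be written `Format-List *` in documentation. Finally, the re-added hint line keeps a stray closing backtick after "to Azure." from the removed inline-code wrapping.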
@@ -91,27 +88,11 @@ fi # Acquire and return Access Token Invoke-RestMethod -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true"; Authorization = "Basic $token" } } - - # Second Script to execute: - - # Get an Azure KeyVault Access Token with new Function - $AccessToken = Get-AzureArcToken -ResourceURI 'https://vault.azure.net' - # Setup Query Attributes - $Query = @{ - # URI of the specific secret we want - Uri = "https://mh-arc-servers-kv2212.vault.azure.net/secrets/test?api-version=7.1" - Method = "Get" - Headers = @{ - Authorization = "Bearer $($AccessToken.access_token)" - } - } - - # Retrieve Secrets - Invoke-RestMethod @Query | Select-Object -ExpandProperty Value | fl * ``` -❗Hint: The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` +> **❗Hint:** +> The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` 4. Verify that you received an access token using the following command: 
@@ -127,10 +108,31 @@ You should see the access token in the output. In addition, the result is saved curl 'https://mh-arc-servers-kv0815.vault.azure.net/secrets/kv-secret?api-version=2016-10-01' -H "Authorization: Bearer $token" ``` -`❗Hint: Please make sure to call your instance of Key Vault and adjust the name in the above command accordingly.` +> **❗Hint:** +> Please make sure to call your instance of Key Vault and adjust the name in the above command accordingly. ![image](./img/5_result_secret.png) + > **Note** + > For Windows machines you can use the following command: + +```powershell + # Get an Azure KeyVault Access Token with new Function + $AccessToken = Get-AzureArcToken -ResourceURI 'https://vault.azure.net' + # Setup Query Attributes + $Query = @{ + # URI of the specific secret we want + Uri = "https://mh-arc-servers-kv2212.vault.azure.net/secrets/test?api-version=7.1" + Method = "Get" + Headers = @{ + Authorization = "Bearer $($AccessToken.access_token)" + } + } + + # Retrieve Secrets + Invoke-RestMethod @Query | Select-Object -ExpandProperty Value | fl * +``` + Congratulations! You retrieved the secret from your Key Vault without providing any credentials. The resulting possibilities are limitless. You can use it for managing certificates or any secret that is necessary to run your on-premises application. -You successfully completed challenge 3! 🚀🚀🚀 \ No newline at end of file +You successfully completed challenge 3! 🚀🚀🚀
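Review bot: In patch 4/4 (challenge-3/solution.md, hunk @@ -91,27 +88,11 @@), the new `> **❗Hint:**` block still ends with a stray backtick after "to Azure.", carried over from the old inline-code wrapping; remove it. The note `> For Windows machines you can use the following command:` now introduces a block that only defines `Get-AzureArcToken` and prints nothing, so say that the function is defined here and called in step 5, otherwise readers will expect a token to appear.

Review bot: In hunk @@ -127,10 +108,31 @@ the moved Key Vault call hard-codes `mh-arc-servers-kv2212` and `secrets/test` while the curl command a few lines above uses `mh-arc-servers-kv0815` and `kv-secret`, and the "adjust the name" hint sits above the curl command only; use one placeholder vault and secret name in both blocks and repeat or move the hint so it covers the Windows block too. `Select-Object -ExpandProperty Value | fl *` writes the secret value in clear text to the console and to any running transcript, which is acceptable for the exercise but deserves a sentence, and `fl` should be spelled out as `Format-List` in documentation.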