Creating a service principal

In the next part of this demo, we are going to create a console application to encrypt and decrypt the data. The simplest way to authenticate a cloud-hosted .NET application is with a Managed Identity (see the previous chapter), but a console application running on a developer machine has no managed identity to use. For the sake of simplicity, this demonstration therefore uses a console application that authenticates with a service principal, and a Key Vault access policy that grants that principal its permissions.

We are going to create the service principal and the access policy using the Azure CLI in this example:

  1. In Azure Cloud Shell, run the following command. The --sdk-auth switch prints the result as a JSON document containing the clientId, clientSecret, and tenantId (newer releases of the Azure CLI mark this switch as deprecated; without it the same values are printed as appId, password, and tenant):
az ad sp create-for-rbac -n "http://PacktSP" --sdk-auth
  2. The outcome will look like the following image:

Service Principal values
  3. Make a note of the clientId and the clientSecret. The secret is shown only once, so store it somewhere safe and keep it out of source control; we are going to use these values to authenticate to the Key Vault in the next step and in the final demo on using the Key Vault API.
  4. Next, we need to create an access policy on your Key Vault that grants permissions to the service principal. We will give the service principal get, list, set, and delete permissions on secrets, and create, get, list, delete, encrypt, decrypt, wrapKey, and unwrapKey permissions on keys. As always, trim this list to the operations the application will actually call:
az keyvault set-policy \
  -n PacktDataEncryptionVault \
  --spn <clientId-of-your-service-principal> \
  --secret-permissions delete get list set \
  --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
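
The steps above as a single script, added here as an example and not part of the book's own material. It reuses the names from the page (PacktSP, PacktDataEncryptionVault) and assumes an installed Azure CLI that is already logged in with az login; the --apply switch, the file under $HOME that receives the --sdk-auth output, the json_field helper, and the checks around the commands are this example's own conventions. It goes beyond the page in two ways a reviewer would ask for: it lists any subscription-level role the CLI may have assigned implicitly to the new principal, and it refuses to set an access policy on a vault that uses the Azure RBAC permission model, where set-policy has no effect.

```shell
#!/usr/bin/env bash
# Added example (not the book's code): the service principal + access policy
# steps as one script, with the checks a least-privilege review would add.
# Names reused from the page: PacktSP, PacktDataEncryptionVault. The --apply
# switch, AUTH_FILE and json_field are this script's own conventions.
set -eu

SP_NAME="PacktSP"
VAULT_NAME="PacktDataEncryptionVault"
AUTH_FILE="${HOME:-.}/.packtsp.azureauth.json"   # assumed location for the --sdk-auth JSON

# Pull one string field out of the JSON that `az ad sp create-for-rbac --sdk-auth`
# prints, without depending on jq. Works on pretty-printed or single-line JSON
# as long as the key appears once. Prints nothing for a missing key.
# Usage: json_field "$json" clientId
json_field() {
  printf '%s\n' "$1" \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    | head -n 1
}

# Steps 1-3: create the principal. --sdk-auth is what the page uses (and what the
# console application consumes later); newer CLI releases mark it deprecated and,
# without it, name the same values appId / password / tenant instead.
create_service_principal() {
  az ad sp create-for-rbac --name "$SP_NAME" --sdk-auth
}

# Older CLI releases also granted Contributor over the whole subscription when
# --role/--scopes were omitted. The vault access policy below is all this
# principal needs, so surface any implicit role assignment for removal.
list_role_assignments() {
  az role assignment list --assignee "$1" --all --output table
}

# Step 4: the access policy. It only takes effect when the vault uses the
# access-policy permission model; a vault created with --enable-rbac-authorization
# silently ignores it, so check the property first (tsv prints True/true).
grant_vault_access() {
  rbac=$(az keyvault show --name "$VAULT_NAME" \
           --query properties.enableRbacAuthorization --output tsv)
  case "$rbac" in
    [Tt]rue)
      echo "vault $VAULT_NAME uses Azure RBAC; assign a Key Vault role instead of an access policy" >&2
      return 1 ;;
  esac
  az keyvault set-policy \
    --name "$VAULT_NAME" \
    --spn "$1" \
    --secret-permissions get list set delete \
    --key-permissions create get list delete encrypt decrypt wrapKey unwrapKey
}

main() {
  # Keep the secret out of the terminal scrollback and out of world-readable files.
  (umask 077; create_service_principal > "$AUTH_FILE")
  auth=$(cat "$AUTH_FILE")
  client_id=$(json_field "$auth" clientId)
  tenant_id=$(json_field "$auth" tenantId)
  echo "service principal $SP_NAME: clientId=$client_id tenantId=$tenant_id (secret in $AUTH_FILE)"
  list_role_assignments "$client_id"
  grant_vault_access "$client_id"
  # Show the resulting policy so the granted permissions can be reviewed.
  az keyvault show --name "$VAULT_NAME" --query properties.accessPolicies --output json
}

# Touches a real subscription only when invoked as: ./create-sp.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Without --apply the script only defines its functions, so json_field can be tried on a saved --sdk-auth document. Any role reported by az role assignment list that the application does not need can be removed with az role assignment delete; the console application only ever talks to the vault, so the access policy is the whole of its required access. The clientSecret ends up in the 0600 file only, never in the terminal.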

In this part of the demonstration, we created a service principal and an access policy that grants it permissions on the Key Vault. In the next section, we are going to create a SymmetricKey, which is used to encrypt and decrypt the file.
