Study notes
By default, access to cognitive services resources is restricted by using subscription keys. Management of access to these keys is a primary consideration for security.
You should regenerate keys regularly to protect against the risk of keys being shared with or accessed by unauthorized users. You can regenerate keys by using the visual interface in the Azure portal, or by using theaz cognitiveservices account keys regenerate Azure command-line interface (CLI) command.
Azure Key Vault
Keys and other secrets mut not be kept in configuration files.Always use Azure Key Vault.
Access to the key vault is granted to security principals, which you can think of user identities that are authenticated using Azure AD.
- Administrators assign a security principal to an application (in which case it is known as a service principal) to define a managed identity for the application.
- The application can then use this identity to access the key vault and retrieve a secret to which it has access.
Most common REST interface require token-based authentication.
- You should have a subscription key (initial request)
- Obtain an authentication token (valid 10 minutes)
- Present the token to validate that the caller has been authenticated.
Some Cognitive Services support Azure Active Directory authentication, enabling you to grant access to specific service principals or managed identities for apps and services running in Azure.
Network Security (network access restrictions)
- In Azure portal
- Cognitive service - you have created
- Networking
- Set restrictions
Example:
Secure key access with Azure Key Vault
You can develop applications that consume cognitive services by using a key for authentication.
This means that the application code must be able to obtain the key.
- Store the key in an environment variable or a configuration file where the application is deployed, not good.
- Store the key securely in Azure Key Vault, and provide access to the key through a managed identity(a user account used by the application itself).
Steps:
Create Resource: Key Vault and store Cognitive Service Key1 in it, Name must be Cognitive-Services-Key
Create a Service Principal (we need resource name and subscription Id)
Find its (Service Principal) Object Id (We need Service Principal appId)
Grand access to Service Principal to secret (which is the Key1 of Cognitive service, we need Key Vault name, Service Principal Object Id and possible Resource Group name)
Now we're ready to use the service principal identity in an application,
It can access the secret cognitive services key in your key vault and use it to connect to your cognitive services resource.
Hands-on Secure Service, Login to view
Hands-on Secure Keys with Key Vault, Login to view
References
Secure Cognitive Services - Training | Microsoft Learn
az cognitiveservices | Microsoft Learn
View service principal of a managed identity in the Azure portal - Azure AD - Microsoft Entra | Microsoft Learn
Configure Virtual Networks for Azure Cognitive Services - Azure Cognitive Services | Microsoft Learn
Azure Cognitive Services security - Azure Cognitive Services | Microsoft Learn
az cognitiveservices | Microsoft Learn
View service principal of a managed identity in the Azure portal - Azure AD - Microsoft Entra | Microsoft Learn
Configure Virtual Networks for Azure Cognitive Services - Azure Cognitive Services | Microsoft Learn
Azure Cognitive Services security - Azure Cognitive Services | Microsoft Learn