Azure Key Vault

In this lab you will get an overview of Azure Key Vault and learn how to do the following:

  • Log in to the Azure CLI

  • Create a vault

  • Create a key

  • Apply policy

    Step 1 - Logging In

    Run this command to log in to the Azure account:

    az login -u $username -p $password

    After you log in, you should get a block of JSON with details about your sign-in.

    You can view the Azure account username with this command:

    echo $username

    Step 2 - Setup

    A key vault is a secure, hardened container that holds small pieces of sensitive information such as passwords, keys, certificates, and other secrets. We usually want to control tightly how these keys are accessed and distributed, rather than have them pasted indiscriminately into application code and resources. That is what a key vault provides, and it exposes each key conveniently through a uniform resource identifier (URI).

    Azure offers two tiers of key vault: one whose keys are software-protected and one whose keys are hardware-backed. You can learn about these two pricing tiers here. For this scenario, we will just use a software-protected key.

    First we need a resource group.

    This environment already has one; its name is stored in the variable $resource, and it was created with this command:

      az group create --name $resource --location eastus
    

    You will need to register the KeyVault provider, which has already been done in this environment. This is the command for reference:

    az provider register --namespace Microsoft.KeyVault

    Step 3 - Creating a Vault

    To create a key vault, use the az keyvault create command and provide a name, resource group, and location. Note that the name has to be globally unique, so let's generate a random ID to help with that. We can then append that to our key vault name MyKeyVault and save it to a variable kvName:

      randomId=$(cat /dev/urandom | env LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
      kvName="MyKeyVault$randomId"
    

    Let's create the key vault. The command's JSON output includes a property called vaultUri, which we will need in order to build the key's address. Rather than copy it by hand, we query just that property and save it to a variable:

      vaultUri=$(az keyvault create \
          --name $kvName \
          --resource-group "$resource" \
          --location eastus \
          --query "properties.vaultUri" \
          --output tsv)
    
      echo $vaultUri
    

    Step 4 - Creating a Key

    Only your Azure account can work with this key vault. Let's create a software-based key called mySuperSecretKey. Azure will generate the key value for you as well:

      az keyvault key create \
          --vault-name $kvName \
          --name mySuperSecretKey \
          --protection software
    

    Alternatively, if you have an existing key in a file (here named mysoftwarekey.pem) you can use the import command that follows. Note that you have to provide the password protecting the key, which in this case is hweriyghv35. This command is for reference and is not interactive:

      az keyvault key import \
          --vault-name $kvName \
          --name mySuperSecretKeyFromFile \
          --pem-file "./mysoftwarekey.pem" \
          --pem-password "hweriyghv35" \
          --protection software
    

    Now we concatenate and save the URI to access the key to a variable keyUri:

      keyUri="${vaultUri}keys/mySuperSecretKey"
      echo $keyUri
    
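    Two small checks around Steps 3 and 4, as an added example that is not part of this lab: a name validator that catches a non-compliant vault name before `az keyvault create` rejects it, a suffix generator that keeps the combined name within the length limit, and a URI builder that does not depend on whether the saved vaultUri kept its trailing slash. The prefix MyKeyVault and the vault URI in the comments are the lab's values; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab. Key Vault names must be
# 3-24 characters, contain only letters, digits and hyphens, start with a
# letter, not end with a hyphen, and not contain consecutive hyphens.
valid_kv_name() {
  local name=$1
  [ ${#name} -ge 3 ] && [ ${#name} -le 24 ] || return 1
  case $name in
    *[!a-zA-Z0-9-]*) return 1 ;;   # forbidden character (e.g. underscore)
    [!a-zA-Z]*)      return 1 ;;   # must start with a letter
    *-)              return 1 ;;   # must not end with a hyphen
    *--*)            return 1 ;;   # no consecutive hyphens
  esac
  return 0
}

# Random suffix drawn from /dev/urandom as in the lab, but sized so that
# prefix plus suffix never exceeds the 24-character limit (at most 10 chars).
make_kv_name() {
  local prefix=$1 max=24 room suffix
  room=$(( max - ${#prefix} ))
  [ "$room" -ge 1 ] || return 1
  [ "$room" -gt 10 ] && room=10
  suffix=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "$room")
  printf '%s%s\n' "$prefix" "$suffix"
}

# Join vaultUri and a key name. `az keyvault create` returns the URI with a
# trailing slash (https://<name>.vault.azure.net/), but copied values often
# lose it; strip any trailing slash first so the result is always correct.
key_uri() {
  local vault_uri=${1%/} key_name=$2
  printf '%s/keys/%s\n' "$vault_uri" "$key_name"
}

# Usage, mirroring the lab's Steps 3 and 4:
#   kvName=$(make_kv_name MyKeyVault) && valid_kv_name "$kvName"
#   keyUri=$(key_uri "$vaultUri" mySuperSecretKey)
```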

    To list the keys in a vault (their names and attributes only; the private key material never leaves the vault) use the list command:

      az keyvault key list --vault-name $kvName
    

    Step 5 - Setting Policy

    We are not going to create an application, but if you wanted to allow an application to use the key, you would set an access policy on the key vault. The --spn option takes the application's service principal name or application ID (we use $myAppId as the placeholder) and grants it only the permissions listed, here decrypt and sign. Here is a nonexecutable example of setting a policy for an application:

      az keyvault set-policy \
        --name $kvName \
        --spn $myAppId \
        --key-permissions decrypt sign
    

    That covers how to create keys in a key vault and scope who may use them!