In this lab you will get an overview of Azure Key Vault and learn how to do the following:
Log in to the Azure CLI
Create a vault
Create a key
Apply policy
Step 1 - Logging In
Run this command to log in to the Azure account:
az login -u $username -p $password
After you log in, you should get a block of JSON with details about your sign-in.
You can view the Azure account username with this command:
echo $username
Step 2 - Setup
A key vault is a secure, hardened container for small, sensitive pieces of information such as passwords, keys, certificates, and other secrets. We usually want to tightly control how these keys are accessed and distributed, rather than have them pasted without discretion into application code and resources. This is what a key vault provides, and it exposes each key conveniently via a uniform resource identifier (URI).
Azure provides two tiers of key vaults, one that is software-based and another that is hardware-backed. You can learn about these two pricing tiers here. For this scenario, we will just use a software key.
First we need a resource group. A resource group whose name is saved in the variable $resource already exists in this environment; it was created with this command:
az group create --name $resource --location eastus
You will also need to register the KeyVault provider, which has already been done in this environment. This is the command for reference:
az provider register --namespace Microsoft.KeyVault
Step 3 - Creating a Vault
To create a key vault, use the az keyvault create command and provide a name, resource group, and location. Note that the name has to be globally unique, so let's generate a random ID to help with that. We can then append it to our key vault name MyKeyVault and save the result in a variable kvName:
randomId=$(cat /dev/urandom | env LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
kvName="MyKeyVault$randomId"
Let's create the key vault. Note that the output of the create command includes a property called vaultUri. We are going to need that to access the key, so let's save it to a variable:
vaultUri=$(az keyvault create \
  --name $kvName \
  --resource-group "$resource" \
  --location eastus \
  --query "properties.vaultUri" \
  --output tsv)
echo $vaultUri
Step 4 - Creating a Key
Only your Azure account can work with this key vault. Let's create a software-based key called mySuperSecretKey. Azure will generate the key value for you as well:
az keyvault key create \
  --vault-name $kvName \
  --name mySuperSecretKey \
  --protection software
Alternatively, if you have an existing key in a file (here named mysoftwarekey.pem) you can use the import command that follows. Note that you have to provide the password for the key, which in this case is hweriyghv35. This command is for reference and is not interactive:
az keyvault key import \
  --vault-name $kvName \
  --name mySuperSecretKeyFromFile \
  --pem-file "./mysoftwarekey.pem" \
  --pem-password "hweriyghv35" \
  --protection software
Now we concatenate the vault URI and the key name to build the URI used to access the key, and save it to a variable keyUri:
keyUri="${vaultUri}keys/mySuperSecretKey"
echo $keyUri
To view the keys in a vault (but not their private key material, of course!) use the list command:
az keyvault key list --vault-name $kvName
Step 5 - Setting Policy
We are not going to create an application, but if you wanted to allow an application to use the key, you would create a policy on the key vault. The --spn option accepts the application ID (we use $myAppId as the placeholder), and --key-permissions grants that application only the decrypt and sign operations, nothing more. Here is a nonexecutable example of setting a policy for an application:
az keyvault set-policy \
  --name $kvName \
  --spn $myAppId \
  --key-permissions decrypt sign
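The whole lab flow (steps 2 through 5) as one script, added here as an example rather than taken from the lab itself. It assumes you are already logged in and that $resource names an existing resource group; DRY_RUN=1 prints the az commands instead of running them, and the two helper functions catch mistakes the manual steps do not check for: a vault name longer than Azure's 24-character limit, and a vaultUri missing its trailing slash.

```shell
#!/bin/sh
# Added example, not part of the original lab. Assumes `az login` already ran and
# that $resource names an existing resource group (placeholder default below).
set -eu

RESOURCE_GROUP="${resource:-myResourceGroup}"   # placeholder, not a real group
LOCATION="eastus"
KEY_NAME="mySuperSecretKey"
DRY_RUN="${DRY_RUN:-0}"                          # DRY_RUN=1 prints commands only

# Key Vault names must be 3-24 characters: letters, digits and hyphens only.
# Appending a 10-character random suffix keeps the name globally unique.
make_kv_name() {
  prefix="$1"
  rand=$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 10)
  name="${prefix}${rand}"
  [ ${#name} -le 24 ] || { echo "vault name too long: $name" >&2; return 1; }
  printf '%s' "$name"
}

# Build the key URI. The CLI returns vaultUri with a trailing '/', but tolerate
# a value without one so the result is never "...azure.netkeys/...".
key_uri() {
  printf '%s/keys/%s' "${1%/}" "$2"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

main() {
  kv_name=$(make_kv_name "MyKeyVault")
  if [ "$DRY_RUN" = 1 ]; then
    run az keyvault create --name "$kv_name" --resource-group "$RESOURCE_GROUP" --location "$LOCATION"
    vault_uri="https://${kv_name}.vault.azure.net/"   # shape of the real return value
  else
    vault_uri=$(az keyvault create --name "$kv_name" --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" --query "properties.vaultUri" --output tsv)
  fi
  run az keyvault key create --vault-name "$kv_name" --name "$KEY_NAME" --protection software
  echo "Key URI: $(key_uri "$vault_uri" "$KEY_NAME")"
  # Least privilege: an application gets only the key operations it needs.
  if [ -n "${myAppId:-}" ]; then
    run az keyvault set-policy --name "$kv_name" --spn "$myAppId" --key-permissions decrypt sign
  fi
}

# Run the flow only when invoked as `sh kv-lab.sh run`, so the helper
# functions can also be sourced and checked on their own.
if [ "${1:-}" = "run" ]; then main; fi
```

Try it first with `DRY_RUN=1 sh kv-lab.sh run` to see the exact commands before they touch your subscription.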
That covers how to create keys in a key vault!