Setting keys in Azure Key Vault without PowerShell

How to set secrets in Azure Key Vault without using PowerShell. We are using Azure Key Vault to securely store our connection strings and some other application secrets. We are able to add secrets using PowerShell scripts, but I was wondering if there is another way to add keys in Azure KeyVault, preferably using APIs. We actually need to provide a management tool with which application admins can add/modify secrets in the key vault.

You can now add keys and secrets via the Azure Portal without having to use PowerShell.

This question is quite old, but I thought I'd add a new angle for people coming across it...

You can now also store secrets using ARM templates. You have been able to for a little while, but documentation has been very difficult to find (it took me some time when I first worked it out!). Here is a handy example in the Azure quickstart templates:

https://github.com/Azure/azure-quickstart-templates/blob/master/201-key-vault-secret-create/azuredeploy.json

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Key Vault"
      }
    },
    "tenantId": {
      "type": "string",
      "metadata": {
        "description": "Tenant Id of the subscription, used to assign access to the vault. Available from the Get-AzureRMSubscription PowerShell cmdlet"
      }
    },
    "accessPolicies": {
      "type": "array",
      "defaultValue": [],
      "metadata": {
        "description": "Array of access policy objects {\"tenantId\":\"\",\"objectId\":\"\",\"permissions\":{\"keys\":[\"\"],\"secrets\":[\"\"]}}"
      }
    },
    "vaultSku": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "SKU for the vault"
      }
    },
    "enabledForDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies if the vault is enabled for VM or Service Fabric deployment"
      }
    },
    "enabledForTemplateDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies if the vault is enabled for ARM template deployment"
      }
    },
    "enableVaultForVolumeEncryption": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies if the vault is enabled for volume encryption"
      }
    },
    "secretsObject": {
      "type": "secureObject",
      "defaultValue": {
        "secrets": []
      },
      "metadata": {
        "description": "All secrets, as {\"secrets\":[{\"secretName\":\"\",\"secretValue\":\"\"}]}, wrapped in a secure object"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "[parameters('keyVaultName')]",
      "apiVersion": "2015-06-01",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "KeyVault"
      },
      "properties": {
        "enabledForDeployment": "[parameters('enabledForDeployment')]",
        "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
        "enabledForVolumeEncryption": "[parameters('enableVaultForVolumeEncryption')]",
        "tenantId": "[parameters('tenantId')]",
        "accessPolicies": "[parameters('accessPolicies')]",
        "sku": {
          "name": "[parameters('vaultSku')]",
          "family": "A"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('keyVaultName'), '/', parameters('secretsObject').secrets[copyIndex()].secretName)]",
      "apiVersion": "2015-06-01",
      "properties": {
        "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]"
      },
      "dependsOn": [
        "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
      ],
      "copy": {
        "name": "secretsCopy",
        "count": "[length(parameters('secretsObject').secrets)]"
      }
    }
  ]
}

Microsoft does provide a REST API for that. You can check it here.

Below is a PowerShell script that shows you how to create a key with that API.

# Load ADAL (the Active Directory Authentication Library). This path is where the Azure AD
# Connect installer puts the assembly; point it at wherever the DLL lives on your machine.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

$tenantID = "<your tenant ID>"
$loginEndpoint = "https://login.windows.net/"

# the common redirect URI and client ID (the well-known Azure PowerShell application)
$redirectURI = New-Object System.Uri ("urn:ietf:wg:oauth:2.0:oob")
$clientID = "1950a258-227b-4e31-a9cf-717495945fc2"

# the resource the token must be issued for: the Key Vault data plane
$resource = "https://vault.azure.net"

$authString = $loginEndpoint + $tenantID

# second argument is validateAuthority
$authenticationContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext ($authString, $false)

# prompt the user interactively only when no cached token is available
$promptBehaviour = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto

$userIdentifierType = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifierType]::RequiredDisplayableId

$userIdentifier = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier ("<your Azure account>", $userIdentifierType)

$authenticationResult = $authenticationContext.AcquireToken($resource, $clientID, $redirectURI, $promptBehaviour, $userIdentifier)

# construct the authorization header for the REST API ("Bearer <token>")
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# create an enabled RSA key named <key name> in the vault; the response describes the new key
$key = Invoke-RestMethod -Method POST -Uri "https://<your key vault>.vault.azure.net/keys/<key name>/create?api-version=2015-06-01" -Headers $headers -Body '{"kty": "RSA","attributes": {"enabled": true}}'

I don't know what programming language you are using, so I use PowerShell because it's easy to test. The script is translated from C# code, so it can be easily translated back to C#. If you don't like the prompt behaviour, you can use a credential with a SecureString. For other programming languages, you can use the corresponding ADAL. If ADAL is not available for that programming language, you can use OAuth2.
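
As an added example (not code from the question or from any of the answers above), the following Python builds both of the things the two answers describe, without PowerShell: the parameters a management tool would feed to the ARM template (the secretsObject shape its copy loop indexes, plus an access policy granting only secret permissions) and the Key Vault data-plane REST request that sets a secret, with an OAuth2 client-credentials token request in place of the interactive ADAL prompt. The vault name, tenant and object ids, the token and the fake HTTP transport are constructed values, and the data-plane api-version 7.4 is assumed to be current rather than taken from the page (the script above uses 2015-06-01).

```python
"""Added example, not code from the question or the answers above. Built offline, it
produces the two artefacts those answers describe for setting secrets without PowerShell:
  1. the secureObject parameter the ARM template's copy loop reads as
     parameters('secretsObject').secrets[i].secretName / .secretValue
  2. the Key Vault data-plane REST call (Set Secret) carrying an OAuth2 bearer token
Vault names, ids and the fake HTTP transport are constructed sample values."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

# Key Vault object names (keys, secrets, certificates): 1-127 chars of [0-9a-zA-Z-].
OBJECT_NAME_RE = re.compile(r"^[0-9a-zA-Z-]{1,127}$")
# Vault names: 3-24 chars, letters/digits/hyphens, start with a letter,
# end with a letter or digit, no consecutive hyphens.
VAULT_NAME_RE = re.compile(r"^[a-zA-Z](?:[a-zA-Z0-9]|-(?!-)){1,22}[a-zA-Z0-9]$")
DATA_PLANE_API_VERSION = "7.4"  # assumed current data-plane version; the answer's script used 2015-06-01

def validated(name: str, pattern: re.Pattern, what: str) -> str:
    if not pattern.match(name):
        raise ValueError(f"invalid {what}: {name!r}")
    return name

def build_secrets_object(secrets: Dict[str, str]) -> dict:
    """The shape the template's copy loop expects (its parameter description is terser)."""
    return {"secrets": [{"secretName": validated(n, OBJECT_NAME_RE, "secret name"), "secretValue": v}
                        for n, v in secrets.items()]}

def build_parameters_file(vault_name: str, tenant_id: str, admin_object_id: str,
                          secrets: Dict[str, str]) -> dict:
    """Parameters file for the template above. Its one access policy gives the management
    tool's identity secret permissions only: least privilege, no key or certificate rights."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "keyVaultName": {"value": validated(vault_name, VAULT_NAME_RE, "vault name")},
            "tenantId": {"value": tenant_id},
            "accessPolicies": {"value": [{"tenantId": tenant_id, "objectId": admin_object_id,
                                          "permissions": {"keys": [], "secrets": ["get", "list", "set"]}}]},
            "secretsObject": {"value": build_secrets_object(secrets)},
        },
    }

@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: bytes

def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> HttpRequest:
    """OAuth2 client-credentials grant scoped to the Key Vault data plane: the
    non-interactive alternative to the ADAL prompt in the PowerShell script."""
    form = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": "https://vault.azure.net/.default"})
    return HttpRequest("POST", f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
                       {"Content-Type": "application/x-www-form-urlencoded"}, form.encode())

def build_set_secret_request(vault_name: str, secret_name: str, value: str, access_token: str,
                             api_version: str = DATA_PLANE_API_VERSION) -> HttpRequest:
    """Set Secret: PUT https://<vault>.vault.azure.net/secrets/<name>?api-version=<v>.
    The value travels only in the JSON body, never in the URL, because URLs end up in logs."""
    url = (f"https://{validated(vault_name, VAULT_NAME_RE, 'vault name')}.vault.azure.net/secrets/"
           f"{validated(secret_name, OBJECT_NAME_RE, 'secret name')}?api-version={api_version}")
    body = json.dumps({"value": value, "attributes": {"enabled": True}}).encode()
    return HttpRequest("PUT", url, {"Authorization": f"Bearer {access_token}",
                                    "Content-Type": "application/json"}, body)

def redact(req: HttpRequest) -> str:
    """Audit-log line for a request with the bearer token and the body (the secret) masked."""
    return f"{req.method} {req.url} authorization=<redacted> body={len(req.body)} bytes"

def parse_set_secret_response(status: int, body: bytes) -> Tuple[str, str]:
    """Return (name, version) on success; surface Key Vault's error envelope otherwise."""
    doc = json.loads(body)
    if status != 200:
        err = doc.get("error", {})
        raise RuntimeError(f"Set Secret failed: HTTP {status} {err.get('code')}: {err.get('message')}")
    # "id" has the form https://<vault>.vault.azure.net/secrets/<name>/<version>
    _, name, version = doc["id"].rsplit("/", 2)
    return name, version

def set_secret(transport: Callable[[HttpRequest], Tuple[int, bytes]], vault_name: str,
               secret_name: str, value: str, access_token: str) -> Tuple[str, str]:
    req = build_set_secret_request(vault_name, secret_name, value, access_token)
    print(redact(req))  # what an audit log should record: the operation, not the secret
    return parse_set_secret_response(*transport(req))

def fake_transport(req: HttpRequest) -> Tuple[int, bytes]:
    """Constructed stand-in for the network: answers as Key Vault does on success."""
    host, name = req.url.split("/")[2], req.url.split("/secrets/")[1].split("?")[0]
    return 200, json.dumps({"value": json.loads(req.body)["value"], "attributes": {"enabled": True},
                            "id": f"https://{host}/secrets/{name}/0123456789abcdef"}).encode()

if __name__ == "__main__":  # demo with constructed values; a real run swaps in urllib/requests
    print(set_secret(fake_transport, "contoso-kv", "DbConnectionString", "Server=tcp:db;...", "<token>"))
```

To run this against a real vault, replace fake_transport with a function that sends the HttpRequest over HTTPS (urllib or requests) and returns the status and body, and obtain the token by sending the request from build_token_request first. Keep redact() as the only thing that reaches your logs: both the bearer token and the request body are sensitive, and the validation of vault and secret names before they are interpolated into the URL is what stops a user-supplied name from rewriting the request path.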

Comments
  • This may not be suitable for a management tool, but you never know.
  • Agree with @Alex KeySmith. We have moved to ARM templates now as well.
  • Is there an SDK available for this?
  • Yes, there is a .NET SDK for Azure Key Vault. See the documentation