How can I associate keys against a secret in Azure Key Vault? - azure

I am new to Azure and trying to understand if there is any correlation between a key and a secret in Azure Key Vault.
I have the below question on using a key against a secret.
E.g.:
Secret with DB credentials
Represent key for accessing secret
Is this possible in Azure Key Vault?

Yes, it is possible.
You can store your DB password in a secret and your DB user in another secret, or even store both in the same secret. In the end, Key Vault saves strings.
In Key Vault you must follow the next steps to create a secret:
1. Open the secret section and go to Generate/Import.
2. Insert the Name (Key) and the secret value (value), and then create your secret.
After that, you can refer to the name to get the value of the secret.
Hope this helps!

Related

How to generate role_id and secret_id for HashiCorp Vault

I am working on an application which uses Vault.
Now, the vault needs Role_Id and Secret_Id to be delivered in order to fetch the value for a key.
Both the role_id and secret_id are kept in environment variables.
I can't figure out how to get/retrieve the role and secret IDs from HashiCorp Vault.
I have the UI for Vault opened up but I can't figure out how to generate these 2 values.
If anyone can provide the steps, that would be great!

role_id and secret_id are the credentials leased via the Vault AppRole authentication method.
You can follow the examples here, adapting them to your use case.

How can I renew a Host Key in an Azure Function App without losing the link to the Key Vault?

I have a Function App hosted in Azure. I access the functions via a key in the Host Keys that I created, MyKey. This is linked to a secret in the Key Vault via the following format:
#Microsoft.KeyVault(SecretUri=secret_uri_with_version)
Now if the key inside the Function App is renewed, I lose the edited value as above and it is replaced with a random key value.
How can I make it so that if someone renews the key in the Function App then the link to the Key Vault is not lost?

Create RSA key pair and retrieve public key in Azure key vault

We have a requirement to create an RSA key pair using Azure Key Vault and copy the RSA public key to an external system. The requirement is that the external system will encrypt the data using the public key and the internal system will talk to Azure Key Vault and decrypt the data. I don't have access to Azure Key Vault yet, so I am going through the documentation. I have two basic questions:
1. Is there a way to export the RSA public key in a text format using Azure portal without using API (https://learn.microsoft.com/en-us/rest/api/keyvault/getkey/getkey)?
2. If I don't select 'set activation' or 'set expiration' date while creating the keys, will the key expire? Do they have a default expiration value?
Thanks in advance.

Is there a way to export the RSA public key in a text format using Azure portal without using API
The only way to export the key in the portal is Download Backup. You will get a file like xxxxvault1-testkey-20181227.keybackup, but the key will be encrypted, so it cannot be used outside the Azure Key Vault system.
If you want to export the key unencrypted, you can use the Azure CLI:
az keyvault key show --vault-name 'keyvaultname' --name 'testkey' --version 'e8dfb0f7b7a045b5a1e80442af833270' > C:\Users\joyw\Desktop\output.txt
It will export the key as a file output.txt.
If I don't select 'set activation' or 'set expiration' date while creating the keys, will the key expire? Do they have a default expiration value?
AFAIK, if you don't set an expiration date, it will never expire.
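
The JSON that `az keyvault key show` writes carries the public key as JWK fields (modulus `n`, exponent `e`), not as PEM text. As an added example that is not part of the original answer, this Python converts that output into a PEM public key an external system can load; the sample key is constructed filler rather than a real RSA modulus, and accepting both standard and URL-safe base64 is an assumption about how the CLI encodes `n` and `e`.

```python
import base64
import json

# DER contents of AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 (rsaEncryption) + NULL
RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")

def b64_to_int(text):
    """Decode base64 or base64url (padding optional) to an unsigned integer."""
    text = text.replace("-", "+").replace("_", "/")
    return int.from_bytes(base64.b64decode(text + "=" * (-len(text) % 4)), "big")

def der(tag, body):
    """Wrap body in a DER tag-length-value, using long-form length when needed."""
    size = len(body)
    if size < 0x80:
        head = bytes([size])
    else:
        raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def der_int(value):
    """DER INTEGER; the extra byte keeps a value with its top bit set positive."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def jwk_to_pem(key_show_json):
    """Convert `az keyvault key show` JSON to a SubjectPublicKeyInfo PEM."""
    jwk = json.loads(key_show_json)["key"]
    if jwk.get("kty") not in ("RSA", "RSA-HSM"):
        raise ValueError("not an RSA key: %r" % jwk.get("kty"))
    rsa_pub = der(0x30, der_int(b64_to_int(jwk["n"])) + der_int(b64_to_int(jwk["e"])))
    # BIT STRING starts with a zero "unused bits" byte before the RSAPublicKey
    spki = der(0x30, der(0x30, RSA_ALG) + der(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

# Constructed sample: 256 filler bytes stand in for a 2048-bit modulus (not a real key).
SAMPLE = json.dumps({"key": {
    "kty": "RSA",
    "e": "AQAB",
    "n": base64.b64encode(bytes([0xC3]) + bytes(range(255))).decode(),
}})

if __name__ == "__main__":
    print(jwk_to_pem(SAMPLE))
```

Only the public fields `n` and `e` are read, so the resulting PEM contains no private key material and is safe to hand to the external system.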

Azure Key Vault - How to update the secrets

In Azure Portal > Key vaults > Secrets, I have secrets with JSON values (I did not create them). Something like:
...
"SubscriptionId": "XXXXXXX",
"BaseAuthUri": "https://login.microsoftonline.com/XXXXX/oauth/authorize?client_id="&api-version=
...
I would like to add another URL value to it. How can I edit the secrets with Azure portal?
How is the value of api-version set?
Thanks

You can only change secret attributes such as expiration date, activation date. You cannot change a secret's value programmatically or via Azure Portal. If you want to update your secret without creating a new vault (meaning the secret identifier still remains intact) you can create a new version of the existing secret.
If the secret value contains the variables to get an authorization code, you don't need the API version because the URI you call is the authorization endpoint.

Upload cloud service certificate from keyvault

I have uploaded the SSL certificate to Key Vault. Now I want to upload this certificate to my Cloud service.
With this API I am able to access the cert from Key Vault:
GET https://{vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version={api-version}
But to upload the certificate, I need the password too.
"path": "subscriptions/%sub_Id%/resourceGroups/%rg_Name%/providers/Microsoft.ClassicCompute/domainNames/%cloudService_Name%/servicecertificates/SHA1-%THUMBPRINT%",
"body": {
"thumbprintAlgorithm": "SHA1",
"thumbprint": "%THUMBPRINT%",
"data": "%base64encodedcert%",
"certificateFormat": "pfx",
"password": "password" << this is in plain text I believe
}
How can I get the password from Key Vault, or upload the service certificate without a password or with a secret URI?

When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. You retrieve the value by referencing the key vault and secret in your parameter file. The value is never exposed because you only reference its key vault ID. You do not need to manually enter the value for the secret each time you deploy the resources.
For more details, refer to this documentation. Use Key Vault to pass secure parameter.
Also, check the Azure Key Vault REST API reference for examples.
