I'm attempting to generate 2 azurerm_key_vault_key: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key
I need both of them to have the same value(to be the same key exactly but in different keyvault). Is it possible to achieve that? I can't find anyway to explicitly define the key's value so I could generate it beforehand. Is that possible to have 2 keys like that?
You need to have 2 Keys in different Azure Key Vaults with same values.
Unfortunately it is not possible to import Key in Azure Key Vault with terraform, but you can use REST call to import Key into Azure Key Vault.
You can generate Keys beforehand and import it into both Azure KeyVaults.
https://learn.microsoft.com/en-us/rest/api/keyvault/importkey/importkey
I created Key Import feature request in Azure Terraform provider, please vote.
https://github.com/terraform-providers/terraform-provider-azurerm/issues/10301
Related
I am trying store secrets in azure vault. I used azure sdk apis and I can successfully store/retrieve using those. I wanted to know if it's possible to categorise/group set of secrets under same tag and store them in some path.
I want to group some secrets used by one service, store them in one storage path. The same way for other services is separate storage paths. I couldn't find any way of doing that. Is that possible in azure vault?
In short: no, this is not possible.
Also: you cannot get secrets and their values in a list. If you want to get a list, you'll only get a SecretItem array and you have to call GetSecret on each secret you want to get the actual value for.
You could, however, implement something like this yourself by defining a template for the name of the secret that incorporates the name of the thing you would like to group on. Something like this:
$"{serviceName}-secrets-{secretName}"
This way, you can filter the list to only hold the secrets for the service you want to get them for and get their values.
While developing an ARM template to deploy multiple app services and want to use the key vault to host multiple secret, and we need to include 110 references in the template.
While doing a POC, there is an error message:
The deployment has specified too many Key Vault parameter references.
The maximum of Key Vault parameter references is '30'
Is it possible to go beyond 30?
Your first option should be to consider why you need so many secrets and how you can come up with a better strategy.
Failing that, on the quick and dirty, you can wrap multiple secrets in the a string.
E.g.:
MySecret: value1|value2|value3|value4|value5
They you can use the ARM Template functions to pull out the value you need.
Look in to the array and split functions.
Hopefully you can keep related secrets together and organise them neatly.
When I reference more than 30 keys from my global Key Vault in ARM template parameter file, then I get the following error in my deployments.
The deployment has specified too many KeyVault parameter references. The maximum of KeyVault parameter references is '30'.
Please help me how to override this limit or what is the alternative to reference more than 30 secrets/keys from Key Vault?
Just create a nested deployment that will reference 30 more secrets and return those as output into the main one, that way you can work around that restriction
One alternative is to store multiple values in a single secret as JSON. You can load that single secret from key vault and then use the json() template function to convert it into an object. Pass the secret to a linked template as a string, then use the json function in that linked template.
This limit has been increased to 256, which is currently the max number of parameters allowed in a template. See: https://github.com/bmoore-msft/AzureRM-Samples/blob/master/keyvault-max-references/azuredeploy.json for a sample.
I need a way to store hierarchical data in Azure Key Vaults so that I have a structure similar to:
AppName
/Prod
/Data
/Test
/Data
AppName2
/Prod
/Data
...
As far as I can tell I can only store a flat data structure. I am looking to be able to store data similar to Vault by HashiCorp which allows hierarchies.
For instance, in Vault by HashiCorp, I can get data using a 'path': "app/test/TestConnection" and I get the value at the endpoint of the path: TestConnection.
Any suggestion for alternatives would be fine or instruction on how to do what I need to do with Key Vault.
Thanks
Update
I tried some of the suggestions: MySettings--SomeSection--SecretThing, Multiple Vaults and neither works in the manner I need as described above. Not faulting the input but what I want to do just is not available in Key Vault.
#juunas Turns out that your suggestion may be the best solution. I only just discovered in another article that MySettings--SomeSection--Secret translates into something similar in .NET Core:
MySettings: {
SomeSection: "Secret"
}
Since my client wants to use Key Vault we are probably going to go with storing json structured data per a single secret per application.
Any other suggestions are welcome
Key Vault does not support hierarchies for secrets.
To emulate structure, you can do something similar what .NET Core does with its Key Vault configuration provider. You can specify a secret with a name like Settings--SomeCategory--SomeValue, and it'll correspond to the following JSON when loaded:
{
"Settings": {
"SomeCategory": {
"SomeValue": "value goes here"
}
}
}
So essentially you can use a separator to emulate the structure, similar also to how Azure Blob Storage emulates folders.
I would advice against mixing different environment secrets within the same key vault. Access cannot be restricted to some keys, as access is granted and denied on the Key Vault level only. You probably don't want the same persons/applications to be able to access all the different environments, but instead grant access to the production environment to a selected group of users and applications only, and vice versa.
As the Key Vault service by itself doesn't really cost anything, we at least have taken the approach to create one Key Vault per environment, i.e. dev, test and production. Within that key vault the secrets are "structured" by a prefix, i.e. AppName-Data and AppName2-Data. This gives the added benefit, that when moving from dev to test and to production, the references to the secrets don't need to be changed, as they have the same name in all the environments. Just the reference to the Key Vault needs to be changed, and all is set!
I am starting with Windows Azure. I have an Azure account with Microsoft and would like to use it from my Visual Studio project
In the Azure management portal, I can see the primary access key and secondary access key. However Visual Studio needs the account name and account key.
Are these related or am I missing something? If so, how can I get my account name and account key from the Azure management portal?
If you're referring to a Windows Azure Storage account, the storage account name would be the dns prefix you created (e.g. mystorage.blob.core.windows.net - the name would be mystorage).
You then get two keys - primary and secondary. Specify either. You have two so you can give one out to someone (such as giving the secondary key to a 3rd-party monitoring company) and revoke it by changing the key, without impacting you (assuming you're using the primary key for yourself).
The user interface changed a little bit but it's generally the same place:
Note that on the right side of the key you have a Connection String. There you can clearly see the name and the key as well.
Adding a new answer as Azure UI is updated.
So, after selecting the storage account(in my case its inAFlash) select Access keys option you will get the following screen shown in the screenshot
Here you see two key's Primary and secondary.
So, previously these were key1 and key2.
Reason for two keys?
it's to avoid downtime. let's say, if you had only one key and used it multiple places. Suddenly you had to share it to someone for some reason. So, you might need to regenerated this key(As you have already shared it) and update it in all places where you used it previously. So, to avoid this, we have secondary key, which you can share and regenerate it so that, primary key will be still valid.
You can check it by using Azure CLI:
az login
az storage account list -o table
az storage account keys list -n YourAccount
To extract the first key, you can use the following command:
az storage account keys list -n YourAccount -o json --query "[0].value"