Azure KeyVault: How to tell if a key is HSM protected - azure

I have a key vault that I created, and I imported a key into it several months ago. I created the vault with a SKU of premium, as per the documentation, to enable Key Vault's usage of an HSM. I also imported the key setting the destination to HSM:
Add-AzureKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -Name 'ContosoFirstHSMKey' -Destination 'HSM'
Now, I am being asked to verify that the key is in fact hardware protected, but I'm not able to find any overly convincing attribute to tell me this. If I run:
Get-AzureKeyVaultKey -VaultName "Contoso" -KeyName "ITPfx"
I can see in the JSON "kty: RSA-HSM" where a software protected key's kty value is just RSA. That is the only difference I can see between a hardware and software protected key.
Is that really the only way to tell if a key is in the HSM in the key vault?
Or is there a more intuitive method to determine this?

Using PowerShell, this is the code I use to identify whether the key is protected by software or HSM:
$keyInVault = Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyName
$keyInVault.Key.Kty
The output will look something like:
RSA-HSM
So, yes, using the JSON is typically the only way.
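As an added example (not code from the question or the answer above), the same kty check can be run over every key in a vault to produce an inventory of which keys are hardware protected; it also covers EC-HSM keys, not just RSA-HSM. It assumes the Az.KeyVault module (Get-AzKeyVaultKey, the successor to the Get-AzureKeyVaultKey cmdlet used above) and an existing Connect-AzAccount session; the vault name is a placeholder.

```powershell
# Added example: report the protection type of every key in a Key Vault.
# Assumes the Az.KeyVault module and an existing Connect-AzAccount session.
$vaultName = '<your vault name>'   # placeholder

function Get-KeyVaultKeyProtection {
    param([Parameter(Mandatory)][string]$VaultName)
    # Listing keys returns only identities; the JSON Web Key (and its kty) is
    # returned when a single key is fetched by name.
    foreach ($item in Get-AzKeyVaultKey -VaultName $VaultName) {
        $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $item.Name
        $kty = $key.Key.Kty                      # RSA, RSA-HSM, EC or EC-HSM
        [pscustomobject]@{
            Name         = $key.Name
            Version      = $key.Version
            Kty          = $kty
            HsmProtected = ($kty -like '*-HSM')  # the "-HSM" suffix is the only indicator
            Enabled      = $key.Enabled
            Expires      = $key.Expires
        }
    }
}

$report = Get-KeyVaultKeyProtection -VaultName $vaultName
$report | Format-Table -AutoSize

# Software-protected keys in a vault that was meant to be HSM-only, for follow-up:
$report | Where-Object { -not $_.HsmProtected } | Select-Object Name, Version, Kty

# Azure CLI equivalent for a single key (prints e.g. "RSA-HSM"):
#   az keyvault key show --vault-name $vaultName --name <key name> --query key.kty -o tsv
```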

Related

List all keyvault secrets

I would like to know if there is a way to list all secrets, keys and certificates inside an Azure Key Vault. I can check on the portal, but that takes a lot of time if I have to export this info to Excel.
Is there any way I can do this with PowerShell?
Thanks in advance!
The Get-AzureKeyVaultSecret module is probably your best bet.
Get-AzureKeyVaultSecret -VaultName "vaultname" | Select Name
Change vaultname to the name of your vault and it will show you the names of all the items stored in the given vault. You can also adjust the Select to get back all the data you need, or pipe to Export-Csv directly.

Determine product from subscription key?

I find myself in a situation where I have a subscription key in a project I inherited, for which I need to determine the product that the key is attached to. We have a couple hundred products, and manually inspecting each one and "show"ing the values of each of its subscription keys is not something I want to do... Is there a way of scripting this? My Googling so far has only revealed solutions for obtaining keys from a known product, which is the opposite of what I need...
A subscription key is not unique, so you can't get a product from a subscription key: many products from different services might have subscriptions that hold the same subscription key, so there is no API to do this.
In general, you can write a script using the list product subscriptions API and the list secrets API to achieve this.
https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/productsubscriptions/list#code-try-0
https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/subscription/listsecrets#code-try-0
If you are just looking to see which product a specific call has been made to, you can use any of the solutions below; I prefer the Log Analytics one.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor
If you have a key and want to know which product the key is for, you can use the Azure PowerShell API Management module to do this.
Just try the code below:
$apimName = "<apim name>"
$apimResourceGroup = "<apim resource group name>"
$key = "<your subscription key>"
# Build a context for the API Management instance, then list all of its subscriptions
$apim_context = New-AzApiManagementContext -ResourceGroupName $apimResourceGroup -ServiceName $apimName
$subs = Get-AzApiManagementSubscription -Context $apim_context
foreach ($sub in $subs) {
    # A subscription has a primary and a secondary key; the key you hold could be either
    if ($sub.PrimaryKey -eq $key -or $sub.SecondaryKey -eq $key) {
        Write-Host "this key is for product: $($sub.ProductId), belongs to user with ID: $($sub.UserId), subscription name: $($sub.Name)"
    }
}
Let me know if you have any further questions.

Certificate added via New-AzureADApplicationKeyCredential not appearing in Azure AD discovery endpoint

I'm adding a new certificate to an existing App Registration in Azure AD using the following command:
New-AzureADApplicationKeyCredential -ObjectId $AppObjectId -CustomKeyIdentifier $base64Thumbprint -Type AsymmetricX509Cert -Usage Verify -Value $base64Value -StartDate $cer.GetEffectiveDateString() -EndDate $validTo
This works OK and I can see the cert added in the Portal.
Should this certificate not also be visible via https://login.microsoftonline.com/{tenant}/discovery/keys?appid={Application(client)ID}
I've also tried adding the certificate info via Set-AzureADApplication & directly via the Portal. Each time I can see the certificate under "Certificates and Secrets" as well as in the App Manifest. No matter what I do I can't see the public cert in the JWKS endpoint.
My assumption on this comes from the following:
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
"If your app has custom signing keys as a result of using the claims-mapping feature, you must append an appid query parameter containing the app ID to get a jwks_uri pointing to your app's signing key information, which should be used for validation. For example: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e contains a jwks_uri of https://login.microsoftonline.com/{tenant}/discovery/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e."
Any help would be much appreciated.
As far as I understand, the keys you add to the app are only used for authenticating your app to Azure AD.
Thus there is no need to advertise those keys in the public endpoint, as only Azure AD itself needs to use those public keys to verify assertions sent by your app.
It seems like you set the key usage to Verify. If you want to use it for signing the token, you need to set it to Sign and use a symmetric key:
New-AzureADApplicationKeyCredential -ObjectId $AppId -CustomKeyIdentifier "Test" -StartDate "11/7/2016" -Type "Symmetric" -Usage "Sign" -Value "123"

Access certificate thumbprint from Azure DevOps variable group connected to Key vaults

I have VSTS library variable groups connected to my key vaults in Azure.
More about it you can read here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=vsts&tabs=yaml
In key vaults in Azure I have a list of secrets and list of certificates.
Example key vault secrets:
AppInsightsInstrumentationKey
CacheConnectionString
Example certificate:
GlobalCertificate
Now I can access these as variables in a release, by the simple syntax:
$(GlobalCertificate)
$(AppInsightsInstrumentationKey)
$(CacheConnectionString)
My goal is to read the thumbprint of the certificate located in the variable $(GlobalCertificate). What's the way to get it?
I know this is old but I found this article searching for the same thing and haven't been able to find a solution elsewhere.
I've been able to sort it out with PowerShell, but it's bizarre what's required considering we've already uploaded the PFX into the key vault. I also save my PFX passwords into Key Vault, but if you don't, substitute the variable in the $pwd line with your own value.
In the Azure DevOps Pipeline, create a PowerShell task. The script is:
#Convert the Secure password that's presented as plain text back into a secure string
$pwd = ConvertTo-SecureString -String $(GlobalCertificate-Password) -Force -AsPlainText
#Create PFX file from Certificate Variable
New-Item Temp-Certificate.pfx -Value $(GlobalCertificate)
#Import the PFX certificate from the newly created file and password. Read the thumbprint into variable
$Thumbprint = (Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -FilePath Temp-Certificate.pfx -Password $pwd).Thumbprint
Write-Host $Thumbprint
#Rest of Script below or set environment variable for rest of Pipeline
Write-Host "##vso[task.setvariable variable=Thumbprint]$Thumbprint"
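As an added example (not the answer's own script), the thumbprint can also be read without writing the PFX to disk or importing the private key into the agent's certificate store, by decoding the base64 value straight into an X509Certificate2 with an ephemeral key set. It assumes the same pipeline variables as above ($(GlobalCertificate) holding the base64-encoded PFX, $(GlobalCertificate-Password) optional and empty if the PFX has no password) and a Windows agent with .NET Framework 4.7.2 or later, where the EphemeralKeySet flag is supported.

```powershell
# Added example: thumbprint of a Key Vault certificate variable, computed in memory.
# Assumes the PowerShell task runs on a Windows agent (.NET 4.7.2+ for EphemeralKeySet).
$pfxBase64   = "$(GlobalCertificate)"           # base64 PFX from the variable group
$pfxPassword = "$(GlobalCertificate-Password)"  # may be empty for Key Vault-issued PFX files

function Get-PfxThumbprintInMemory {
    param(
        [Parameter(Mandatory)][string]$Base64Pfx,
        [string]$Password = ''
    )
    $bytes = [System.Convert]::FromBase64String($Base64Pfx)
    # EphemeralKeySet keeps the private key out of any certificate store, so there is
    # no temp file to delete and nothing left behind on the build agent.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $Password, $flags)
    try {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
    finally {
        $cert.Dispose()
    }
}

$info = Get-PfxThumbprintInMemory -Base64Pfx $pfxBase64 -Password $pfxPassword
Write-Host "Thumbprint: $($info.Thumbprint) for $($info.Subject), expires $($info.NotAfter)"
# Expose only the thumbprint (not the PFX) to later pipeline steps
Write-Host "##vso[task.setvariable variable=Thumbprint]$($info.Thumbprint)"
```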

Service principal credentials, set custom identifier?

We are linking personal developers certificates to a certain service principal.
When a developer will leave our team, we will remove that credential from the service principal.
This works perfectly, but it's kind of a hassle because the name of the developer is not linked to the credentials.
I have noticed that there is a customIdentifierKey property on the credentials... but I cannot find how to set the customIdentifierKey.
Anyone knows how to do this?
New-AzureRmADAppCredential -ApplicationId $appId -CertValue $keyValue -EndDate $cert.NotAfter -StartDate $cert.NotBefore
You can use the Azure AD v2 cmdlets to set and get custom key identifiers.
Here I am adding a certificate:
New-AzureADApplicationKeyCredential -ObjectId 2648416a-aaaa-4bc0-9190-aaaab6165710 -CustomKeyIdentifier 'Your key name' -StartDate '2017/06/01' -EndDate '2018/06/01' -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
Assuming your $keyValue contains an X509 certificate. If it is a symmetric key, you can use Symmetric as the Type.
The custom key identifier is stored as bytes, encoded in ASCII.
So when you get one, you need to run it through a decode:
$cred = Get-AzureADApplicationKeyCredential -ObjectId 2648416a-aaaa-4bc0-9190-aaaab6165710
[System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
Interestingly, if you set an identifier on a PasswordCredential (client secret) through Azure Portal, it encodes it in Unicode.
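As an added example (not code from the answer above), the decoding step can be wrapped so it handles both encodings the answer describes, ASCII identifiers set through the cmdlets and UTF-16 ("Unicode") identifiers set on a password credential in the Portal, and used to list every credential on an application with its human-readable label. It assumes the AzureAD v2 module with an existing Connect-AzureAD session; the object ID is a placeholder, and the encoding heuristic (a high share of 0x00 bytes means UTF-16) is an assumption that holds for Latin-text labels.

```powershell
# Added example: list an application's credentials with their CustomKeyIdentifier decoded.
# Assumes the AzureAD v2 module and an existing Connect-AzureAD session.
$appObjectId = '<application object id>'   # placeholder

function ConvertFrom-CustomKeyIdentifier {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return '' }
    # Heuristic (assumption): UTF-16 text for Latin labels has every second byte 0x00,
    # so a high proportion of NUL bytes means the Portal's Unicode encoding was used.
    $nulCount = @($Bytes | Where-Object { $_ -eq 0 }).Count
    if ($nulCount / $Bytes.Length -gt 0.3) {
        return [System.Text.Encoding]::Unicode.GetString($Bytes)
    }
    return [System.Text.Encoding]::ASCII.GetString($Bytes)
}

function Get-AppCredentialInventory {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Certificates (key credentials) added with New-AzureADApplicationKeyCredential
    Get-AzureADApplicationKeyCredential -ObjectId $ObjectId | ForEach-Object {
        [pscustomobject]@{
            Kind      = 'Certificate'
            KeyId     = $_.KeyId
            Label     = ConvertFrom-CustomKeyIdentifier $_.CustomKeyIdentifier
            Usage     = $_.Usage
            StartDate = $_.StartDate
            EndDate   = $_.EndDate
        }
    }
    # Client secrets (password credentials), whose Portal-set labels are UTF-16
    Get-AzureADApplicationPasswordCredential -ObjectId $ObjectId | ForEach-Object {
        [pscustomobject]@{
            Kind      = 'ClientSecret'
            KeyId     = $_.KeyId
            Label     = ConvertFrom-CustomKeyIdentifier $_.CustomKeyIdentifier
            Usage     = ''
            StartDate = $_.StartDate
            EndDate   = $_.EndDate
        }
    }
}

# The Label column is what lets you match a credential back to the developer who owns it,
# so the right one can be removed when they leave.
Get-AppCredentialInventory -ObjectId $appObjectId | Sort-Object EndDate | Format-Table -AutoSize
```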
