We have seen what azure key vault on our last post is, here will see how to create the azure key vault in azure and how to grant permission to azure application for accessing/managing the azure key vault secrets. Here will see how to create azure key vault and few more details about the key vault.
Role:
- An Azure Administrator can do following using Azure Key Vault,
- Create or import a key or secret
- Revoke or delete a key or secret
- Authorize users or applications to access the key vault, which allow them to manage or use its own keys and secrets
- Configure key usage
- Record key usage
What data can be stored?
- Secrets which are less than 10KB should be stored in the azure keyvault.
- Store PFX files and manage your SSL certificates using azure keyvault.
- Database Connection strings, Social Network client keys, Subscription Keys, License Keys, and many other keys could be stored and managed easily using azure keyvault.
Operations supported?
- Keys: Create, Import, Get, List, Backup, Restore, Delete, Update, Sign, Verify, Wrap, Unwrap, Encrypt & Decrypt
- Secrets: Create, Update, Get, List, Delete
- Certificates: Create, Update Policy, Contacts, Import, Renewal, Update
Cost:
- Zero setup fee
- Secrets: $0.03/10,000 requests
- Keys: $1 per key per month
- Certificates: $3 per renewal request
you can try to calculate your need from azure calculator
Step 1: Create a Key Vault in Azure
Login to azure portal > Click Create Resource > Key Vault > Create, with we can create azure keyvault, you may need to select the subscription, provide resource group, name, and region on first section,
Select the azure key vault policy, it can be either default or you can customize with your own need.
Select networking, you can restrict based on your organization policy, like using private endpoint(recommended), azure virtual network, to make sure it is not exposed outside. Once all selected, click next and review and create the key vault.
Step 2: Create a Secret
In the Azure Key Vault settings that you just created you will see a screen like the following. Click Secrets in the blade, followed by Generate/Import button on the top right. On the Create a secret screen choose the following values:
- Upload options: Manual.
- Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning
- Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
- Leave the other values to their defaults. Click Create.
Step 3: Register an Azure Application and create Keys
Azure Portal > Azure Active Directory > App Registrations > New registration
Note down your details. Remember, your client id is same as Application ID.
How to retrieve the secret from Key Vault
Azure Portal:
Login to azure portal >> go to your key vault and then click Secrets, on secrets windows click show secret to view the value.
PowerShell:
To view the value contained in the secret as plain text, use the Azure PowerShell Get-AzKeyVaultSecret cmdlet: Azure PowerShell
$secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "ExamplePassword" -AsPlainTextNow, you have created a Key Vault, stored a secret, and retrieved it.
Python:
To read a secret from Key Vault, use the get_secret method: Python
retrieved_secret = client.get_secret(secretName)The secret value is contained in retrieved_secret.value.
You can also retrieve a secret with the the Azure CLI command az keyvault secret show.