Creating and managing Azure Key Vault was initially supported mostly through PowerShell cmdlets, but there are now multiple ways of achieving this: the REST API, PowerShell, the CLI, or ARM templates. In this post, we will look at how to use the REST API to create and manage a Key Vault.
Azure Resource Manager API
The Azure Resource Manager API provides programmatic access to manage Azure services that support Resource Manager. Since Key Vault supports Resource Manager, we will be using it. Any request to the API must be authenticated, which can be done using an Azure AD application. Most of the steps to create an AD application are the same as those we saw when creating an AD application to Authenticate a Client Application with Azure Key Vault. From the ‘permissions to other applications’ tab in the portal (as shown below), we can give the application access to the Management APIs.
To get the token to access the Management API resource (https://management.azure.com), I use the ADAL library with the required data. All the information that needs to be passed to the ADAL library is available under the AD application in the Azure portal (as shown below).
Key Vault Management Client
The Microsoft.Azure.Management.KeyVault NuGet package provides the capabilities to connect to the Management APIs and manage the vaults. With the NuGet reference added, I can use the KeyVaultManagementClient.
Much of the SDK code is generated using AutoRest from the REST API’s metadata specification in Swagger format.
With the Azure Subscription Id and the token from the previous step, a TokenCloudCredentials is created, which is then used to construct the Key Vault Management Client.
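The token acquisition and client construction described above, as an added example that is not the post's own code. It assumes ADAL's AuthenticationContext/ClientCredential client-credentials flow and the TokenCloudCredentials-based version of the Key Vault management package the post uses; the tenant, client id, secret and subscription values are placeholders you supply from your own AD application (read the secret from configuration rather than embedding it in source).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure;                                  // TokenCloudCredentials
using Microsoft.Azure.Management.KeyVault;             // KeyVaultManagementClient
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// Added example: acquires an Azure Resource Manager token for an AD application
// and wraps it in the credentials object the Key Vault management client expects.
public static class ManagementClientFactory
{
    // Resource identifier for the Management API (value from the post, with the
    // trailing slash ADAL expects for this resource).
    private const string ManagementResource = "https://management.azure.com/";

    // tenantId, clientId and clientSecret are placeholders for your AD application values.
    public static async Task<string> GetManagementTokenAsync(
        string tenantId, string clientId, string clientSecret)
    {
        // The authority is the tenant's Azure AD endpoint.
        var context = new AuthenticationContext("https://login.windows.net/" + tenantId);
        var credential = new ClientCredential(clientId, clientSecret);

        AuthenticationResult result = await context.AcquireTokenAsync(ManagementResource, credential);
        if (result == null || string.IsNullOrEmpty(result.AccessToken))
            throw new InvalidOperationException("Failed to acquire a Management API token.");

        return result.AccessToken;
    }

    // Builds the management client for one subscription using the acquired token.
    public static async Task<KeyVaultManagementClient> CreateClientAsync(
        string subscriptionId, string tenantId, string clientId, string clientSecret)
    {
        string token = await GetManagementTokenAsync(tenantId, clientId, clientSecret);
        var credentials = new TokenCloudCredentials(subscriptionId, token);
        return new KeyVaultManagementClient(credentials);
    }
}
```

The token is short-lived, so a long-running process should call GetManagementTokenAsync again (or rely on ADAL's cache) rather than holding one client for hours; the client itself carries no refresh logic.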
Key Vaults exist under a Resource Group, and for a vault to be accessible using the token obtained with the AD application, we need to grant the application permission. Just as we managed User Permissions for Key Vault, we can give the AD application access to the Resource Group. We can do this from the new portal (as shown in the other post) or using the New-AzureRmRoleAssignment PowerShell cmdlet. Get-AzureRmADServicePrincipal is used to get the ObjectId of an existing application, passing the application name as SearchString. I have not yet found a better way to find the application ObjectId. Please drop a comment if you know of any.
Creating New Key Vault
With all the required permissions set up, we can create a key vault using the KeyVaultManagement client library. Using it is straightforward, as shown below. The Sku specifies the Key Vault service tier, ‘Standard’ or ‘Premium’; HSM-backed keys require Premium. Family on the Sku object takes a hardcoded value of ‘A’. AccessPolicies specify the AD object identifier of the user or application that can access the vault. In this case, I am adding the current AD application with full (all) access to Keys and Secrets. Adding an access policy here is the same as using Set-AzureRmKeyVaultAccessPolicy.
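The vault creation just described, as an added example rather than the post's own listing. It takes an already constructed KeyVaultManagementClient and assumes the model types of the package version the post uses (VaultCreateOrUpdateParameters, VaultProperties, Sku with string Family/Name, AccessPolicyEntry with PermissionsToKeys/PermissionsToSecrets string lists); later AutoRest-generated versions use an enum for the Sku name and a Permissions object, so adjust accordingly. The resource group, vault name, location and AD identifiers are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;

// Added example: creates a vault with one access policy entry for an AD object.
public static class VaultCreator
{
    // The post grants "all" on keys and secrets; passing explicit lists such as
    // new[] { "get", "list" } scopes the application to what it actually needs.
    public static Vault CreateVault(
        KeyVaultManagementClient client,
        string resourceGroup, string vaultName, string location,
        Guid tenantId, Guid objectId,
        string skuName = "Standard",
        IList<string> keyPermissions = null,
        IList<string> secretPermissions = null)
    {
        // Only two tiers exist; reject anything else before calling the API.
        if (skuName != "Standard" && skuName != "Premium")
            throw new ArgumentException("Sku name must be 'Standard' or 'Premium'.", nameof(skuName));

        var parameters = new VaultCreateOrUpdateParameters
        {
            Location = location,
            Properties = new VaultProperties
            {
                TenantId = tenantId,
                // Family is always "A"; Name selects the tier (Premium for HSM-backed keys).
                Sku = new Sku { Family = "A", Name = skuName },
                AccessPolicies = new List<AccessPolicyEntry>
                {
                    new AccessPolicyEntry
                    {
                        TenantId = tenantId,
                        ObjectId = objectId,   // AD object id of the user or application
                        PermissionsToKeys = keyPermissions ?? new List<string> { "all" },
                        PermissionsToSecrets = secretPermissions ?? new List<string> { "all" }
                    }
                }
            }
        };

        // CreateOrUpdate is idempotent: calling it again with the same name replaces the vault state.
        VaultGetResponse response = client.Vaults.CreateOrUpdate(resourceGroup, vaultName, parameters);
        return response.Vault;
    }
}
```

Because the same call both creates and replaces, a second CreateVault on an existing name with a different policy list silently drops whatever policies were there; the update section below covers the read-modify-write this implies.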
Managing Existing Key Vaults
Update a Key Vault
When updating an existing Key Vault, the full state (VaultCreateOrUpdateParameters) must be passed back, not just the change. To add a new AccessPolicyEntry, the existing policy entries must also be passed back. In the code below, I get the existing state of the Key Vault using Get and use the current vault properties to add the new AccessPolicyEntry.
Delete a Key Vault
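The read-modify-write update from the previous section and the delete operation of this one, as a single added example that is not the post's own code. It assumes the same package version as above (client.Vaults.Get returning a VaultGetResponse whose Vault carries Location, Tags and Properties, and client.Vaults.Delete taking the resource group and vault name); the confirmation-name argument on delete is this example's own guard, not an API feature.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;

// Added example: update a vault without losing existing access policies, and delete one.
public static class VaultMaintenance
{
    // Fetches the current vault, appends one policy entry and sends the full state
    // back, because CreateOrUpdate replaces the vault state rather than merging it.
    public static Vault AddAccessPolicy(
        KeyVaultManagementClient client, string resourceGroup, string vaultName,
        AccessPolicyEntry newEntry)
    {
        VaultGetResponse existing = client.Vaults.Get(resourceGroup, vaultName);
        Vault vault = existing.Vault;

        var policies = new List<AccessPolicyEntry>(
            vault.Properties.AccessPolicies ?? new List<AccessPolicyEntry>());

        // Refuse a duplicate object rather than silently adding a second, wider entry.
        if (policies.Any(p => p.ObjectId == newEntry.ObjectId && p.TenantId == newEntry.TenantId))
            throw new InvalidOperationException(
                "An access policy for object " + newEntry.ObjectId + " already exists; change it explicitly.");

        policies.Add(newEntry);
        vault.Properties.AccessPolicies = policies;

        // Everything the vault currently has goes back, with only the policy list changed.
        var parameters = new VaultCreateOrUpdateParameters
        {
            Location = vault.Location,
            Tags = vault.Tags,
            Properties = vault.Properties
        };
        return client.Vaults.CreateOrUpdate(resourceGroup, vaultName, parameters).Vault;
    }

    // Deletes the vault and, with it, every key and secret it holds. The caller
    // must repeat the vault name so a mis-typed or wrongly bound variable does not
    // remove the wrong vault (example guard, not part of the API).
    public static void DeleteVault(
        KeyVaultManagementClient client, string resourceGroup, string vaultName, string confirmName)
    {
        if (!string.Equals(vaultName, confirmName, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Confirmation name does not match the vault to delete.");

        client.Vaults.Delete(resourceGroup, vaultName);
    }
}
```

AddAccessPolicy is the programmatic equivalent of Set-AzureRmKeyVaultAccessPolicy for a new principal; to change an existing principal's permissions, edit its entry in the list instead of appending.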
Hope this helps you manage Azure Key Vault using the REST API.