May 12, 2016

Using KeyVault in Code

I love KeyVault. And really, you should too if you don't already. What a fantastic way to easily store secrets, keys, and certificates. Quite versatile and makes your life happy and more secure. Today, I got to work with KeyVault for the first time in code. There are lots of use cases for this, including storing connection strings, passwords, etc.

If you've not gotten started with KeyVault, I suggest you go here first. You can also follow all the happenings with KeyVault on my AzureNotes site. Today, I'm going to show you how to get set up so you can do some very cool .Net things with KeyVault like, well, store stuff and encrypt stuff!

Here's an overview of what we're going to do:

  1. Create a Resource Group
  2. Create some variables to make life a bit happier
  3. Create an Azure AD Application
  4. Get the Client ID (which is the ApplicationId) and a client secret
  5. Create a Service Principal for that application
  6. Create the KeyVault in the Resource Group
  7. Assign permissions to the KeyVault so the Service Principal can do things with it.
  8. Use the pertinent data from these steps to sling some wicked cool code.

First, we have to get set up. Kick open PowerShell, import the AzureRM module (ipmo AzureRM), log in, and select the subscription that will hold the vault:

Select-AzureRmSubscription -SubscriptionId '<guid>'

Create a Resource Group if you don't already have one to store your KeyVault instance. (Remember, as of this writing, KeyVaults do NOT show up and CANNOT be controlled via the portal, so don't go looking for them there.)

$rg = New-AzureRmResourceGroup -Name 'DereksTestVault' -Location 'East US'

Now, let's do some variables and create the Azure AD Application and Service Principal. The password you hand to New-AzureRmADApplication is the client secret your code will present later, so hang on to it:

$now = [System.DateTime]::Now

$twoYearsOut = $now.AddYears(2)

$keyVaultName = 'DereksTestVault'

$aadClientSecret = [Guid]::NewGuid().ToString()   # demo-grade secret; it is the credential the app authenticates with, so treat it as such

$azureADApplication = New-AzureRmADApplication -DisplayName 'DerekTestVault' -HomePage 'http://whatever' -IdentifierUris 'http://somethinggloballyunique' -StartDate $now -EndDate $twoYearsOut -Password $aadClientSecret

$aadClientID = $azureADApplication.ApplicationId

$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $aadClientID

Now, we have everything we need to create the KeyVault and sling code!

New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rg.ResourceGroupName -Location 'East US'

Shiny New KeyVault

And set an access policy on the KeyVault so that our Service Principal can do stuff with it in our code (the policy is keyed by the application's client ID):

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rg.ResourceGroupName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all

Side note - the above isn't the best security posture, but for our testing purposes, it is good enough. The sample app below exercises nearly every operation, so it really does need almost all of them; production code should be granted only the operations it actually calls (an app that just reads connection strings needs no more than get on secrets, and an app that does envelope encryption needs wrapKey and unwrapKey on keys). "all" also includes destructive operations like delete and backup, which a compromised application credential could then use against the vault.

Now we have some new permissions we can see:

Cosmic Power

Now our KeyVault is ready for us to write some code. Fire up Visual Studio and download the sample application here.

This sample has a couple of different projects in it, but the one we're focusing on is the HelloKeyVault project, as it is a simple console application. The only thing you need to do is modify App.config so that its appSettings carry the three values the steps above produced: the vault URL (https://<vault name>.vault.azure.net, so https://DereksTestVault.vault.azure.net here), the client ID ($aadClientID) and the client secret ($aadClientSecret). Put in the real values, of course, and remember that App.config now holds a credential, so keep it out of source control.

Hit F5 and watch it perform all of the default actions:

  1. Create a Key
  2. Get a Key
  3. Import a Key
  4. Backup a Key
  5. Sign and Verify
  6. Wrap and Unwrap (Very important!)
  7. Encrypt
  8. Decrypt
  9. Update a Key
  10. List Key Versions
  11. Delete a Key
  12. Create a Secret
  13. Get a Secret
  14. List Secrets
  15. Delete a Secret

Many of the good things! I particularly like that this console application accepts extensive command line args, so you can get in there and play around with your favorite operation(s) to see how they work.
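To show why Wrap and Unwrap matter so much, here is envelope encryption done with them, as an added example that is not part of the HelloKeyVault sample or of this post's original code. It assumes the Microsoft.Azure.KeyVault 1.x and Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL) NuGet packages, a vault named DereksTestVault (hypothetical URL below), and the client ID and client secret produced by the PowerShell steps above, read from environment variables KV_CLIENT_ID and KV_CLIENT_SECRET (names chosen for this example). The data is encrypted locally under a fresh AES key; only that key is sent to KeyVault to be wrapped under the RSA key that never leaves the vault.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.WebKey;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example (not the HelloKeyVault sample). Assumes Microsoft.Azure.KeyVault 1.x + ADAL,
// and the client ID / secret created by the PowerShell steps in this post.
class EnvelopeDemo
{
    const string VaultUrl = "https://DereksTestVault.vault.azure.net";   // hypothetical vault URL
    static readonly string ClientId = Environment.GetEnvironmentVariable("KV_CLIENT_ID");
    static readonly string ClientSecret = Environment.GetEnvironmentVariable("KV_CLIENT_SECRET");

    // Everything that is stored next to the data. The key-encryption key (KEK) stays in the vault.
    class Envelope
    {
        public string Kid;          // full key identifier, version included, of the wrapping key
        public byte[] WrappedKeys;  // DEK || MAC key, RSA-OAEP wrapped by Key Vault
        public byte[] Iv, Ciphertext, Tag;
    }

    // ADAL client-credential flow; Key Vault calls this back with the authority and resource it needs.
    static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var ctx = new AuthenticationContext(authority);
        var result = await ctx.AcquireTokenAsync(resource, new ClientCredential(ClientId, ClientSecret));
        return result.AccessToken;
    }

    static byte[] Concat(byte[] a, byte[] b) => a.Concat(b).ToArray();

    static async Task<Envelope> Encrypt(KeyVaultClient kv, string keyId, byte[] plaintext)
    {
        // Data-encryption key and MAC key are generated locally; Key Vault never sees the plaintext.
        var dek = new byte[32]; var macKey = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(dek); rng.GetBytes(macKey); }

        byte[] iv, ct;
        using (var aes = new AesManaged { Key = dek, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();
            iv = aes.IV;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        byte[] tag;
        using (var h = new HMACSHA256(macKey)) tag = h.ComputeHash(Concat(iv, ct));   // encrypt-then-MAC

        // Only the 64 bytes of key material go to Key Vault, to be wrapped under the RSA KEK.
        var wrapped = await kv.WrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, Concat(dek, macKey));
        return new Envelope { Kid = wrapped.Kid, WrappedKeys = wrapped.Result, Iv = iv, Ciphertext = ct, Tag = tag };
    }

    static async Task<byte[]> Decrypt(KeyVaultClient kv, Envelope env)
    {
        // Unwrap with the exact key version recorded in the envelope, so rotating the KEK does not break old data.
        var keys = (await kv.UnwrapKeyAsync(env.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP, env.WrappedKeys)).Result;
        var dek = keys.Take(32).ToArray(); var macKey = keys.Skip(32).ToArray();

        // Verify the MAC before touching the ciphertext; the constant-time compare avoids a timing oracle.
        byte[] expected;
        using (var h = new HMACSHA256(macKey)) expected = h.ComputeHash(Concat(env.Iv, env.Ciphertext));
        int diff = expected.Length ^ env.Tag.Length;
        for (int i = 0; i < expected.Length && i < env.Tag.Length; i++) diff |= expected[i] ^ env.Tag[i];
        if (diff != 0) throw new CryptographicException("Envelope has been tampered with");

        using (var aes = new AesManaged { Key = dek, IV = env.Iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(env.Ciphertext, 0, env.Ciphertext.Length);
    }

    static void Main()
    {
        var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));

        // Creating the KEK needs the create permission; the app that only encrypts and decrypts
        // afterwards needs nothing beyond wrapKey and unwrapKey on this key.
        var kek = kv.CreateKeyAsync(VaultUrl, "envelope-kek", JsonWebKeyType.Rsa).GetAwaiter().GetResult();

        var secret = Encoding.UTF8.GetBytes("Server=db;Password=hunter2");   // constructed sample plaintext
        var env = Encrypt(kv, kek.Key.Kid, secret).GetAwaiter().GetResult();
        Console.WriteLine("Wrapped under " + env.Kid);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(kv, env).GetAwaiter().GetResult()));

        env.Ciphertext[0] ^= 0x01;   // simulate tampering with the stored blob
        try { Decrypt(kv, env).GetAwaiter().GetResult(); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The point of the pattern is that a plaintext of any size is encrypted where it lives and only 64 bytes cross the wire, the service principal's access policy can be limited to wrapKey and unwrapKey, and rotating the RSA key in the vault does not require re-encrypting existing data because each envelope records the key version that wrapped it. The .NET Framework of this era has no authenticated AES mode, which is why the example pairs CBC with an HMAC checked before decryption rather than relying on CBC alone.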

Another project in that solution is a Configuration Manager which is a nice little helper class that you can leverage in your code.

Happy KeyVaulting!