I love KeyVault. And really, you should too if you don't already. What a fantastic way to easily store secrets, keys, and certificates. Quite versatile and makes your life happy and more secure. Today, I got to work with KeyVault for the first time in code. There are lots of use cases for this, including storing connection strings, passwords, etc.
If you've not gotten started with KeyVault, I suggest you go here first. You can also follow all the happenings with KeyVault on my AzureNotes site. Today, I'm going to show you how to get set up so you can do some very cool .Net things with KeyVault like, well, store stuff and encrypt stuff!
Here's an overview of what we're going to do:
- Create a Resource Group
- Create some variables to make life a bit happier
- Create an Azure AD Application
- Get a Client ID (which happens to be the ApplicationId)
- Create a Service Principal
- Create the KeyVault in the Resource Group
- Assign permissions to the KeyVault so the Service Principal can do things with it.
- Use the pertinent data from these steps to sling some wicked cool code.
First, we have to get set up and started. Kick open some PowerShell, import the AzureRM module, log in, and select the subscription you want to work in:
Import-Module AzureRM
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId '<guid>'
Create a Resource Group if you don't already have one to store your KeyVault instance. (Remember, as of this writing, KeyVaults do NOT show up and CANNOT be controlled via the portal, so don't go looking for them there.)
$rg = New-AzureRmResourceGroup -Name 'DereksTestVault' -Location 'East US'
Now, let's do some variables and create the Azure AD Application and Service Principal:
$now = [System.DateTime]::Now
$twoYearsOut = $now.AddYears(2)   # credential validity window for the AD application
$keyVaultName = 'DereksTestVault'
$aadClientSecret = [Guid]::NewGuid()   # the client secret the app will authenticate with
$azureADApplication = New-AzureRmADApplication -DisplayName "DerekTestVault" -HomePage "http://whatever" -IdentifierUris "http://somethinggloballyunique" -StartDate $now -EndDate $twoYearsOut -Password $aadClientSecret
$aadClientID = $azureADApplication.ApplicationId   # this is the client ID your code will use
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $aadClientID
Now, we have everything we need to create the KeyVault and sling code!
New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rg.ResourceGroupName -Location 'East US'
And set permissions on the KeyVault so that our Service Principal can do stuff with it in our code:
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rg.ResourceGroupName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all
Side note: granting "all" on keys and secrets isn't the best security posture, but for our testing purposes it's fine.
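As an added example (not from the original post), here is the tightened form of that access policy: it grants the service principal only the key and secret permissions the sample's core operations need instead of "all", then reads the policy back to confirm no broad or destructive rights slipped in. It assumes the $keyVaultName, $rg and $servicePrincipal variables from the steps above.

```powershell
# Added example: least-privilege access policy for the KeyVault service principal.
# Assumes $keyVaultName, $rg and $servicePrincipal exist from the setup steps above.

# Clear any existing entry for this principal so a stale "all" grant doesn't linger.
Remove-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName `
    -ResourceGroupName $rg.ResourceGroupName `
    -ObjectId $servicePrincipal.Id

# Key permissions: only what the sample's cryptographic operations need.
# wrapKey/unwrapKey and sign/verify use the key inside the vault; they do not
# let the principal export key material. backup, delete and restore are left out.
$keyPerms    = 'get', 'list', 'create', 'wrapKey', 'unwrapKey', 'sign', 'verify'
$secretPerms = 'get', 'list', 'set'

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName `
    -ResourceGroupName $rg.ResourceGroupName `
    -ObjectId $servicePrincipal.Id `
    -PermissionsToKeys $keyPerms `
    -PermissionsToSecrets $secretPerms

# Read the policy back and fail loudly if any broad or destructive right is present.
$vault  = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rg.ResourceGroupName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $servicePrincipal.Id }

$denied = 'all', 'delete', 'backup', 'restore'
$leaked = @($policy.PermissionsToKeys + $policy.PermissionsToSecrets) |
          Where-Object { $denied -contains $_ }

if ($leaked) {
    throw "Access policy for $($servicePrincipal.Id) still grants: $($leaked -join ', ')"
}

"Keys:    $($policy.PermissionsToKeys -join ', ')"
"Secrets: $($policy.PermissionsToSecrets -join ', ')"
```

With this policy the sample's default run will get a 403 on its Backup, Update, Import and Delete steps, which is the point: add a permission back only when your own code genuinely needs that operation.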
Now we have some new permissions we can see:
Now our KeyVault is ready for us to write some code. Fire up Visual Studio and download the sample application here.
This sample has a couple of different projects in it, but the one we're focusing on is the HelloKeyVault project as it is a simple console application. The only thing you need to do is modify App.config to look like this:
(Putting in the real values of course)
Hit F5 to run it and watch it perform all of the default actions, like:
- Create a Key
- Get a Key
- Import a Key
- Backup a Key
- Sign and Verify
- Wrap and Unwrap (Very important!)
- Update a Key
- List Key Versions
- Delete a Key
- Create a Secret
- Get a Secret
- List Secrets
- Delete a Secret
Many of the good things! I particularly like that this console application permits extensive use of command line args so you can get in there and play around with your favorite operation(s) to see how they work.
Another project in that solution is a Configuration Manager which is a nice little helper class that you can leverage in your code.