How to create an Azure Key Vault
This post is part of a series in which I will show how to create different resources in Microsoft Azure. Today I will show you how to create a very important service that works as a secure secrets store: an Azure Key Vault. Key vaults give you centralized storage for application secrets, keys, and certificates. This tutorial assumes that you already have a Microsoft Azure account configured.
Azure PowerShell Workaround
If you want to know how to install the PowerShell Azure module on your machine, check out this link. The simplest way to get started is to sign in interactively at the command line.
Connect-AzAccount
This cmdlet will bring up a dialog box prompting you for the email address and password associated with your Azure account. If you have more than one subscription associated with your account, you can choose which one to use as the default. To perform this task, we will use the following commands:
Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"
The Azure Key vault is a resource and you must place it within a Resource Group. You can use an existing Resource Group, or you can create a new Resource Group. If you want to know how to create a Resource Group using PowerShell, check out this link. To create a Key vault with PowerShell, use the New-AzKeyVault cmdlet with the following syntax:
New-AzKeyVault `
-Name <String> `
-ResourceGroupName <String> `
-Location <String> `
-EnabledForDiskEncryption `
-Sku <SkuName>
- -EnabledForDiskEncryption: allows the Azure Disk Encryption service to get secrets and unwrap keys from this key vault.
- -Sku: specifies the SKU of the key vault instance. Standard and Premium are the possible options; you must choose one depending on the services and features you want to use.
Azure Key Vault Access Policy
Before you start working with the key vault, you must grant your user permission to perform operations with the key vault. To perform this task, you must use the Set-AzKeyVaultAccessPolicy cmdlet.
Get-AzADUser
$objID=(Get-AzADUser -DisplayName <String>).Id
Set-AzKeyVaultAccessPolicy `
-VaultName <String> `
-ResourceGroupName <String> `
-ObjectId $objID `
-PermissionsToSecrets set,get,list
Create and read a secret from Key Vault
To store a sensitive password in Key Vault with PowerShell, use the Set-AzKeyVaultSecret cmdlet (the Az module name; Set-AzureKeyVaultSecret belongs to the retired AzureRM module) with the following syntax. Note that -SecretValue expects a SecureString, not a plain string:
Set-AzKeyVaultSecret `
-VaultName <String> `
-Name <String> `
-SecretValue <SecureString>
If you want to get the secrets stored in a key vault, use the Get-AzKeyVaultSecret cmdlet with the following syntax:
Get-AzKeyVaultSecret `
-VaultName <String> `
-Name <String>
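To tie the PowerShell steps above together, here is an added end-to-end script (example code, not from the original post). It assumes the Az module is installed (Az.KeyVault 2.0 or later for the -AsPlainText switch), that Connect-AzAccount has already been run with a user account, and that the resource group, vault and secret names are placeholders chosen for this example.

```powershell
# Added example, not from the original post: create a vault, grant the signed-in
# user secret permissions, store a secret and read it back.
# Assumes: Az module present, Connect-AzAccount already run as a user account.
$rgName     = "rg-keyvault-demo"                          # placeholder
$location   = "westeurope"                                # placeholder
$vaultName  = "kv-demo-" + (Get-Random -Maximum 99999)    # vault names are globally unique
$secretName = "DbPassword"                                # placeholder

# 1. Resource group (created only if it does not exist yet)
if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $location | Out-Null
}

# 2. Key vault with the Standard SKU. Current Az versions create the vault with
#    soft delete enabled, so a deleted secret or vault can be recovered during
#    the retention period instead of being lost immediately.
New-AzKeyVault -Name $vaultName -ResourceGroupName $rgName -Location $location `
    -Sku Standard -EnabledForDiskEncryption | Out-Null

# 3. Access policy for the signed-in user, limited to the secret permissions
#    this script actually needs. (Get-AzContext).Account.Id is the UPN when a
#    user (not a service principal) signed in, which this example assumes.
$objId = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id).Id
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $objId `
    -PermissionsToSecrets get,set,list

# 4. Store the secret. -SecretValue takes a SecureString, so convert first.
$plain  = "P@ssw0rd-example-only"                         # constructed sample value
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secure | Out-Null

# 5. Read it back. Without -AsPlainText the SecretValue property is a SecureString;
#    only unwrap it at the point where the application really needs the raw value.
$retrieved = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
if ($retrieved -ne $plain) { throw "Secret round-trip failed for $secretName" }
Write-Host "Secret '$secretName' stored in $vaultName and read back successfully."
```

Remove the vault with Remove-AzKeyVault and the resource group with Remove-AzResourceGroup when you are done, since the soft-deleted vault name stays reserved until it is purged or the retention period ends.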
Azure CLI Workaround
You can use the Azure CLI in your browser with Azure Cloud Shell or install it on your machine. If you want to know how to install the Azure CLI, check out this link. The way to get started is to sign in interactively at the command line.
az login
This command will bring up a dialog box prompting you for the email address and password associated with your Azure account. If you have more than one subscription associated with your account, you can choose which one to use as the default. To perform this task, we will use the following commands:
az account list
az account set --subscription "Subscription Name"
The Azure Key vault is a resource and you must place it within a Resource Group. You can use an existing Resource Group, or you can create a new Resource Group. If you want to know how to create a Resource Group using Azure CLI, check out this link.
To create an Azure Key Vault with Azure CLI, use the following syntax:
az keyvault create \
--name <Name> \
--resource-group <ResourceGroup> \
--location <Location>
Create and read a secret from Key Vault
To store a confidential password in Key Vault with the Azure CLI, type the following commands:
az keyvault secret set \
--vault-name <String> \
--name <String> \
--value <String>
If you want to get the secrets stored in a key vault, use the following command:
az keyvault secret show \
--name <String> \
--vault-name <String> \
--output table
Thanks for reading my post. I hope you find it useful.
If you want to know more about Azure Key vaults, check out this link.