Fun with Azure Key Vault Services
I was able to spend a little time recently with a new Azure service, the Key Vault service, for some work I was doing. It’s a pretty valuable and not too difficult service that solves an age old problem – where can I securely keep secrets for my applications in Windows Azure. Actually because of the way it’s implanted you really don’t even need to have your application hosted in Azure…but I’m getting a little ahead of myself. Let’s start with the basics. As a precursor to what I have here, I’ll just point out that there’s actually some pretty good documentation on this service available at https://azure.microsoft.com/en-us/services/key-vault/.
Getting Started
Before you start trying to build anything, you really need to have the latest version of the Azure PowerShell cmdlets, as well as the new cmdlets they’ve built for working with Key Vault. You can get the very latest of the Azure PowerShell cmdlets by going here: https://github.com/Azure/azure-powershell/releases. You can get the Key Vault cmdlets by going here: https://gallery.technet.microsoft.com/scriptcenter/Azure-Key-Vault-Powershell-1349b091.
Create a New Vault and Secret(s)
The next step is to crack open your Azure PowerShell window and load up the Key Vault cmdlets. You can do that like this:
Set-ExecutionPolicy Bypass -Scope Process
import-module C:\DirectoryYouExtractedKeyVaultCmdletsTo\KeyVaultManager
I’m just turning off policy to only run signed cmdlets with the first line of code (and just in this process), and then loading up the cmdlets with the next line of code. After that you need to connect to your Azure AD tenant like this:
add-azureaccount
If you have multiple subscriptions and you want to target the specific subscription where you want to create your Key Vault and secrets and keys, then you can do this:
Set-AzureSubscription -SubscriptionId some-guid-here
You’ll see a list of guids for your subscription after you log in with the add-azureaccount cmdlet. Now that you’re logged in and set in your subscription, you can do the first step, which is to create a new vault. The PowerShell for it is pretty easy – just this one line of code:
New-AzureKeyVault -VaultName “SteveDemo” -ResourceGroupName “SteveResources” -Location “West US”