Setting up Azure KeyVault using PowerShell

Why?

Delegating the responsibility of storing and managing access to secrets to a single service makes it easier to protect.

What?

Azure KeyVault is a service that stores and manages access to secrets. PowerShell is used so that the deployment can be automated in production.

How?

Figure 1: Create new Azure KeyVault instance [1].
New-AzureRmKeyVault `
-VaultName '[vault name]' `
-ResourceGroupName '[resource group name]' `
-Location '[location]' `
-EnabledForDeployment

-VaultName specifies the name of the key vault to create. The name can be any combination of letters, digits, or hyphens. The name must start and end with a letter or digit. The name must be universally unique [2].

-ResourceGroupName specifies the name of an existing resource group in which to create the key vault [2]. Create a resource group before running this cmdlet.

-Location specifies the Azure region in which to create the key vault. Use the command Get-AzureLocation to see your choices. For more information, type Get-Help Get-AzureLocation [2]. For example, West US or East US [1].

-EnabledForDeployment enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine [2].

The backtick character (`) is used to split a PowerShell command over multiple lines [3]. It must be the last character on the line, with no trailing space, or the continuation is not recognized.

Note

An Azure subscription must be selected to be able to run Get-AzureLocation.

Figure 2: Error message when subscription has not been set

Using Select-AzureSubscription yields another error.

Figure 3: Subscription cannot be found because an Azure account has not been added

An Azure account must be registered before subscriptions can be selected.

Figure 4: Adding an Azure account to the PowerShell session.
Add-AzureAccount

Note

Login-AzureRmAccount must be called before New-AzureRmKeyVault can be called.

Figure 5: Logging into an Azure account using a subscription id.
Login-AzureRmAccount -SubscriptionId [subscription guid]

Specifying a subscription is useful when an account has multiple subscriptions. This enables creating the KeyVault in a subscription where the specified resource group resides. See [4] for more details.

Figure 6: cmdlet syntax [2].
Parameter Set: Default
New-AzureRmKeyVault `
[-VaultName] <String> ` # required
[-ResourceGroupName] <String> ` # required
[-Location] <String> ` # required
[-EnabledForDeployment] `
[-EnabledForDiskEncryption] `
[-EnabledForTemplateDeployment] `
[-Sku <String> {standard | premium} ] `
[-Tag <Hashtable[]> ] `
[ <CommonParameters>]

The Azure account used to create the KeyVault is now authorized to perform any operation on it; as yet, nobody else is [4]. Set-AzureRmKeyVaultAccessPolicy can be used to grant access to other users, applications, and service principals, and should grant only the permissions each of them needs. Get-AzureRmKeyVault can be used to validate that the KeyVault was created with the expected information.

Figure 7: Validate KeyVault information using Get-AzureRmKeyVault [5].
Parameter Set: GetVaultByName
Get-AzureRmKeyVault `
[-VaultName] <String> ` # Required
[[-ResourceGroupName] <String> ] ` # Optional, but specify to improve search performance
[ <CommonParameters>]
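
The steps above (Figures 1, 5 and 7 and the access-policy note) combined into one script, as an added example that is not from the original post or from Microsoft's documentation. The subscription id, resource group, vault name prefix and reader account are placeholders to replace before running; the cmdlet names and parameters are those of the AzureRm module the post uses.

```powershell
# Added example: sign in, create the vault, grant one reader least-privilege
# access to secrets, then validate what actually exists in the subscription.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder guid
$ResourceGroup  = 'rg-keyvault-demo'                        # assumed group name
$Location       = 'West US'
$VaultName      = 'kv-demo-' + (Get-Random -Maximum 99999)  # must be globally unique
$ReaderUpn      = 'reader@example.com'                      # assumed user principal

# Figure 5: sign in to the subscription that owns the resource group.
Login-AzureRmAccount -SubscriptionId $SubscriptionId

# The resource group must exist before New-AzureRmKeyVault is run.
if (-not (Get-AzureRmResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# Figure 1: create the vault. Each backtick is the last character on its line.
New-AzureRmKeyVault `
    -VaultName $VaultName `
    -ResourceGroupName $ResourceGroup `
    -Location $Location `
    -EnabledForDeployment `
    -Sku 'standard' | Out-Null

# Only the creating account has an access policy so far. Grant the reader just
# get/list on secrets; no key, certificate or management permissions.
Set-AzureRmKeyVaultAccessPolicy `
    -VaultName $VaultName `
    -ResourceGroupName $ResourceGroup `
    -UserPrincipalName $ReaderUpn `
    -PermissionsToSecrets get,list

# Figure 7: validate by reading the vault back rather than trusting the return
# value of the create call.
$check = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if ($null -eq $check) {
    throw "Vault $VaultName was not found after creation."
}
if (-not $check.EnabledForDeployment) {
    throw "EnabledForDeployment is not set on $VaultName."
}

# Review every access policy: each entry should be an intended identity with
# only the permissions it needs.
$check.AccessPolicies |
    Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys |
    Format-Table -AutoSize
```

The validation block is the part worth keeping in any deployment script: a vault that exists but lacks -EnabledForDeployment, or that carries an unexpected access policy, is caught here instead of at first use.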

Further Reading

A self-signed certificate can be used to validate the KeyVault was setup correctly.

Creating a self-signed certificate

Works Cited

  1. Programming Microsoft Azure Service Fabric (ISBN 9781509301881), by Haishi Bai
  2. New-AzureRmKeyVault
  3. How to enter a multi-line command?
  4. Get started with Azure Key Vault
  5. Get-AzureRmKeyVault