Why?
Delegating the responsibility of storing and managing access to secrets to a single service makes it easier to protect.
What?
Azure KeyVault is a service that stores and manages access to secrets. PowerShell is used here so that the deployment can be automated in production.
How?
Figure 1: Create new Azure KeyVault instance [1].
New-AzureRmKeyVault `
    -VaultName '[vault name]' `
    -ResourceGroupName '[resource group name]' `
    -Location '[location]' `
    -EnabledForDeployment
-VaultName specifies the name of the key vault to create. The name can be any combination of letters, digits, or hyphens. The name must start and end with a letter or digit. The name must be universally unique [2].
-ResourceGroupName specifies the name of an existing resource group in which to create the key vault [2]. Create a resource group before running this cmdlet.
-Location specifies the Azure region in which to create the key vault. Use the command Get-AzureLocation to see your choices. For more information, type Get-Help Get-AzureLocation [2]. Examples are West US and East US [1].
-EnabledForDeployment enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine [2].
The backtick character (`) is used to split a PowerShell command over multiple lines [3].
Note
An Azure subscription must be selected to be able to run Get-AzureLocation.
Using Select-AzureSubscription yields another error.
An Azure account must be registered before subscriptions can be selected.
Figure 4: Adding an Azure account to a PowerShell session.
Add-AzureAccount
Note
Login-AzureRmAccount must be called before New-AzureRmKeyVault can be called.
Figure 5: Logging into an Azure account using a subscription id.
Login-AzureRmAccount -SubscriptionId [subscription guid]
Specifying a subscription is useful when an account has multiple subscriptions. This enables creating the KeyVault in a subscription where the specified resource group resides. See [4] for more details.
Figure 6: cmdlet syntax [2].
Parameter Set: Default
New-AzureRmKeyVault `
    [-VaultName] <String> `                 # required
    [-ResourceGroupName] <String> `         # required
    [-Location] <String> `                  # required
    [-EnabledForDeployment] `
    [-EnabledForDiskEncryption] `
    [-EnabledForTemplateDeployment] `
    [-Sku <String> {standard | premium} ] `
    [-Tag <Hashtable[]> ] `
    [ <CommonParameters>]
The Azure account used to create the KeyVault is now authorized to perform any operation on it. As yet, nobody else is [4]. Set-AzureRmKeyVaultAccessPolicy can be used to grant access to other users, applications, and service principals. Get-AzureRmKeyVault can be used to validate that the KeyVault was created with the expected information.
Figure 7: Validate KeyVault information using Get-AzureRmKeyVault [5].
Parameter Set: GetVaultByName
Get-AzureRmKeyVault `
    [-VaultName] <String> `                 # Required
    [[-ResourceGroupName] <String> ] `      # Optional, but specify to improve search performance
    [ <CommonParameters>]
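The whole procedure above (login with a subscription id, resource group, vault creation, access policy, and the Figure 7 validation) as one script, added here as an example and not taken from the original post or the cited sources. The variable names, the placeholder values, the service principal that will read secrets and the least-privilege policy granted to it are assumptions.

```powershell
# Added example (not from the original post or the cited sources): one AzureRm script
# that runs the steps above end to end and then verifies the result.
# Values in angle brackets are placeholders to replace; the service principal is assumed.
$SubscriptionId      = '<subscription guid>'
$ResourceGroupName   = '<resource group name>'
$VaultName           = '<vault name>'      # letters, digits or hyphens; globally unique
$Location            = 'West US'
$AppServicePrincipal = '<application id of the app that will read secrets>'

# Authenticate and pin the session to the subscription that owns the resource group.
Login-AzureRmAccount -SubscriptionId $SubscriptionId | Out-Null

# The resource group must exist before New-AzureRmKeyVault is called.
if (-not (Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
}

# Create the vault. -EnabledForDeployment lets the Microsoft.Compute resource provider
# pull secrets from it when a VM that references the vault is created.
New-AzureRmKeyVault `
    -VaultName $VaultName `
    -ResourceGroupName $ResourceGroupName `
    -Location $Location `
    -Sku 'standard' `
    -EnabledForDeployment | Out-Null

# Only the creating account holds an access policy so far. Grant the application the
# least it needs (read secrets) rather than management rights such as set or delete.
Set-AzureRmKeyVaultAccessPolicy `
    -VaultName $VaultName `
    -ResourceGroupName $ResourceGroupName `
    -ServicePrincipalName $AppServicePrincipal `
    -PermissionsToSecrets get,list

# Validate: re-read the vault and fail loudly if it differs from what was requested.
# Location is compared with spaces removed because Azure returns it as e.g. 'westus'.
$check = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if (($check.Location -replace '\s', '') -ne ($Location -replace '\s', '') -or
    -not $check.EnabledForDeployment) {
    throw "Vault '$VaultName' was not created with the expected settings."
}
$check | Select-Object VaultName, ResourceGroupName, Location, Sku, EnabledForDeployment, VaultUri

# Review every principal that can reach the vault; this list should stay short.
$check.AccessPolicies | Select-Object DisplayName, ObjectId, PermissionsToSecrets
```

The final listing of access policies is the check worth repeating after any later Set-AzureRmKeyVaultAccessPolicy call, since each entry is a principal that can read secrets.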
Further Reading
A self-signed certificate can be used to validate that the KeyVault was set up correctly.
Works Cited
[1] Programming Microsoft Azure Service Fabric (ISBN 9781509301881), by Haishi Bai
[2] New-AzureRmKeyVault
[3] How to enter a multi-line command?
[4] Get started with Azure Key Vault
[5] Get-AzureRmKeyVault