In the previous demo, we already created an application that uses the Key Vault SDK to retrieve keys from Azure Key Vault, and that can encrypt and decrypt data at rest. In this demonstration, we are going to create, read, update, and delete keys and certificates using the API. Therefore, we are going to use the service principal that we created in the previous demo to connect to the Key Vault. This service principal already has permissions to the Key Vault.
We are also going to use Postman as an API client to create requests to the API. Under the Technical requirements section, at the beginning of this chapter, you can click the link to install Postman.
For those who are unfamiliar with Postman, you can refer to the following website for more information, at https://www.getpostman.com/product/api-client.
In this demonstration, I will create a couple of examples using the Azure Key Vault API. For more examples, you can refer to the Azure Key Vault REST API reference, available at https://docs.microsoft.com/en-us/rest/api/keyvault/.
- Open Postman and log in or create an account. In Request, add the following (make sure that you replace the {tenant_id} in the request URL with the correct Azure AD tenant ID):
POST https://login.microsoftonline.com/{tenant_id}/oauth2/token?api-version=1.0
- Click Body in the top menu and add the following values:
Requesting a bearer token
- Click Send.
- The output will look like the following:
Bearer token output
- Copy the access_token value.
- Then, in Postman, create a new request. We are going to use this token for authorization and pass it on in the request. Therefore, we need to create an Authorization key with the value: Bearer <token>, as in the following image:
Adding a token to the request
- We now successfully authenticated to Azure Key Vault using the service principal credentials. We also added the Bearer token to the header of the request. Now, we can create some queries. First, let's start by retrieving secrets in Azure Key Vault. In Postman, add the following values and click Send:
- Request Type and URL: GET https://packtdataencryptionvault.vault.azure.net/secrets?api-version=7.0
- This will result in an output displaying all the secrets that are in the vault:
Secrets in the vault
- To create a secret, select Body from the top menu in Postman and make sure that raw and JSON is selected:
Postman settings
- Then, add the following to create a secret:
- HTTP:
PUT {vaultBaseUrl}/secrets/crpsecret?api-version=7.0
-
- Request Body:
{ "value": "packtsecretvalue" }
-
- Response:
{
"value": "packtsecretvalue",
"id": "https://packtdataencryptionvault.vault.azure.net/secrets/crpsecret/78508744072e4d1ea9c780fd9c31ecd0",
"attributes": {
"enabled": true,
"created": 1570543118,
"updated": 1570543118,
"recoveryLevel": "Purgeable"
}
}
- To delete the secret, add the following:
- HTTP:
DELETE {vaultBaseUrl}/secrets/crpsecret?api-version=7.0
-
- Response:
{
"id": "https://packtdataencryptionvault.vault.azure.net/secrets/crpsecret/41fa843e28104c9bbed7d6f89baf5390",
"attributes": {
"enabled": true,
"created": 1570543575,
"updated": 1570543575,
"recoveryLevel": "Purgeable"
}
}
- To create a key, add the following to Postman:
- HTTP:
POST {vaultBaseUrl}/keys/CreateSoftKeyTest/create?api-version=7.0
-
- Request Body:
{
"kty": "RSA",
"key_size": 2048,
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"attributes": {},
"tags": {
"purpose": "unit test",
"test name ": "CreateGetDeleteKeyTest"
}
}
-
- Response:
{
"key": {
"kid": "https://packtdataencryptionvault.vault.azure.net/keys/CreateSoftKeyTest/66c103e3dd1c4cff8f86b9221c9c8419",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "rJqJLUORU_jz1Yvt4CJt49VJ7VwIGcYQ5SF6ioegtUSZqX7thAKR-2e294tQPm68rtH1yxtzSinj2b6tJUtKWULOoxvh0FoV_ppR1PXEQckfy-Xlcd8M0AwjZ9xvHnsBv3DV2dyjf4z4aXmP2y7V7EGwJ__KtG-PDYPKS5sKTKmOkFTDLV8V0OJVQ0dNtuSstqIcTMiSEH27SWMKqwk0UyodneMEOrYNNMC-H5Jpm5mmexzi7j1w6jgjVGsJDrCGe6io1USzbLB7Y4NK1_kJ_OyV5d5qxAOfGWtX6X1g6kJUWR8pc2Q0oaGhEpj5ksTIhIcDlJ2ZriaLyrI9KemIyQ",
"e": "AQAB"
},
"attributes": {
"enabled": true,
"created": 1570544847,
"updated": 1570544847,
"recoveryLevel": "Purgeable"
},
"tags": {
"purpose": "unit test",
"test name ": "CreateGetDeleteKeyTest"
}
}
- To delete a key, add the following to Postman:
- HTTP:
DELETE {vaultBaseUrl}/keys/CreateSoftKeyTest?api-version=7.0
-
- Response:
{
"key": {
"kid": "https://packtdataencryptionvault.vault.azure.net/keys/CreateSoftKeyTest/e9d35e5432ad4da48239f725af90b733",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "p8YP98mvABmPFEGwxLw-WdyouR7DiG9prJ5t4KLLDEq9uXpRnZMmnq2zmN2-XL333Hpj6wzJpmu5mM1LtgiUnAZMcYjx-RSXyTk1ftdC50ahNrUwBIcqVG8M3hfrC-JbVd2d0RCfusMHpcU1S8HgRe2cUZ-h4yeo5PVFy0MrkKXRtVVj-qnKB1tMPbCDVxboTYEvMQxKP8YqHnxaMMDwySgFjLa3UCJMj1zyI5fI-dCjLGYSSeeO_e19jn2DoWro83VQG0I-K7uBj1qf82_D38xIIBc7qEFth_7dTj87hW0DkXnpa-63jycU69rSS5PlsZXiUjfltwT8Y13yFFGqfQ",
"e": "AQAB"
},
"attributes": {
"enabled": true,
"created": 1570545206,
"updated": 1570545206,
"recoveryLevel": "Purgeable"
},
"tags": {
"purpose": "unit test",
"test name ": "CreateGetDeleteKeyTest"
}
}
- To create a certificate, add the following:
- HTTP:
POST {vaultBaseUrl}/certificates/selfSignedCert01/create?api-version=7.0
-
- Body:
{
"policy": {
"key_props": {
"exportable": true,
"kty": "RSA",
"key_size": 2048,
"reuse_key": false
},
"secret_props": {
"contentType": "application/x-pkcs12"
},
"x509_props": {
"subject": "CN=*.sjoukjezaal.com",
"sans": {
"dns_names": [
"test.sjoukjezaal.com",
]
}
},
"issuer": {
"name": "Self"
}
}
}
-
- Response:
{
"id": "https://packtdataencryptionvault.vault.azure.net/certificates/selfSignedCert01/pending",
"issuer": {
"name": "Self"
},
"csr": "MIICzTCCAbUCAQAwHDEaMBgGA1UEAwwRKi5zam91a2plemFhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwQvaRmmInr85fNLPoOU0wkbAhr2H/56h1g+zfXuILtUtQgG9OGXYPewWGYek7Ej0KnGinuDTlE06q0RlmLlFs1CbeFWKlTJ8J1Vnv0kzZM71mBGf7fDelBtvxpK2q1tCXWv3HokkMkhBJPZZWSd4cyGSGG9kNkcS2cmEHtIAlP9O834URB0ZQI0ksFegxgeVulKP3umS//0SSWsfJVgkeaM5DRTujnThUxkHXsJI9P9Wc8R6OoQxsnz8e2KQlFLamLM6iCz57FlwinCbU9E5IZp19N9WwpGxEiJS7Qj6Ib/8tt9+Vh+bnSzM6kOY3/xn3tVF8LvoCmIS728KZEjSPAgMBAAGgbDBqBgkqhkiG9w0BCQ4xXTBbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIUdGVzdC5zam91a2plemFhbC5jb20wCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAK2vrug9pjPmz94zRVc6eD9PNwUmDvnBoffuVl7lKjIuqvuvaEeB40C3TmD38+0oHEVSoX0GEjJxt+NNlyHP5wkkkbO14otqAO5Gl5/euMTr1hwgJVPQojlEOP8uOf4kIDQp6sVDBwmMLnQrhWzrBAir1Rqcpeh/WB2Yt8E/VVsgLCnA9CwSmEwEX+HqJOm25KN28Bs9HiGk9NeQhUEWNfXNHRo46SF63K0/qfXgIZw/R19ljhBoBOWjJ2/itAM1mqxfjO1N7Qf5pFhL0+ChD0/eFYiKX1r8Abem22ohvND3Lc8IY2vH4LpZj7LjGk0IEO+Kog6A3JvC+bKi+nwiOCw==",
"cancellation_requested": false,
"status": "inProgress",
"status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later.",
"request_id": "133c0973768b4fdda836b85b7d50cf41"
}
- For this last request, I needed to add more permissions to the service principal in the Key Vault. Therefore, go to the Azure portal and navigate to the Key Vault overview blade. In the left menu, select Access Policies. There, you can add and remove the required permissions:
Changing the Service Principal permissions
In this demonstration, we covered how to use the Key Vault API to create, update, and delete keys, secrets, and more. This concludes this chapter.