In the previous demo, we already created an application that uses the Key Vault SDK to retrieve keys from Azure Key Vault, and that can encrypt and decrypt data at rest. In this demonstration, we are going to create, read, update, and delete keys and certificates using the API. Therefore, we are going to use the service principal that we created in the previous demo to connect to the Key Vault. This service principal already has permissions to the Key Vault.
We are also going to use Postman as an API client to create requests to the API. Under the Technical requirements section, at the beginning of this chapter, you can click the link to install Postman.
- Open Postman and log in or create an account. In Request, add the following (make sure that you replace the {tenant_id} in the request URL with the correct Azure AD tenant ID):
POST https://login.microsoftonline.com/{tenant_id}/oauth2/token?api-version=1.0
- Click Body in the top menu and add the following values:
- Click Send.
- The output will look like the following:
- Copy the access_token value.
- Then, in Postman, create a new request. We are going to use this token for authorization and pass it along in the request. Therefore, we need to add an Authorization header with the value Bearer <token>, as in the following image:
- We now successfully authenticated to Azure Key Vault using the service principal credentials. We also added the Bearer token to the header of the request. Now, we can create some queries. First, let's start by retrieving secrets in Azure Key Vault. In Postman, add the following values and click Send:
- Request Type and URL: GET https://packtdataencryptionvault.vault.azure.net/secrets?api-version=7.0
- This will result in an output displaying all the secrets that are in the vault:
- To create a secret, select Body from the top menu in Postman and make sure that raw and JSON is selected:
- Then, add the following to create a secret:
- HTTP:
  PUT {vaultBaseUrl}/secrets/crpsecret?api-version=7.0
- Request Body:
  { "value": "packtsecretvalue" }
- Response:
  {
    "value": "packtsecretvalue",
    "id": "https://packtdataencryptionvault.vault.azure.net/secrets/crpsecret/78508744072e4d1ea9c780fd9c31ecd0",
    "attributes": {
      "enabled": true,
      "created": 1570543118,
      "updated": 1570543118,
      "recoveryLevel": "Purgeable"
    }
  }
- To delete the secret, add the following:
- HTTP:
  DELETE {vaultBaseUrl}/secrets/crpsecret?api-version=7.0
- Response:
  {
    "id": "https://packtdataencryptionvault.vault.azure.net/secrets/crpsecret/41fa843e28104c9bbed7d6f89baf5390",
    "attributes": {
      "enabled": true,
      "created": 1570543575,
      "updated": 1570543575,
      "recoveryLevel": "Purgeable"
    }
  }
- To create a key, add the following to Postman:
- HTTP:
  POST {vaultBaseUrl}/keys/CreateSoftKeyTest/create?api-version=7.0
- Request Body:
  {
    "kty": "RSA",
    "key_size": 2048,
    "key_ops": [
      "encrypt",
      "decrypt",
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey"
    ],
    "attributes": {},
    "tags": {
      "purpose": "unit test",
      "test name ": "CreateGetDeleteKeyTest"
    }
  }
- Response:
  {
    "key": {
      "kid": "https://packtdataencryptionvault.vault.azure.net/keys/CreateSoftKeyTest/66c103e3dd1c4cff8f86b9221c9c8419",
      "kty": "RSA",
      "key_ops": [
        "encrypt",
        "decrypt",
        "sign",
        "verify",
        "wrapKey",
        "unwrapKey"
      ],
      "n": "rJqJLUORU_jz1Yvt4CJt49VJ7VwIGcYQ5SF6ioegtUSZqX7thAKR-2e294tQPm68rtH1yxtzSinj2b6tJUtKWULOoxvh0FoV_ppR1PXEQckfy-Xlcd8M0AwjZ9xvHnsBv3DV2dyjf4z4aXmP2y7V7EGwJ__KtG-PDYPKS5sKTKmOkFTDLV8V0OJVQ0dNtuSstqIcTMiSEH27SWMKqwk0UyodneMEOrYNNMC-H5Jpm5mmexzi7j1w6jgjVGsJDrCGe6io1USzbLB7Y4NK1_kJ_OyV5d5qxAOfGWtX6X1g6kJUWR8pc2Q0oaGhEpj5ksTIhIcDlJ2ZriaLyrI9KemIyQ",
      "e": "AQAB"
    },
    "attributes": {
      "enabled": true,
      "created": 1570544847,
      "updated": 1570544847,
      "recoveryLevel": "Purgeable"
    },
    "tags": {
      "purpose": "unit test",
      "test name ": "CreateGetDeleteKeyTest"
    }
  }
- To delete a key, add the following to Postman:
- HTTP:
  DELETE {vaultBaseUrl}/keys/CreateSoftKeyTest?api-version=7.0
- Response:
  {
    "key": {
      "kid": "https://packtdataencryptionvault.vault.azure.net/keys/CreateSoftKeyTest/e9d35e5432ad4da48239f725af90b733",
      "kty": "RSA",
      "key_ops": [
        "encrypt",
        "decrypt",
        "sign",
        "verify",
        "wrapKey",
        "unwrapKey"
      ],
      "n": "p8YP98mvABmPFEGwxLw-WdyouR7DiG9prJ5t4KLLDEq9uXpRnZMmnq2zmN2-XL333Hpj6wzJpmu5mM1LtgiUnAZMcYjx-RSXyTk1ftdC50ahNrUwBIcqVG8M3hfrC-JbVd2d0RCfusMHpcU1S8HgRe2cUZ-h4yeo5PVFy0MrkKXRtVVj-qnKB1tMPbCDVxboTYEvMQxKP8YqHnxaMMDwySgFjLa3UCJMj1zyI5fI-dCjLGYSSeeO_e19jn2DoWro83VQG0I-K7uBj1qf82_D38xIIBc7qEFth_7dTj87hW0DkXnpa-63jycU69rSS5PlsZXiUjfltwT8Y13yFFGqfQ",
      "e": "AQAB"
    },
    "attributes": {
      "enabled": true,
      "created": 1570545206,
      "updated": 1570545206,
      "recoveryLevel": "Purgeable"
    },
    "tags": {
      "purpose": "unit test",
      "test name ": "CreateGetDeleteKeyTest"
    }
  }
- To create a certificate, add the following:
- HTTP:
  POST {vaultBaseUrl}/certificates/selfSignedCert01/create?api-version=7.0
- Body (note: the dns_names array must not end with a trailing comma, or the request body is not valid JSON):
  {
    "policy": {
      "key_props": {
        "exportable": true,
        "kty": "RSA",
        "key_size": 2048,
        "reuse_key": false
      },
      "secret_props": {
        "contentType": "application/x-pkcs12"
      },
      "x509_props": {
        "subject": "CN=*.sjoukjezaal.com",
        "sans": {
          "dns_names": [
            "test.sjoukjezaal.com"
          ]
        }
      },
      "issuer": {
        "name": "Self"
      }
    }
  }
- Response:
  {
    "id": "https://packtdataencryptionvault.vault.azure.net/certificates/selfSignedCert01/pending",
    "issuer": {
      "name": "Self"
    },
    "csr": "MIICzTCCAbUCAQAwHDEaMBgGA1UEAwwRKi5zam91a2plemFhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwQvaRmmInr85fNLPoOU0wkbAhr2H/56h1g+zfXuILtUtQgG9OGXYPewWGYek7Ej0KnGinuDTlE06q0RlmLlFs1CbeFWKlTJ8J1Vnv0kzZM71mBGf7fDelBtvxpK2q1tCXWv3HokkMkhBJPZZWSd4cyGSGG9kNkcS2cmEHtIAlP9O834URB0ZQI0ksFegxgeVulKP3umS//0SSWsfJVgkeaM5DRTujnThUxkHXsJI9P9Wc8R6OoQxsnz8e2KQlFLamLM6iCz57FlwinCbU9E5IZp19N9WwpGxEiJS7Qj6Ib/8tt9+Vh+bnSzM6kOY3/xn3tVF8LvoCmIS728KZEjSPAgMBAAGgbDBqBgkqhkiG9w0BCQ4xXTBbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIUdGVzdC5zam91a2plemFhbC5jb20wCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAK2vrug9pjPmz94zRVc6eD9PNwUmDvnBoffuVl7lKjIuqvuvaEeB40C3TmD38+0oHEVSoX0GEjJxt+NNlyHP5wkkkbO14otqAO5Gl5/euMTr1hwgJVPQojlEOP8uOf4kIDQp6sVDBwmMLnQrhWzrBAir1Rqcpeh/WB2Yt8E/VVsgLCnA9CwSmEwEX+HqJOm25KN28Bs9HiGk9NeQhUEWNfXNHRo46SF63K0/qfXgIZw/R19ljhBoBOWjJ2/itAM1mqxfjO1N7Qf5pFhL0+ChD0/eFYiKX1r8Abem22ohvND3Lc8IY2vH4LpZj7LjGk0IEO+Kog6A3JvC+bKi+nwiOCw==",
    "cancellation_requested": false,
    "status": "inProgress",
    "status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later.",
    "request_id": "133c0973768b4fdda836b85b7d50cf41"
  }
- For this last request, I needed to grant the service principal more permissions on the Key Vault. To do so, go to the Azure portal, navigate to the Key Vault overview blade, and select Access Policies in the left menu. There, you can add and remove the required permissions:
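The same flow the Postman steps walk through, as an added Python example that is not part of the original demo: it builds the client-credentials token request (the form fields and the https://vault.azure.net resource are the standard ones for the v1.0 endpoint shown above, not values taken from the missing screenshot), builds the Bearer-authenticated Key Vault requests, and summarizes a secret or key response. The summary flags the recoveryLevel value "Purgeable" seen in every response above, which means soft delete is not enabled on this vault, so the DELETE calls are irreversible. The sample response is the delete-secret response from this demo, embedded inline.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse

API_VERSION = "7.0"  # same data-plane version as the Postman requests above


def token_request(tenant_id, client_id, client_secret):
    """Describe the client-credentials call to the v1.0 token endpoint.
    'resource' names the audience; for Key Vault this is https://vault.azure.net."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": "https://vault.azure.net"}
    return {"method": "POST",
            "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/token?api-version=1.0",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}


def vault_request(vault_base_url, method, path, access_token, body=None):
    """Describe a Key Vault data-plane call carrying the Bearer token."""
    req = {"method": method,
           "url": f"{vault_base_url}/{path}?api-version={API_VERSION}",
           "headers": {"Authorization": f"Bearer {access_token}"}}
    if body is not None:
        req["headers"]["Content-Type"] = "application/json"
        req["body"] = json.dumps(body)
    return req


def summarize(response):
    """Extract name, version, creation time and recoverability from a
    secret or key response (keys carry their id under key.kid)."""
    obj_id = response.get("id") or response["key"]["kid"]
    kind, name, version = urlparse(obj_id).path.strip("/").split("/")
    attrs = response["attributes"]
    return {"kind": kind, "name": name, "version": version,
            "created": datetime.fromtimestamp(attrs["created"], tz=timezone.utc).isoformat(),
            # "Purgeable" means soft delete is off: a deleted object cannot be recovered
            "recoverable": attrs["recoveryLevel"] != "Purgeable"}


# The delete-secret response shown in this demo, embedded here as sample input.
SAMPLE_DELETE_RESPONSE = {
    "id": "https://packtdataencryptionvault.vault.azure.net/secrets/crpsecret/41fa843e28104c9bbed7d6f89baf5390",
    "attributes": {"enabled": True, "created": 1570543575,
                   "updated": 1570543575, "recoveryLevel": "Purgeable"},
}

if __name__ == "__main__":
    print(vault_request("https://packtdataencryptionvault.vault.azure.net", "DELETE",
                        "secrets/crpsecret", "<token>"))
    print(summarize(SAMPLE_DELETE_RESPONSE))
```

The request descriptors can be handed to any HTTP client; keep the client secret and the returned access token out of logs and request collections that are shared.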
In this demonstration, we covered how to use the Key Vault API to create, update, and delete keys, secrets, and certificates. This concludes this chapter.