Storing arbitrary text files in Azure Key Vault as secrets (SSH keys, CER files etc.)

Azure Key Vault provides auditable, RBAC-controlled access to primitives such as secrets, which are by default simple strings: a password, a connection string and the like.

It is also possible to store a complete text file in a secret, which is useful when you want to keep SSH keys and similar files under Key Vault's access control and audit logging while still getting all the other benefits of Key Vault.

Powershell way

To store a text file as an Azure Key Vault secret, use the Set-AzureKeyVaultSecret cmdlet and pass the contents of the file as a SecureString to the -SecretValue parameter.

For example, the following PowerShell command stores the file rootCA.cer as a secret named rootca in the vault:

PS C:\> Set-AzureKeyVaultSecret -VaultName MyKeyVault -SecretName rootca -SecretValue (ConvertTo-SecureString (Get-Content C:\test\rootCA.cer -Raw) -force -AsPlainText )
Vault Name : mykeyvault
Name : rootca
Version : df87dbdf504045c298b3897ba55d3dbc
Id : https://mykeyvault.vault.azure.net:443/secrets/rootca/df87dbdf504045c298b3897ba55d3dbc
Enabled : True
Expires :
Not Before :
Created : 1/4/2018 3:19:38 PM
Updated : 1/4/2018 3:19:38 PM
Content Type :
Tags :


To retrieve it, we can use a PSCredential object to convert the SecureString back to plain text and then save it as a file.

PS C:\> [PSCredential]::new("user",(Get-AzureKeyVaultSecret -Name rootca -VaultName MyKeyVault).SecretValue).GetNetworkCredential().Password
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


You can then save the output to the file system and get a certificate equivalent to the one that was uploaded:

[PSCredential]::new("user",(Get-AzureKeyVaultSecret -Name rootca -VaultName MyKeyVault).SecretValue).GetNetworkCredential().Password | Out-File 'c:\test\retrieved.cer' -Encoding utf8

One caveat: in Windows PowerShell 5.1, Out-File -Encoding utf8 writes a UTF-8 byte-order mark and appends a trailing newline, so the file parses as the same PEM certificate but is not byte-for-byte identical to the original. If exact bytes matter (for example when you compare hashes, or when the consumer is strict about the file format), write the string with [IO.File]::WriteAllText and a BOM-less UTF8Encoding instead.
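The following script is an added example, not code from the original post: it performs the upload and retrieval described above as one round trip, refuses files larger than the 25 KB secret value limit, writes the retrieved secret without a BOM or trailing newline, and proves with SHA-256 hashes that the file on disk is byte-identical to the file that was uploaded. The vault name, secret name and file paths are placeholders; the AzureRM cmdlets used in the post are assumed to be loaded and an Azure session already established (with the Az module the cmdlets are Set-AzKeyVaultSecret and Get-AzKeyVaultSecret, with the same parameters used here).

```powershell
# Added example (not from the original post): round-trip a text file through a
# Key Vault secret and verify the copy on disk is byte-identical.
# Assumes: AzureRM.KeyVault cmdlets loaded, Login-AzureRmAccount already done,
# and the placeholder names below replaced with your own.
param(
    [string]$VaultName  = 'MyKeyVault',            # placeholder vault name
    [string]$SecretName = 'rootca',                # placeholder secret name
    [string]$Path       = 'C:\test\rootCA.cer',    # placeholder input file
    [string]$OutPath    = 'C:\test\retrieved.cer'  # placeholder output file
)

# -Raw returns the whole file as one string, preserving line endings; without it
# Get-Content would split the file into lines and you would have to re-join them.
$text = Get-Content -Path $Path -Raw

# Key Vault secret values are limited to 25 KB. Fail early with a clear message
# instead of letting the service reject the request.
if ([Text.Encoding]::UTF8.GetByteCount($text) -gt 25KB) {
    throw "$Path exceeds the 25 KB secret value limit; use a certificate/key object or split the file."
}

# Upload. Recording a content type tells consumers this is a file, not a password.
$null = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName `
    -SecretValue (ConvertTo-SecureString -String $text -AsPlainText -Force) `
    -ContentType 'application/x-pem-file'

# Retrieve and decrypt the SecureString. Marshal::SecureStringToBSTR gives us the
# plain text and ZeroFreeBSTR wipes the unmanaged copy afterwards; the PSCredential
# trick from the post works too but leaves no way to zero the buffer.
$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Write exactly the bytes we read: no BOM (UTF8Encoding($false)) and no extra
# newline, which is what Out-File -Encoding utf8 would add in Windows PowerShell.
# Note: if the input file itself started with a UTF-8 BOM, Get-Content strips it,
# so the hashes below would differ by those three bytes.
[IO.File]::WriteAllText($OutPath, $plain, [Text.UTF8Encoding]::new($false))

# Prove the round trip: compare SHA-256 of original and retrieved file.
$origHash = (Get-FileHash -Path $Path    -Algorithm SHA256).Hash
$backHash = (Get-FileHash -Path $OutPath -Algorithm SHA256).Hash
if ($origHash -ne $backHash) {
    throw "Round-trip mismatch: uploaded $origHash, retrieved $backHash"
}
"OK: $OutPath is byte-identical to $Path (SHA256 $backHash, secret version $($secret.Version))"
```

When the file is an SSH private key rather than a public certificate, treat the output path with the same care as the secret itself: write it to a location with a restrictive ACL (the current user only) and remove it when the job that needed it is done, since the plain text now lives outside the vault's audit trail.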

Azure CLI way

The same round trip is somewhat easier with the Azure CLI, which reads and writes the file directly.

To upload the secret:

PS C:\> az keyvault secret set --name rootca --vault-name mykeyvault --file C:\test\rootCA.cer
{
  "attributes": {
    "created": "2018-01-04T15:43:18+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Purgeable",
    "updated": "2018-01-04T15:43:18+00:00"
  },
  "contentType": null,
  "id": "https://mykeyvault.vault.azure.net/secrets/rootca/68b70f7caa074f54b10d7dba2ff52e9e",
  "kid": null,
  "managed": null,
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": "-----BEGIN CERTIFICATE-----\nMIIFADCCAuigAwIBAgIQS0Dm+q1kmqxBMcvB49AJlTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQD\nDA9Eb2NrZXIgVExTIFJvb3QwHhcNMTgwMTA0MDExMjE3WhcNMzgwMTA0MDEyMjE2WjAaMRgwFgYD\nVQQDDA9Eb2NrZXIgVExTIFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDqxthQ\nZPxJY821/07C2W9d4Mg1mRf2lQmLhIbApGKsHa07rS4BusZ5qKrcP4I0xMY7wNFFyJIYC8oesKTC\nWZf9OhttIxCWA04RXkz0ISKMSAspUR1YBFsvAdHFVvt348y3aR1hmO6OXyqYlR3yms5A8hF8QpOQ\n+/hSaQ4MlfRwU8W6PNfV6SEzv7fGu0ZmZc+Wi7pHLrzIeLvGwkoEXJIQupe22h5GqkirZ501RvBB\n4SQkG5SHaKMTf5FpYr52C5B9bw7fh0KFXCDER6BD3sZCdv2Fz90yp37fwBBz60DhTrAcXetu6JSn\nFaB6GqtIg1G4ytQJnzcaOgq2YHeRaIuqzy5HuioQ9Dz32j4vUwNFD0rgF2/NaZAeVVK30XggB1+7\n+V2KpUPi2z9LZ/b5MktmdYdWLw+ShGSs4mUwESvWWPWo2ljAKm+01LmnwKEquVI/oXGLMiTFW6QP\nRLqKtTMHsJsEZsFueLGxoDaBKXTGvIYtjSQa9u3Wt1o2Ebaq+aNRDAHpoxU/4EEC4SotMyr2CFMW\nTxGDf589JBs8K02dJhfvFiBIiuAwpSS7+C3qGfnQKBXMGdyrZTrJfSwaSLKPy8VmWvChZF5l3oLF\nDR+I1G5fahDIFP1jcJJKIfX7sUvaouCLAZioR9t/q+BqzLmdxsslWIe4+vnQeSX55NA8EQIDAQAB\no0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU9AGt3fSrJxjZ\no44YJklXcyMv5pYwDQYJKoZIhvcNAQELBQADggIBAKFJzSBtwpBaRzXfuT0OLBz5tX9VHppuc8H7\nPmiv1NELAFa5Nwi0G/eQptB3etJzu8+gnH7SZoPaZjnqbLYgk4T1o1xrSKEwGJMqjD7PLsJqo8O1\n6fx6A8opH0hmh0qlvH3nSegjq/bmP8gKQTPHoCyAsbRGekUj7KdXqVsGYIClRVJEU49UK78a4aiI\nN/x0KMMY+dL8aZA3dKpqSqpkS/DWlNewiKe37/og2+pqYDZnCcd3N7IWThY+iFnuFQbOvsK+ipje\ndyzXt9dL3NSx/ZHT1L54ttL7LYfLKyk5yV63p+DONiVqppSnEZRMqXfJbWMFPjL73vEQpXFiq9CH\ntKTfmD+6YxjWuZ4BklF2Dry/2F7jXCd9HXp1wrm/sPg1Lr4SfU39kN1vZkVwWJGFOYXCInd7tpPn\nTjw6X2SK7VDaSH4WJAuSKtPzFSxoK1LWdLedv2OWkf/h3vJCQ3r3yBvHCoX4ghm6n8uYeXeDLjhI\np8KutuHENIr5ih+oq01mx9VEOaTVDDpiowB87LICFzyfuHVSB/nOZ+QoxCxXE7fZB+YpqP8aCyLb\nN7MCeVnOnAGzNlDiom1qgJxZIR/WUyXfQNEh4rLjI9w72rxw0aQG27+pM/4EYV3uem8J+i3OVTCL\n5BdmEo40rzK4JAYNsMUdgVlfDYbuGJOkfAJeDmq7\n-----END CERTIFICATE-----\n"
}


Two things in that output are worth noticing. First, the CLI echoes the full secret value back to the console, which is harmless for a public certificate but will land a private key in your terminal scrollback or CI log; pass --output none (or --query id) when the file is sensitive. Second, "recoveryLevel": "Purgeable" means soft-delete was not enabled on this vault, so a deleted secret is gone immediately; enable soft-delete (and purge protection) on vaults that hold key material you cannot regenerate.

To download the secret (the CLI reads the file-encoding tag it set on upload, so the file comes back in the same encoding):

PS C:\> az keyvault secret download --name rootca --vault-name mykeyvault --file C:\test\retrieved.cer
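The script below is an added example, not part of the original post, that extends the CLI procedure in two ways: it stores a binary file (a DER-encoded certificate) as well as the PEM file, using the CLI's --encoding base64 option so the bytes survive the text-only secret value, and it suppresses the value echo on upload and checks both round trips with SHA-256. It is written to be run from PowerShell like the commands in the post; the vault name and file paths are placeholders and an az login session is assumed.

```powershell
# Added example (not from the original post): Azure CLI round trip for a text
# file and a binary file, with integrity checks. Assumes `az login` is done and
# the placeholder vault/file names below are replaced with your own.
$vault = 'mykeyvault'   # placeholder vault name

# Text file: the CLI stores it as utf-8 and records that in the 'file-encoding'
# tag. --output none keeps the secret value out of the console and any CI log.
az keyvault secret set --vault-name $vault --name rootca `
    --file C:\test\rootCA.cer --output none
az keyvault secret download --vault-name $vault --name rootca `
    --file C:\test\retrieved.cer

# Binary file (DER certificate, PFX, ...): a secret value is text, so ask the CLI
# to base64-encode on upload. On download it reads the file-encoding tag and
# decodes; --encoding is repeated here so the intent is explicit even if the tag
# were ever removed.
az keyvault secret set --vault-name $vault --name rootca-der `
    --file C:\test\rootCA.der --encoding base64 --output none
az keyvault secret download --vault-name $vault --name rootca-der `
    --file C:\test\retrieved.der --encoding base64

# Verify that each downloaded file is byte-identical to what was uploaded.
$pairs = @(
    @{ Original = 'C:\test\rootCA.cer'; Retrieved = 'C:\test\retrieved.cer' },
    @{ Original = 'C:\test\rootCA.der'; Retrieved = 'C:\test\retrieved.der' }
)
foreach ($p in $pairs) {
    $a = (Get-FileHash -Path $p.Original  -Algorithm SHA256).Hash
    $b = (Get-FileHash -Path $p.Retrieved -Algorithm SHA256).Hash
    if ($a -ne $b) {
        throw "Round-trip mismatch for $($p.Original): uploaded $a, retrieved $b"
    }
    "OK: $($p.Retrieved) matches $($p.Original) (SHA256 $b)"
}
```

Because the CLI writes the file with the same encoding it read, the hash check passes for both the PEM and the DER file; the same check after the PowerShell Out-File approach in the previous section would fail on the BOM and trailing newline, which is exactly the kind of silent difference the hash is there to catch.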
