Configuring Azure KeyVault using ARM

In my previous blog post, I showed how to create an Azure Data Explorer cluster using the armclient command line tool. Today, I'll show how to configure an Azure KeyVault.

Azure KeyVault is Azure’s recommended way of keeping secrets, such as Certificates, Keys, and other sensitive information (such as passwords, API keys and tokens). With KeyVault, you can tightly control and monitor access to your secrets, auto-rotate certificates, and easily deploy your secrets to your applications.

A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates.

Azure KeyVault integrates with various other Azure services in order to provide the best user and developer experience. For example:

  • Deploy certificates into Virtual Machines (Scale Sets)
  • Encrypt data in Storage Accounts

Recently, Microsoft introduced soft-delete and purge protection for KeyVaults.

KeyVault Soft Delete

Key Vault's soft-delete feature allows recovery of deleted vaults and vault objects. Specifically, it addresses the following scenarios:

  • Support for recoverable deletion of a key vault
  • Support for recoverable deletion of key vault objects (ex. keys, secrets, certificates)

KeyVault Purge Protection

When purge protection is on, a vault or an object in the deleted state cannot be purged until the 90-day retention period has passed. During that time the vault or object can still be recovered, which assures customers that the retention policy will be followed. Purge protection requires soft-delete to be enabled, and once purge protection has been turned on for a vault it cannot be turned off again, so enable it deliberately.

Updating a KeyVault

By default, Azure KeyVaults have neither soft-delete nor purge protection enabled. Unfortunately, at the time of writing this article, you can't configure these settings from the Azure Portal.

One easy way to do this is to use the armclient command-line tool:

  1. First, what you need is an Azure subscription. If you don’t have an Azure subscription, create a free Azure account before you begin.
  2. Get the armclient tool from GitHub: https://github.com/projectkudu/ARMClient
  3. Login to your Azure subscription:
    armclient login
  4. Create a JSON file with the following content, and save it as myKeyVault.json. Both flags are JSON booleans (not the strings "true"/"false"), and enablePurgeProtection is only accepted when enableSoftDelete is also true:
    {
      "name": "myKeyVault",
      "type": "Microsoft.KeyVault/vaults",
      "location": "West US 2",
      "properties": {
        "enableSoftDelete": true,
        "enablePurgeProtection": true
      }
    }
  5. You can read about the exact details of each value in the reference documentation: https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2018-02-14/vaults
  6. Perform a PATCH request using armclient to submit the JSON to ARM (fill in your subscription ID and resource group name in the path; note that the resource type segment is the plural "vaults", matching the "type" in the JSON):
    armclient PATCH /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/myKeyVault?api-version=2018-02-14 @myKeyVault.json -verbose

If all goes well, you get back a 200 OK response containing the details of the KeyVault resource, including the updated properties. You can confirm the change at any time with an armclient GET on the same path.
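The steps above wrapped into a single script, as an added example that is not part of the original post: it builds the resource path (with the correct plural "vaults" segment), checks the vault's current state with a GET, submits the PATCH body only if needed, and reads the vault back to verify both protections really took effect. It assumes armclient is on PATH and already logged in, and that the subscription ID, resource group and vault name are supplied through the hypothetical SUBSCRIPTION_ID, RESOURCE_GROUP and VAULT_NAME environment variables; the sample vault document at the bottom is constructed for the offline self-check and is not a real response.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): enable soft-delete and purge
# protection on an existing Key Vault with armclient, verifying before and after.
# Assumed (hypothetical) inputs: SUBSCRIPTION_ID, RESOURCE_GROUP, VAULT_NAME.
set -u

API_VERSION="2018-02-14"

# Build the ARM resource path for a vault. Note the plural "vaults": the path
# segment must match the resource type Microsoft.KeyVault/vaults.
kv_resource_path() {
  local sub="$1" rg="$2" name="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s?api-version=%s' \
    "$sub" "$rg" "$name" "$API_VERSION"
}

# The PATCH body. Both flags are JSON booleans, not the strings "true"/"false",
# and purge protection is only valid when soft-delete is enabled as well.
kv_patch_body() {
  cat <<'EOF'
{
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": true
  }
}
EOF
}

# Return 0 only if a vault JSON document reports both protections enabled.
# Matches the pretty-printed JSON armclient prints; tolerates whitespace and
# rejects string values such as "true", which ARM would not have stored.
kv_is_protected() {
  local json="$1"
  printf '%s' "$json" | grep -Eq '"enableSoftDelete"[[:space:]]*:[[:space:]]*true' &&
  printf '%s' "$json" | grep -Eq '"enablePurgeProtection"[[:space:]]*:[[:space:]]*true'
}

# Constructed sample of a vault document (not a real vault) for the offline check.
SAMPLE_RESPONSE='{
  "name": "myKeyVault",
  "type": "Microsoft.KeyVault/vaults",
  "properties": { "enableSoftDelete": true, "enablePurgeProtection": true }
}'

# Live run only when armclient is present and the environment is fully set;
# otherwise exercise the helpers against the constructed sample.
if command -v armclient >/dev/null 2>&1 && [ -n "${SUBSCRIPTION_ID:-}" ] \
   && [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${VAULT_NAME:-}" ]; then
  path="$(kv_resource_path "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VAULT_NAME")"

  before="$(armclient GET "$path")"
  if kv_is_protected "$before"; then
    echo "Vault already has soft-delete and purge protection enabled; nothing to do."
    exit 0
  fi

  body="$(mktemp)"
  kv_patch_body > "$body"
  armclient PATCH "$path" "@$body" -verbose
  rm -f "$body"

  # Do not trust the PATCH response alone: read the resource back.
  after="$(armclient GET "$path")"
  if kv_is_protected "$after"; then
    echo "Verified: soft-delete and purge protection are enabled on $VAULT_NAME."
  else
    echo "PATCH returned, but the vault still reports the old settings; inspect the response." >&2
    exit 1
  fi
else
  kv_is_protected "$SAMPLE_RESPONSE" && echo "offline self-check passed (constructed sample)"
fi
```

The pre-check matters because purge protection is irreversible: the script refuses to re-PATCH a vault that is already protected and reports the existing state instead. The final GET guards against a PATCH that is accepted with 200 OK but, for example, carries a mistyped property name that ARM silently ignores.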

Of course, you’re not limited to just soft-delete and purge protection with this method. You can update the access policies, as well as other properties of the vault.