azure::key-vault

Azure Key Vaults are managed using a combination of resource configuration and commands. Currently `azure::key-vault-certificate` and `azure::key-vault-secret` are the entities that support commands.

Create an Azure Key Vault using the `azure::key-vault` resource. After the Key Vault is created, use the `gyro azure key-vault` command to manage certificates and secrets within the key vault. See the documentation below on how to create, add, or remove a certificate or secret from a key vault.
Example

```
azure::key-vault vault-example
    resource-group: $(azure::resource-group resource-group-example-vault)
    name: "key-vault-example"
    enable-deployment: true
    enable-template-deployment: true
    enable-disk-encryption: true
    enable-soft-delete: false

    access-policy
        key-permissions: ["get", "import", "list", "delete"]
        certificate-permissions: ['get', 'update', 'create', 'list', 'delete', 'import', 'backup', 'recover', 'restore', 'setissuers', 'deleteissuers', 'purge', 'listissuers', 'getissuers', 'managecontacts', 'manageissuers']
        secret-permissions: ["get"]
        object-id: "e0afa33f-9882-4cdc-abb8-c613a8949f9e"
    end

    access-policy
        key-permissions: ["get", "import", "list", "delete"]
        certificate-permissions: ['get', 'update', 'create', 'list', 'delete', 'import', 'backup', 'recover', 'restore', 'setissuers', 'deleteissuers', 'purge', 'listissuers', 'getissuers', 'managecontacts', 'manageissuers']
        secret-permissions: ["get"]
        object-id: "b7d674a2-7e88-47af-b772-5d90b4bf965a"
    end

    tags: {
        Name: "key-vault-examples"
    }
end
```
Certificate Commands

The following set of commands allows you to manage certificates in a key vault. Before using these commands you must have already created an `azure::key-vault`. The key vault must be managed by Gyro. Ensure a proper access policy is added to the key vault for the service principal you are using.
Add Certificate

Adds a certificate to a key vault using your certificate file (.pfx). Access policy needed (Upload, Insert).

```
gyro azure key-vault add-certificate <vault-name> <cert-name> <path> --password <password>
```

- `vault-name` - The name of the key-vault resource defined in your config where you want to create your certificate.
- `cert-name` - The name of the certificate that you want to create when you import the certificate file.
- `cert-path` - The path pointing to the certificate file to be uploaded. Only `.pfx` files are supported.
- `password` - An optional password if the certificate file was encrypted with one.
Remove Certificate

Removes a certificate from the key vault. Access policy needed (delete).

```
gyro azure key-vault remove-certificate <vault-name> <cert-name>
```

- `vault-name` - The name of the key-vault resource defined in your config from which to remove the certificate.
- `cert-name` - The name of the certificate that you want to remove.
List Certificate

Lists the certificates of a vault. Access policy needed (List).

```
gyro azure key-vault list-certificate <vault-name>
```

- `vault-name` - The name of the key-vault resource defined in your config that you want to list certificates from.
- `show-thumbprint` - An option that shows the x509 thumbprint of each certificate.
Secret Commands

The following set of commands allows you to manage secrets in a key vault. Before using these commands you must have already created an `azure::key-vault`. The key vault must be managed by Gyro. Ensure a proper access policy is added to the key vault for the service principal you are using.
Add Secret

Adds a secret to a key vault. Access policy needed (Set, Get).

```
gyro azure key-vault add-secret <vault-name> <secret-name> <value> --content-type <content-type>
```

- `vault-name` - The name of the key-vault resource defined in your config where you want to create your secret.
- `secret-name` - The name of the secret that you want to create.
- `value` - The secret value.
- `content-type` - An optional value specifying the content type of the secret.
- `expires` - An optional date-time value in UTC specifying the expiration time. Format 'YYYY-MM-DDTHH:MM:SS.sssZ'.
- `not-before` - An optional date-time value in UTC before which the secret is not valid. Format 'YYYY-MM-DDTHH:MM:SS.sssZ'.
- `enabled` - An optional value specifying whether the secret is enabled or disabled. Defaults to 'false'.
Remove Secret

Removes a secret from the key vault. Access policy needed (delete).

```
gyro azure key-vault remove-secret <vault-name> <secret-name>
```

- `vault-name` - The name of the key-vault resource defined in your config from which to remove the secret.
- `secret-name` - The name of the secret that you want to remove.
List Secret

Lists the secrets of a vault. Access policy needed (List).

```
gyro azure key-vault list-secret <vault-name>
```

- `vault-name` - The name of the key-vault resource defined in your config that you want to list secrets from.
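The certificate and secret commands above each need only a narrow slice of the permissions granted in the Example section. The following configuration, added here as an illustration and not part of the original page, scopes one access policy to an automation principal that runs `add-certificate` and `list-certificate`, and a second to a runtime identity that only reads secrets, while keeping soft delete on so a mistaken `remove-certificate` or `remove-secret` is recoverable. The mapping of those commands onto the `import`, `create`, `get` and `list` permission names taken from the page's example, the `#` comment syntax, and the two `object-id` values are assumptions; omitted permission lists are assumed to grant nothing.

```gyro
azure::key-vault vault-least-privilege
    resource-group: $(azure::resource-group resource-group-example-vault)
    name: "key-vault-least-privilege"

    # Deleted objects stay recoverable; purging stays a separate, deliberate step.
    enable-soft-delete: true
    enable-purge-vault: false

    # Assumed: the service principal that runs `gyro azure key-vault add-certificate`
    # and `list-certificate`. It can import and read certificates but cannot delete,
    # purge or manage issuers, and gets no key or secret permissions.
    # Placeholder object-id, not a real principal.
    access-policy
        certificate-permissions: ["import", "create", "get", "list"]
        object-id: "00000000-0000-0000-0000-000000000001"
    end

    # Assumed: the workload identity that only reads secret values at runtime.
    # Placeholder object-id, not a real principal.
    access-policy
        secret-permissions: ["get"]
        object-id: "00000000-0000-0000-0000-000000000002"
    end

    tags: {
        Name: "key-vault-least-privilege"
    }
end
```

Permissions for `remove-certificate` and `remove-secret` (delete) are deliberately left to a third, separately used principal rather than folded into the automation policy.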
Attributes

Attribute | Description |
---|---|
name | The name of the key vault. (Required) |
resource-group | The resource group under which the key vault would reside. (Required) |
tags (map) | Tags for the key vault. |
access-policy (set of subresource) | A set of access policy configs for the key vault. See Access Policy. |
enable-deployment | When set to `true`, virtual machines are permitted to retrieve certificates stored as secrets from the key vault. |
enable-template-deployment | When set to `true`, resource managers are permitted to retrieve certificates stored as secrets from the key vault. |
enable-disk-encryption | When set to `true`, disk managers are permitted to retrieve certificates stored as secrets from the key vault and unwrap keys. |
enable-purge-vault | When set to `true`, purges the vault upon deletion to remove the key vault beyond recovery. If set to `false`, the vault would be deleted but could be recovered for up to 90 days. During this time no other vault with the same name can be created. |
enable-soft-delete | When set to `true`, enables soft delete for the key vault. |
sku-tier | The SKU tier for the key vault. |
Outputs

Attribute | Description |
---|---|
id | The ID of the key vault. |
url | The URI of the key vault. |
location | The location of the key vault. |