Putting RSA keys into Azure Key Vault
Solution 1
You could use the Azure CLI to upload id_rsa to Azure Key Vault.
azure keyvault secret set --name shui --vault-name shui --file ~/.ssh/id_rsa
You could use -h to get help.
--file <file-name> the file that contains the secret value to be uploaded; cannot be used along with the --value or --json-value flag
You could also download secret from key vault.
az keyvault secret download --name shui --vault-name shui --file ~/.ssh/id_rsa
I compared the keys in my lab. They are the same.
Solution 2
The previous answer by Shengbao Shui shows the command to store a secret using the Azure CLI 1.0 (Node). For Azure CLI 2.0 (Python) use the following syntax:
Set / Store Key:
az keyvault secret set --vault-name 'myvault' -n 'secret-name' -f '~/.ssh/id_rsa'
Arguments
    --name -n    [Required] : Name of the secret.
    --vault-name [Required] : Name of the key vault.
    --description           : Description of the secret contents (e.g. password, connection string, etc).
    --disabled              : Create secret in disabled state. Allowed values: false, true.
    --expires               : Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
    --not-before            : Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
    --tags                  : Space-separated tags in 'key[=value]' format. Use '' to clear existing tags.

Content Source Arguments
    --encoding -e           : Source file encoding. The value is saved as a tag (`file-encoding=<val>`) and used during download to automatically encode the resulting file. Allowed values: ascii, base64, hex, utf-16be, utf-16le, utf-8. Default: utf-8.
    --file -f               : Source file for secret. Use in conjunction with '--encoding'.
    --value                 : Plain text secret value. Cannot be used with '--file' or '--encoding'.

Global Arguments
    --debug                 : Increase logging verbosity to show all debug logs.
    --help -h               : Show this help message and exit.
    --output -o             : Output format. Allowed values: json, jsonc, table, tsv. Default: json.
    --query                 : JMESPath query string. See http://jmespath.org/ for more information and examples.
    --verbose               : Increase logging verbosity. Use --debug for full debug logs.
Retrieve / Get Key:
Save the key to a file ~/.ssh/mykey using the jq utility.
az keyvault secret show --vault-name myvault --name 'secret-name' | jq -r .value > ~/.ssh/mykey
Files may print with a trailing newline, which you can remove with a perl one-liner:
perl -pi -e 'chomp if eof' ~/.ssh/mykey
# Set permissions to user-read only
chmod 600 ~/.ssh/mykey
Generate the public key from the private key file:
ssh-keygen -y -f ~/.ssh/mykey > ~/.ssh/mykey.pub
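The two answers above cover the `az` commands; the part that bites in practice is everything around them: a multi-line key has to survive the trip as a single secret value, the `value` field of `az keyvault secret show` has to be unpacked (and base64-decoded when it was stored with `-e base64`, which the CLI records in the `file-encoding` tag), a key whose newlines were flattened into spaces should be rejected rather than written, and the file should be created with mode 0600 from the first byte instead of written world-readable and then chmod'ed. The following is an added example, not code from either answer or from the Azure CLI; it does not call `az` at all. The key material and the JSON that stands in for `az keyvault secret show -o json` output are constructed placeholders.

```python
"""Handling an SSH private key stored in Azure Key Vault as a secret.

Added example, not from the original answers. It does not call `az`; it
covers the steps around the CLI calls: turning the multi-line key into a
single base64 line for storage, decoding what `az keyvault secret show`
prints, detecting a key whose newlines were flattened, and writing the
file with mode 0600 at creation time.
"""
import base64
import json
import os
import stat
import tempfile

# Constructed placeholder, not real key material.
SAMPLE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
    "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def encode_for_vault(key_text: str) -> str:
    """Base64 the whole file so it is a single line that survives --value
    or a portal paste. `az keyvault secret set -f key -e base64` does the
    same and additionally records the tag file-encoding=base64."""
    return base64.b64encode(key_text.encode("utf-8")).decode("ascii")


def decode_from_vault(show_output: str) -> str:
    """Take the JSON printed by `az keyvault secret show -o json` and
    return the key text, base64-decoding when the file-encoding tag says so."""
    secret = json.loads(show_output)
    value = secret["value"]
    tags = secret.get("tags") or {}
    if tags.get("file-encoding") == "base64":
        value = base64.b64decode(value).decode("utf-8")
    return value


def check_pem_layout(key_text: str) -> list:
    """Return a list of problems (empty when the key looks intact).
    Catches the failure from the question: newlines turned into spaces
    when a multi-line value is pasted into a single-line field."""
    problems = []
    lines = key_text.strip().splitlines()
    if len(lines) < 3:
        problems.append("key is not multi-line: newlines were probably flattened")
        return problems
    if not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        problems.append("missing PEM BEGIN/END markers")
    if any(" " in line for line in lines[1:-1]):
        problems.append("spaces inside the base64 body: key is corrupted")
    return problems


def write_private_key(path: str, key_text: str) -> str:
    """Create the file with mode 0600 at creation time (no window where it
    is world-readable, no chmod race) and end it with exactly one newline,
    the form ssh-keygen itself writes. Refuses to overwrite an existing file."""
    problems = check_pem_layout(key_text)
    if problems:
        raise ValueError("; ".join(problems))
    body = key_text.rstrip("\n") + "\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Round trip: encode -> (pretend) store -> show output -> decode -> write."""
    stored = encode_for_vault(SAMPLE_KEY)
    # Constructed stand-in for what `az keyvault secret show -o json` prints
    # after `az keyvault secret set -f ~/.ssh/id_rsa -e base64`.
    show_output = json.dumps({
        "name": "secret-name",
        "value": stored,
        "tags": {"file-encoding": "base64"},
    })
    key_text = decode_from_vault(show_output)
    out_dir = tempfile.mkdtemp()
    path = write_private_key(os.path.join(out_dir, "mykey"), key_text)
    with open(path) as fh:
        on_disk = fh.read()
    return {"path": path, "mode": file_mode(path), "intact": on_disk == SAMPLE_KEY}


if __name__ == "__main__":
    print(demo())
```

Storing the key with `-e base64` (or pre-encoding it as `encode_for_vault` does) is what keeps the newline structure intact; on the way back, `az keyvault secret download` honours the `file-encoding` tag for you, while `az keyvault secret show` hands you the raw value and you decode it yourself, as `decode_from_vault` does. Whichever route you take, the permission check at the end is worth keeping: a private key that spends even a moment at 0644 on a shared VM is a key you should consider rotating.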
MercilessMaverick
Updated on September 18, 2022

Comments
-
MercilessMaverick, over 1 year ago:
How can I store my key pair (typically id_rsa and id_rsa.pub) in Azure Key Vault? I want to put the public key in my Git service and allow a virtual machine to download the private key from Azure Key Vault, so that it can access Git securely.
I tried making a pair of PEM files and combining them into a PFX and uploading that as a secret, but the file I get back appears to be completely different from either PEM file.
I also tried manually inputting my secret key into Azure, but it turns the newlines into spaces.
-
Reaces, about 7 years ago: I really appreciate all your answers here, thx!
-
Shui shengbao, about 7 years ago: @Reaces I am glad to know my answer is helpful to you.
-
Reaces, about 7 years ago: Sorry, I'm not the OP, I just read this and tested it and filed it away as useful knowledge and felt I owed you a vote up + comment :). Apologies for the confusion.
-
Net Runner, about 7 years ago:
> Sorry, I'm not the OP, I just read this and tested it and filed it away as useful knowledge and felt I owed you a vote up + comment :)
Sounds funny. Such a friendly community.
-
MercilessMaverick, about 7 years ago: I'm OP, thanks a lot Walter! I couldn't get the native CLI to work but did it through Python. I was able to log in, store my key and retrieve it. The -h tip was really helpful because it shows much more information than when you just get something wrong.
-
Shui shengbao, over 6 years ago: @sg Hi, do you use CLI 1.0? -u vault name -s secret name.
-
Gregory Suvalian, over 6 years ago: FYI, the following is the proper way to get a secret, since `get` does not work anymore:
az keyvault secret download --name <KeyNameHere> --vault-name <vaultNamehere> --file <filename here>