@maskati
Created September 23, 2024 07:47
Add secrets to a private Key Vault from anywhere using the management plane

Key Vault secrets can be set through:

  • the data plane (the Key Vault REST API, e.g. az keyvault secret set), or
  • the management plane (Azure Resource Manager, e.g. a Bicep or ARM template, or az resource create).

There is a notable difference between these methods in how they honor the Key Vault network security and access model configuration.

  • Key Vaults with network restrictions will verify data plane operations against network access rules, and you will not be able to add or update a secret from the public Internet to a private Key Vault.
  • Key Vaults using the access policy or Key Vault RBAC permission model will restrict data plane operations according to those policies or role assignments, and you will not be able to add or update a secret without a matching policy entry or role (e.g. Key Vault Secrets Officer).

These restrictions, however, do not apply to management plane operations. This is why you can deploy secrets to a private Key Vault from a Bicep or ARM template without holding any access policy or Key Vault RBAC role: the resource write permission granted, for example, through the built-in Contributor role is enough.

We can make use of this to deploy secrets to a private Key Vault that uses the RBAC access model without a prepared Bicep or ARM template and without assigning ourselves any Key Vault RBAC role, by calling the Azure CLI az resource create command directly.

```powershell
# create resource group and key vault for testing (PowerShell 7.4+ for [random]::shared.getitems)
$rg = az group create -l westeurope -n rg-keyvaultarm | convertfrom-json
$kv = az keyvault create -g $rg.name -l $rg.location `
  -n "kv-$([random]::shared.getitems((48..57+97..122|%{[char]$_}),6) -join '')" `
  --public-network-access disabled --bypass none --retention-days 7 | convertfrom-json

# set a secret using the data plane => this will fail (public network access is disabled)
az keyvault secret set --vault-name $kv.name --name mykey --value mysecret

# set a secret using the ARM management plane => this will succeed (only needs resource write permission)
az resource create -g $rg.name `
  --namespace Microsoft.KeyVault --parent "vaults/$($kv.name)" --resource-type secrets `
  --name mykey --properties '{\"value\":\"mysecret\"}' `
  --query properties.secretUriWithVersion -o tsv
```
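The other side of this behaviour, as an added example that is not part of the gist: where a defender can see these management-plane secret writes and how to hand out Contributor-style rights without them. It assumes a logged-in Azure CLI session, the `$rg` variable from the snippet above, and that the subscription id returned by az account show is the scope you want the custom role assignable at; the role name and role.json path are made up here.

```powershell
# Added example (not from the gist). Management-plane secret writes are the ARM action
# Microsoft.KeyVault/vaults/secrets/write; they show up in the subscription Activity Log,
# which is where to look for them rather than in the vault's data-plane audit events.

# 1. Detection: who created or updated secrets through ARM in this resource group
#    in the last 30 days. Each operation logs a Started and a Succeeded/Failed entry.
$writes = az monitor activity-log list -g $rg.name --offset 30d `
  --query "[?operationName.value=='Microsoft.KeyVault/vaults/secrets/write'].{when:eventTimestamp,who:caller,status:status.value,resource:resourceId}" `
  | convertfrom-json
$writes | format-table -autosize

# 2. Mitigation: a custom role that grants everything Contributor would, except the
#    management-plane secret write. Holders must then use the data plane, where the vault's
#    network rules and Key Vault RBAC apply. The Microsoft.Authorization exclusions mirror
#    the built-in Contributor role; the name and file path are placeholders.
$sub = az account show --query id -o tsv
$roleName = "Contributor (no Key Vault secret writes)"
@"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Contributor without management-plane Key Vault secret writes",
  "Actions": [ "*" ],
  "NotActions": [
    "Microsoft.KeyVault/vaults/secrets/write",
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "AssignableScopes": [ "/subscriptions/$sub" ]
}
"@ | set-content -path ./role.json
# the argument is quoted so PowerShell does not treat @role.json as splatting
az role definition create --role-definition "@role.json"
```

Assign the custom role in place of Contributor for principals that deploy infrastructure but should not be able to seed vault secrets from outside the vault's network boundary.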