
I created an Azure Key Vault in the specified subscription. I followed this article,

https://learn.microsoft.com/en-us/rest/api/keyvault/keyvaultpreview/vaults/createorupdate#examples

When the API was called, the Azure vault was created successfully. Now I also need to create a key for the created Key Vault. Is it possible to create the key at the time of the Azure Key Vault creation?

Jinesh
  • You'll need to use the Key Vault API, Azure's ARM API can only create the vault. – juunas Jul 26 '18 at 10:51
  • Ok, is it possible to create the key at the time of Azure Key Vault creation (not calling a separate API)? – Jinesh Jul 26 '18 at 10:58
  • No, you will have to make a separate call, though it can be automated as well. – juunas Jul 26 '18 at 10:59
  • Is it necessary to set any permission in Azure Key Vault for creating a new key? – Jinesh Jul 27 '18 at 05:25
  • Yes, you will need to create an access policy in the key vault when you create it that allows your script to create keys :) – juunas Jul 27 '18 at 05:26
  • "accessPolicies": [ { "tenantId": "00000000-0000-0000-0000-000000000000", "objectId": "00000000-0000-0000-0000-000000000000", "permissions": { "keys": [ "encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify", "get", "list", "create", "update", "import", "delete", "backup", "restore", "recover", "purge" ], - – Jinesh Jul 27 '18 at 05:33
  • I already created the key vault with these access policies, but I get a forbidden error. – Jinesh Jul 27 '18 at 05:35
  • The operation "List" is not enabled in this key vault's access policy. - This message is shown in the Keys section even after setting permissions. – Jinesh Jul 27 '18 at 05:48
  • Have you given your user access too? :) – juunas Jul 27 '18 at 05:55
  • Out of interest do you especially need to use the REST API directly? The SDKs / ARM templates provide this feature for you? – Alex KeySmith Jul 27 '18 at 21:25

1 Answer

Is it possible to create the key at the time of the Azure Key Vault creation?

As juunas said, you need to make a separate call to achieve what you want.

I tested it with the following code; it works correctly on my side. The resourceUri is https://vault.azure.net. For more details, you could refer to this SO thread.

In the Key Vault channel, you need to add policies for your registered application or user, and in Access Control you need to add permissions for your registered application or user.

using System;
using System.Net.Http;
using System.Text;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

// Service principal credentials (placeholders); this principal must be listed in the vault's access policy.
var appId = "0000000000000000000000000000000";
var secretKey = "******************************************";
var tenantId = "0000000000000000000000000000000";
// Acquire a token whose audience (resourceUri) is the Key Vault data plane, not ARM.
var context = new AuthenticationContext("https://login.windows.net/" + tenantId);
ClientCredential clientCredential = new ClientCredential(appId, secretKey);
var tokenResponse = context.AcquireTokenAsync("https://vault.azure.net", clientCredential).Result;
var accessToken = tokenResponse.AccessToken;
using (var client = new HttpClient())
{
    client.DefaultRequestHeaders.Add("Authorization", "Bearer " + accessToken);
    // Replace xxxxxx with the vault name and xxxx with the key name.
    var requestUrl = "https://xxxxxx.vault.azure.net/keys/xxxx/create?api-version=2016-10-01";
    string body = "{\"kty\": \"RSA\"}";
    var stringContent = new StringContent(body, Encoding.UTF8, "application/json");
    var response = client.PostAsync(requestUrl, stringContent).Result;
    // A 403 here means the token's principal is missing from the vault's access policy (keys: create).
    Console.WriteLine((int)response.StatusCode);
    Console.WriteLine(response.Content.ReadAsStringAsync().Result);
}


Joey Cai
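The two-step flow the answer describes (ARM creates the vault, the Key Vault data-plane API creates the key, each with its own token audience, and the caller must appear in the vault's accessPolicies or the key call is forbidden), as an added Python example that is not code from the question or the answer. The ARM api-version 2016-10-01 for Microsoft.KeyVault/vaults, the westeurope location, the FakeAzure stand-in and every id and token value are assumptions or constructed placeholders; the `send` parameter lets the same calls run offline against the stand-in or, with `send=None`, against the real endpoints.

```python
"""Added example: vault via ARM, then key via the Key Vault data plane, with
an injectable transport so the access-policy failure mode can be shown offline."""
import json
import urllib.parse
import urllib.request

# Two different token audiences: ARM manages the vault resource, the data plane manages keys.
ARM_RESOURCE = "https://management.azure.com/"
VAULT_RESOURCE = "https://vault.azure.net"   # the resourceUri the answer uses

# Least-privilege key permissions for a principal that only has to create and list keys.
MIN_KEY_PERMISSIONS = ("get", "list", "create")


def vault_body(location, tenant_id, object_id, key_permissions=MIN_KEY_PERMISSIONS):
    """ARM PUT body: the vault plus one access policy for the principal that will create keys."""
    return {
        "location": location,
        "properties": {
            "tenantId": tenant_id,
            "sku": {"family": "A", "name": "standard"},
            "accessPolicies": [{
                "tenantId": tenant_id,
                "objectId": object_id,
                "permissions": {"keys": list(key_permissions)},
            }],
        },
    }


def granted_key_permissions(vault, tenant_id, object_id):
    """Key permissions a vault resource grants to (tenant, object); empty means a data-plane 403."""
    granted = set()
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        if (policy.get("tenantId", "").lower() == tenant_id.lower()
                and policy.get("objectId", "").lower() == object_id.lower()):
            granted.update(p.lower() for p in policy.get("permissions", {}).get("keys", []))
    return granted


def send_json(method, url, token, body, send=None):
    """One bearer-authenticated JSON request; `send` replaces the network for offline use."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    if send is not None:
        return send(req)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def create_vault(subscription_id, resource_group, vault_name, body, arm_token, send=None):
    """Step 1: ARM call with a token for ARM_RESOURCE (api-version value is an assumption)."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/"
           f"{resource_group}/providers/Microsoft.KeyVault/vaults/{vault_name}?api-version=2016-10-01")
    return send_json("PUT", url, arm_token, body, send)


def create_key(vault_name, key_name, vault_token, kty="RSA", key_size=2048, send=None):
    """Step 2: data-plane call with a token for VAULT_RESOURCE, as in the answer's C# code."""
    url = f"https://{vault_name}.vault.azure.net/keys/{key_name}/create?api-version=2016-10-01"
    return send_json("POST", url, vault_token, {"kty": kty, "key_size": key_size}, send)


def provision(subscription_id, resource_group, vault_name, key_name, tenant_id,
              caller_object_id, arm_token, vault_token, send=None):
    """Full flow: vault with a policy for the caller, then the key in that vault."""
    body = vault_body("westeurope", tenant_id, caller_object_id)
    create_vault(subscription_id, resource_group, vault_name, body, arm_token, send)
    return create_key(vault_name, key_name, vault_token, send=send)


class FakeAzure:
    """Constructed offline stand-in for both endpoints: stores the vault body from the ARM
    PUT and enforces that vault's access policy on the key create, so the forbidden error
    from the question (caller missing from accessPolicies) is reproducible without Azure."""

    def __init__(self, caller_tenant, caller_object_id):
        self.caller = (caller_tenant, caller_object_id)   # principal behind the bearer token
        self.vaults = {}
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        url, body = urllib.parse.urlparse(req.full_url), json.loads(req.data)
        if url.hostname == "management.azure.com":
            name = url.path.rsplit("/", 1)[-1]
            self.vaults[name] = body
            return {"name": name, "properties": body["properties"]}
        vault = self.vaults.get(url.hostname.split(".")[0])
        if vault is None:
            return {"error": {"code": "VaultNotFound"}}
        if "create" not in granted_key_permissions(vault, *self.caller):
            return {"error": {"code": "Forbidden",   # constructed message, modelled on the question's
                              "message": "Operation \"create\" is not enabled in this key vault's access policy."}}
        key_name = url.path.split("/keys/")[1].split("/")[0]
        return {"key": {"kid": f"https://{url.hostname}/keys/{key_name}/constructed-version", "kty": body["kty"]}}


if __name__ == "__main__":
    # Constructed ids and tokens; caller matches the policy, so the key is created.
    fake = FakeAzure("tenant-0000", "app-object-id")
    print(provision("sub-0000", "rg-demo", "kv-demo", "key1", "tenant-0000",
                    "app-object-id", "arm-token", "vault-token", send=fake))
    # Policy names the app, but the token belongs to a user not in the policy: Forbidden.
    other = FakeAzure("tenant-0000", "user-object-id")
    print(provision("sub-0000", "rg-demo", "kv-demo", "key1", "tenant-0000",
                    "app-object-id", "arm-token", "vault-token", send=other))
```

The second run is the situation in the comments above: the vault exists and has a policy, but the policy's objectId is not the principal whose token is being presented, so the data plane refuses the key operation even though the ARM call succeeded. Checking `granted_key_permissions` against the caller's objectId before the key call is a cheap way to catch that mismatch early.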