8

I have some JSON that I want to store in Azure Key Vault.

The data is not hierarchical just like this:

{
  "type": "XXXXXX",
  "project_id": "XXXXXX",
  "private_key_id": "XXXXXXXX"
}

But I have 4 sets of JSON Data and there are about secrets in each one, so I am hoping that I do not have to break these out into separate keys, but if I must I will do this.

Bryan Schmiedeler

3 Answers

7

Consider this to be a valid statement to add a secret to an Azure Key Vault using the Azure CLI:

az keyvault secret set --vault-name "<YourKeyVaultName>" --name "AppSecret" --value "MySecret", taken from Tutorial: Use Azure Key Vault with an Azure web app in .NET

Building on this, I do not see any reason the value MySecret couldn't be a JSON string.

Investigating a bit further, have a look at About keys, secrets, and certificates - Key Vault secrets:

From a developer's perspective, Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each.

So as long as your JSON is under the 25k limit, you should be good to go.

rickvdbosch
  • 1
    @rickvdbosh can we have an example of that for example "OktaConfig": { "OktaDomain": "test", "ClientId": "test", "ClientSecret": "test", "redirectUrl": "test" } – San Jaisy Oct 07 '19 at 07:23
6

The trick is to properly escape the quotes (\`" = backslash, backtick & double quote) on the PowerShell command line in such a way as to satisfy both JSON and PowerShell formats for escaping quotes. Here is an example of how you would add your JSON string as the secret's value. Note the text in the --value has a \`" escape sequence for every quote that needs escaping. PowerShell needs the backtick to escape the double quote on the command line. A JSON string needs the backslash to escape a double quote. So, you get the backtick placed in-between the backslash and double quote (\`") thus satisfying both PowerShell and JSON:

az keyvault secret set `
   --vault-name "<YourKeyVaultName>" `
   --name "AppSecret" `
   --description "An optional description" `
   --disabled false `
   --value "{\`"type\`":\`"XXXXXX\`",\`"project_id\`":\`"XXXXXX\`",\`"private_key_id\`":\`"XXXXXXXX\`"}"
Al Dass
0

I solved this (as I was already getting the config from file) by using the --file argument instead. It saves the JSON exactly as it is in the file.

az keyvault secret set --name "<SecretKeyName>" --vault-name "<KeyVaultName>" --file "<RelativeFilePath>"
SEMICS
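
An added example, not taken from any of the answers above: a Python wrapper that combines the size limit quoted in the first answer with the `--file` upload from the last one, so the JSON never appears on the command line or in the CLI's output. The function names, the sample data and the reading of "25k" as 25,000 bytes are assumptions.

```python
import json
import os
import shutil
import subprocess
import tempfile

# The page quotes a "25k bytes" cap; read conservatively here as 25,000 (assumption).
MAX_SECRET_BYTES = 25_000


def pack_secret(obj: dict) -> bytes:
    """Serialize a JSON object compactly and enforce the cap in bytes, not characters."""
    data = json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    if len(data) > MAX_SECRET_BYTES:
        raise ValueError(f"secret is {len(data)} bytes, over the {MAX_SECRET_BYTES}-byte cap")
    return data


def unpack_secret(value: str) -> dict:
    """Parse a secret value read back from the vault; reject anything but an object."""
    obj = json.loads(value)
    if not isinstance(obj, dict):
        raise ValueError("secret value is not a JSON object")
    return obj


def store_secret(vault: str, name: str, obj: dict) -> None:
    """Upload via --file so the JSON stays out of argv and shell history."""
    data = pack_secret(obj)
    az = shutil.which("az")  # also resolves az.cmd on Windows
    if az is None:
        raise RuntimeError("Azure CLI not found on PATH")
    fd, path = tempfile.mkstemp(suffix=".json")  # mode 0600 on POSIX
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        # --output none: 'secret set' otherwise echoes the stored value to stdout.
        subprocess.run([az, "keyvault", "secret", "set", "--vault-name", vault,
                        "--name", name, "--file", path, "--output", "none"], check=True)
    finally:
        os.remove(path)


# Constructed sample mirroring the question's shape (placeholder values, not real data).
SAMPLE = {"type": "XXXXXX", "project_id": "XXXXXX", "private_key_id": "XXXXXXXX"}

if __name__ == "__main__":
    packed = pack_secret(SAMPLE)
    print(len(packed), "bytes:", packed.decode("utf-8"))
```

`store_secret` needs a logged-in Azure CLI and a real vault name; the other two functions run offline.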