23

How can I store my key pair (typically the id_rsa and id_rsa.pub) in Azure Key Vault? I want to put the public key in my GIT service and allow a virtual machine to download the private key from Azure Key Vault, so that it can access GIT securely.

I tried making a pair of PEM files and combining them into a pfx and uploading that as a secret, but the file I get back appears to be completely different to either PEM file.

I also tried manually inputting my secret key into Azure but it turns the newlines into spaces.

MercilessMaverick

3 Answers

37

You could use Azure CLI to upload id_rsa to Azure Key Vault.

azure keyvault secret set --name shui --vault-name shui --file ~/.ssh/id_rsa

You could use -h to get help.

--file <file-name>                 the file that contains the secret value to be uploaded; cannot be used along with the --value or --json-value flag

You could also download secret from key vault.

az keyvault secret download --name shui --vault-name shui --file ~/.ssh/id_rsa

I compared the keys in my lab. They are the same.

jsturtevant
Shui shengbao
  • I really appreciate all your answers here, thx! – Reaces May 04 '17 at 07:39
  • @Reaces I am glad to know my answer is helpful to you. – Shui shengbao May 04 '17 at 07:48
  • Sorry, I'm not the OP, I just read this and tested it and filed it away as useful knowledge and felt I owed you a vote up + comment :). Apologies for the confusion. – Reaces May 04 '17 at 12:02
  • >Sorry, I'm not the OP, I just read this and tested it and filed it away as useful knowledge and felt I owed you a vote up + comment :) Sounds funny. So friendly community. – Net Runner May 04 '17 at 14:04
  • I'm OP, thanks a lot Walter! I couldn't get the native CLI to work but did it through Python. Was able to log in, store my key and retrieve it. The -h tip was really helpful because it shows much more information than when you just get something wrong. – MercilessMaverick May 04 '17 at 14:41
  • what are the `-u` and `-s` flags? I don't see them on `azure-cli (2.0.14)` – s g Oct 23 '17 at 23:50
  • @sg Hi, do you use CLI 1.0? -u is the vault name, -s is the secret name. – Shui shengbao Oct 24 '17 at 02:44
  • FYI, the following is the proper way to get a secret; `get` does not work anymore. `az keyvault secret download --name --vault-name --file ` – Gregory Suvalian Jan 03 '18 at 01:06
  • The azure command line tool (in Python) is az NOT azure. So the command above needs to have azure replaced with az. The second command's syntax is correct. – Frederick Ollinger Aug 08 '22 at 19:58
19

The previous answer by Shengbao Shui shows the command to store a secret using the Azure CLI 1.0 (Node). For Azure CLI 2.0 (Python) use the following syntax:

Set / Store Key:

az keyvault secret set --vault-name 'myvault' -n 'secret-name' -f '~/.ssh/id_rsa'

Arguments:

Arguments
    --name -n    [Required]: Name of the secret.
    --vault-name [Required]: Name of the key vault.
    --description          : Description of the secret contents (e.g. password, connection string,
                             etc).
    --disabled             : Create secret in disabled state.  Allowed values: false, true.
    --expires              : Expiration UTC datetime  (Y-m-d'T'H:M:S'Z').
    --not-before           : Key not usable before the provided UTC datetime  (Y-m-d'T'H:M:S'Z').
    --tags                 : Space-separated tags in 'key[=value]' format. Use '' to clear existing
                             tags.

Content Source Arguments
    --encoding -e          : Source file encoding. The value is saved as a tag (`file-
                             encoding=<val>`) and used during download to automatically encode the
                             resulting file.  Allowed values: ascii, base64, hex, utf-16be,
                             utf-16le, utf-8.  Default: utf-8.
    --file -f              : Source file for secret. Use in conjunction with '--encoding'.
    --value                : Plain text secret value. Cannot be used with '--file' or '--encoding'.

Global Arguments
    --debug                : Increase logging verbosity to show all debug logs.
    --help -h              : Show this help message and exit.
    --output -o            : Output format.  Allowed values: json, jsonc, table, tsv.  Default:
                             json.
    --query                : JMESPath query string. See http://jmespath.org/ for more information
                             and examples.
    --verbose              : Increase logging verbosity. Use --debug for full debug logs.

Retrieve / Get Key:

Save the key to a file ~/.ssh/mykey using the jq utility.

az keyvault secret show --vault-name myvault --name 'secret-name' | jq -r .value > ~/.ssh/mykey

Files may print with a trailing newline, which you can remove with a perl one-liner:

perl -pi -e 'chomp if eof' ~/.ssh/mykey

# Set permissions to user-read only
chmod 600 ~/.ssh/mykey

Generate the public key from the private key file...

ssh-keygen -y -f ~/.ssh/mykey > ~/.ssh/mykey.pub
Highway of Life
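A helper for the retrieve step described above, as an added example that is not part of this answer: it takes the JSON printed by `az keyvault secret show`, checks that the value is still a line-structured PEM key (the newline-to-space corruption from the question), trims the doubled trailing newline that the perl one-liner removes, and writes the file with 0600 permissions. The sample JSON and key body are constructed placeholders; the `az` call itself is assumed to have been run beforehand.

```python
import json
import os
import re
import tempfile

# Constructed sample of `az keyvault secret show` output; the key body is a
# placeholder, not a real key. Note the doubled trailing newline the answer trims.
SAMPLE_SECRET_JSON = json.dumps({
    "name": "secret-name",
    "value": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
             "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
             "-----END OPENSSH PRIVATE KEY-----\n\n",
})

# Constructed sample of the failure in the question: newlines turned into spaces.
COLLAPSED_VALUE = ("-----BEGIN OPENSSH PRIVATE KEY----- "
                   "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= "
                   "-----END OPENSSH PRIVATE KEY-----")

# BEGIN line, one or more body lines, END line, exactly one final newline.
PEM_RE = re.compile(r"\A-----BEGIN [A-Z ]*PRIVATE KEY-----\n(?:[^\n]*\n)+"
                    r"-----END [A-Z ]*PRIVATE KEY-----\n\Z")

def normalize_key(value: str) -> str:
    """Fold CRLF to LF and leave exactly one trailing newline."""
    return value.replace("\r\n", "\n").strip() + "\n"

def looks_like_private_key(value: str) -> bool:
    """True if the value is still a line-structured PEM private key."""
    return PEM_RE.match(normalize_key(value)) is not None

def install_key(secret_json: str, dest: str) -> str:
    """Write the secret value from `az keyvault secret show` JSON to dest, mode 0600."""
    value = json.loads(secret_json)["value"]
    if not looks_like_private_key(value):
        raise ValueError("secret is not a PEM private key (newlines lost when stored?)")
    key = normalize_key(value)
    # Create the file owner-only from the start; chmod also tightens a pre-existing file.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    os.chmod(dest, 0o600)
    return key

def demo() -> tuple:
    """Install the sample into a temp dir: (key text, file mode, collapsed value rejected)."""
    dest = os.path.join(tempfile.mkdtemp(), "mykey")
    key = install_key(SAMPLE_SECRET_JSON, dest)
    return key, os.stat(dest).st_mode & 0o777, not looks_like_private_key(COLLAPSED_VALUE)
```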
0

If we want to store the ssh key in KeyVault in ASCII encoded format then we can use the below command.

az keyvault secret set --vault-name <KEY_VAULT_NAME> --name <NAME_OF_THE_KEY> --file <PATH_OF_THE_SSH_KEY_FILE> --encoding ascii

chiru