
Can I store JSON in an Azure Key Vault?

I have some JSON that I want to store in Azure Key Vault.

The data is not hierarchical, just like this:

{
  "type": "XXXXXX",
  "project_id": "XXXXXX",
  "private_key_id": "XXXXXXXX"
}

But I have 4 sets of JSON Data and there are about secrets in each one, so I am hoping that I do not have to break these out into separate keys, but if I must I will do this.

Bryan Schmiedeler asked Jan 02 '19 15:01




2 Answers

Consider this to be a valid statement to add a secret to an Azure Key Vault using the Azure CLI:

az keyvault secret set --vault-name "<YourKeyVaultName>" --name "AppSecret" --value "MySecret"

(taken from Tutorial: Use Azure Key Vault with an Azure web app in .NET)

Building on this, I do not see any reason the value MySecret couldn't be a JSON string.

Investigating a bit further, have a look at About keys, secrets, and certificates - Key Vault secrets:

From a developer's perspective, Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each.

So as long as your JSON is under the 25k limit, you should be good to go.

rickvdbosch answered Sep 23 '22 06:09


The trick is to properly escape the quotes (\`" = backslash, backtick & double quote) on the PowerShell command line in such a way as to satisfy both JSON and PowerShell formats for escaping quotes. Here is an example of how you would add your JSON string as the secret's value. Note the text in the --value has a \`" escape sequence for every quote that needs escaping. PowerShell needs the backtick to escape the double quote on the command line. A JSON string needs the backslash to escape a double quote. So, you get the backtick placed in-between the backslash and double quote (\`") thus satisfying both PowerShell and JSON:

az keyvault secret set `
   --vault-name "<YourKeyVaultName>" `
   --name "AppSecret" `
   --description "An optional description" `
   --disabled false `
   --value "{\`"type\`":\`"XXXXXX\`",\`"project_id\`":\`"XXXXXX\`",\`"private_key_id\`":\`"XXXXXXXX\`"}"

Al Dass answered Sep 23 '22 06:09
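
An added example, not taken from either answer: it covers the size limit from the first answer and the quoting problem from the second by serialising the JSON in PowerShell and passing it to the CLI with `--file`, so no quote escaping is needed and the value never appears on the command line or in shell history. It assumes a logged-in Azure CLI with set/get permission on the vault; the vault name, secret name and the 25000-byte threshold (a conservative reading of the documented "25k bytes") are placeholders and assumptions.

```powershell
# Added example; names below are placeholders, not values from a real vault.
$VaultName  = '<YourKeyVaultName>'
$SecretName = 'AppSecret'
$MaxBytes   = 25000   # assumption: conservative reading of the "25k bytes" limit

# Build the document as an object and let PowerShell produce valid JSON,
# instead of hand-escaping quotes inside a string literal.
$json = [ordered]@{
    type           = 'XXXXXX'
    project_id     = 'XXXXXX'
    private_key_id = 'XXXXXXXX'
} | ConvertTo-Json -Compress

# Key Vault stores the value as bytes, so measure the UTF-8 encoding.
$bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
if ($bytes.Length -gt $MaxBytes) {
    throw "Secret is $($bytes.Length) bytes; limit assumed here is $MaxBytes."
}

$tmp = New-TemporaryFile
try {
    # WriteAllBytes avoids the BOM that some PowerShell versions add to text files.
    [System.IO.File]::WriteAllBytes($tmp.FullName, $bytes)

    az keyvault secret set `
        --vault-name $VaultName `
        --name $SecretName `
        --file $tmp.FullName `
        --encoding utf-8 `
        --content-type 'application/json' `
        --output none
    if ($LASTEXITCODE -ne 0) { throw 'az keyvault secret set failed.' }
}
finally {
    # Do not leave the plaintext secret on disk.
    Remove-Item -LiteralPath $tmp.FullName -Force
}

# Read the secret back and confirm it still parses as the same JSON.
$stored = az keyvault secret show --vault-name $VaultName --name $SecretName `
    --query value --output tsv
if ($LASTEXITCODE -ne 0) { throw 'az keyvault secret show failed.' }

$roundTrip = ($stored -join "`n") | ConvertFrom-Json
if ($roundTrip.project_id -ne 'XXXXXX') { throw 'Round-trip check failed.' }
'Stored {0} bytes of JSON in secret {1}.' -f $bytes.Length, $SecretName
```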