 

Cannot set secret value in Azure Key Vault

I am trying to create a "secret value" using Azure Key Vault. I am following a tutorial from Microsoft located here: https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/

I was able to create a Key Vault using ...

New-AzureRmKeyVault -VaultName 'MyKeyVaultName' -ResourceGroupName 'MyResourceGroup' -Location 'West US'

I can also verify it was created by using ...

Get-AzureRmKeyVault

I am able to create the secret value by using the following ...

$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

However when I try to set the key ...

$secret = Set-AzureKeyVaultSecret -VaultName 'MyKeyVaultName' -Name 'SQLPassword' -SecretValue $secretvalue

I get an error that says

Set-AzureKeyVaultSecret : Operation "set" is not allowed

I thought that I had gained all access to the Key Vault by creating it? Do I need to add specific permissions?

Here is a screen capture of the error from PowerShell.

webworm asked Mar 17 '16 20:03


People also ask

Does not have secrets set permission on key vault Azure?

This error usually comes when the application/user doesn't have permission to access the resource, the Key Vault in this case, which is secured by the Azure AD tenant. It seems the access policy has not been defined for the security principal, which can be an application or user group, to perform different operations on Key Vaults.

How do I update my Azure key vault secret?

You can only change secret attributes such as the expiration date and activation date. You cannot change a secret's value programmatically or via the Azure Portal. If you want to update your secret without creating a new vault (meaning the secret identifier still remains intact), you can create a new version of the existing secret.


2 Answers

Likely a permissions issue. Try the following:

Set-AzureRmKeyVaultAccessPolicy -VaultName '{your vault name}' -UserPrincipalName '{your account email}' -PermissionsToKeys all -PermissionsToSecrets all
Lars answered Sep 23 '22 02:09
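Granting `all` on both keys and secrets is broader than the task needs. The following is an added example (not code from either answer) using the same AzureRm-era cmdlets: it grants the signed-in user only the secret permissions required to set and read a secret, shows the resulting policy, and then repeats the `set` that failed. The vault name and secret name come from the question; the account email is a placeholder.

```powershell
# Added example: least-privilege access policy for the failing "set" operation.
# Vault and secret names are taken from the question; the UPN is a placeholder.
$vaultName = 'MyKeyVaultName'
$upn       = 'user@example.com'   # assumption: UPN of the signed-in user

# Grant only what setting and reading a secret needs (no delete/purge, no key rights).
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -UserPrincipalName $upn `
    -PermissionsToSecrets get,list,set

# Review which principals now have which rights on the vault.
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets

# The operation that previously failed with 'Operation "set" is not allowed'.
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $vaultName `
    -Name 'SQLPassword' -SecretValue $secretvalue

# Read the secret back; the "get" permission is what allows this call.
(Get-AzureKeyVaultSecret -VaultName $vaultName -Name 'SQLPassword').SecretValueText
```

If the `set` still fails after the policy is applied, the account running the session is not the principal the policy was written for; compare the `DisplayName` values in the policy output with the identity shown by `Get-AzureRmContext`.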


The problem you are having is that you are not creating a key to attach a secret to. You need to call Add-AzureKeyVaultKey to create that key, like this...

# Select the vault by name; without -VaultName the cmdlet returns every vault in the subscription.
$vault = Get-AzureRmKeyVault -VaultName 'MyKeyVaultName'

$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' `
              -AsPlainText -Force

# Create the key.
$key = Add-AzureKeyVaultKey -VaultName $vault.VaultName `
              -Name Test01 `
              -Destination Software

# Store the secret value (this call was missing; without it the read below returns nothing).
$secret = Set-AzureKeyVaultSecret -VaultName $vault.VaultName `
              -Name Test01 `
              -SecretValue $secretvalue

# Read the secret back.
(Get-AzureKeyVaultSecret -VaultName $vault.VaultName `
              -Name Test01).SecretValueText

which returns

Pa$$w0rd

Michael B answered Sep 24 '22 02:09