25

How can I store my key pair (typically the id_rsa and id_rsa.pub) in azure key vault. I want to put the public key in my GIT service and allow a virtual machine to download the private key from Azure key vault -> So that it can access GIT securely.

I tried making a pair of PEM files and combining them into a pfx and uploading that as a secret bu the file I get back appears to be completely different to either pem file.

I also tried manually inputting my secret key into Azure but it turns the newlines into spaces.

Improve this question
0

3 Answers 3

Reset to default
41

You could use Azure CLI to upload id_rsa to Azure Key Vault. 

azure keyvault secret set --name shui --vault-name shui --file ~/.ssh/id_rsa

You could use -h to get help.

--file <file-name> the file that contains the secret value to be uploaded; cannot be used along with the --value or --json-value flag

You could also download secret from key vault.

az keyvault secret download --name shui --vault-name shui --file ~/.ssh/id_rsa

I compare the keys on my lab. They are same.

Improve this answer
7
  • Sorry, I'm not the OP, I just read this and tested it and filed it away as useful knowledge and felt I owed you a vote up + comment :). Apologies for the confusion. Commented May 4, 2017 at 12:02
  • >Sorry, I'm not the OP, I just read this and tested it and filed it away as useful knowledge and felt I owed you a vote up + comment :) Sounds funny. So friendly community. Commented May 4, 2017 at 14:04
  • I'm OP, thanks a lot Walter! I couldn't get the native CLI to work but did it through Python. Was able to log in, store my key and retrieve it. The -h tip was really helpful because it shows much more information than when you just get something wrong Commented May 4, 2017 at 14:41
  • what are the -u and -s flags? I don't see them on azure-cli (2.0.14) Commented Oct 23, 2017 at 23:50
  • 2
    FYI, following is proper ways to get secret get does not work anymore. az keyvault secret download --name <KeyNameHere> --vault-name <vaultNamehere> --file <filename here> Commented Jan 3, 2018 at 1:06
21

The previous answer by Shengbao Shui shows the command to store a secret using the Azure CLI 1.0 (Node). For Azure CLI 2.0 (Python) use the following syntax:

Set / Store Key:

az keyvault secret set --vault-name 'myvault' -n 'secret-name' -f '~/.ssh/id_rsa'

Arguments:

Arguments --name -n [Required]: Name of the secret. --vault-name [Required]: Name of the key vault. --description : Description of the secret contents (e.g. password, connection string, etc). --disabled : Create secret in disabled state. Allowed values: false, true. --expires : Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). --not-before : Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z'). --tags : Space-separated tags in 'key[=value]' format. Use '' to clear existing tags. Content Source Arguments --encoding -e : Source file encoding. The value is saved as a tag (`file- encoding=<val>`) and used during download to automatically encode the resulting file. Allowed values: ascii, base64, hex, utf-16be, utf-16le, utf-8. Default: utf-8. --file -f : Source file for secret. Use in conjunction with '--encoding'. --value : Plain text secret value. Cannot be used with '--file' or '--encoding'. Global Arguments --debug : Increase logging verbosity to show all debug logs. --help -h : Show this help message and exit. --output -o : Output format. Allowed values: json, jsonc, table, tsv. Default: json. --query : JMESPath query string. See http://jmespath.org/ for more information and examples. --verbose : Increase logging verbosity. Use --debug for full debug logs.

Retrieve / Get Key:

Save the key to a file ~/.ssh/mykey using the jq utility.

az keyvault secret show --vault-name myvault --name 'secret-name' | jq -r .value > ~/.ssh/mykey

Files may print with a trailing newline, which you can remove with a perl one-liner:

perl -pi -e 'chomp if eof' ~/.ssh/mykey # Set permissions to user-read only chmod 600 ~/.ssh/mykey

Generate the public key from the private key file...

ssh-keygen -y -f ~/.ssh/myfile > ~/.ssh/myfile.pub
Improve this answer
1
  • You can combine the built-in jmespath --query option of az with the -o tsv option to output the key without requiring jq: az keyvault secret show --vault-name myvault --name 'secret-name' --query "value" -o tsv > ~/.ssh/mykey Commented Jan 25, 2024 at 5:05
0

If we want to store the ssh key in KeyVault in ASCII Encoded format then we can use the below command. $az keyvault secret set –-vault-name <KEY_VAULT_NAME> -–name <NAME_OF_THE_KEY> –-file <PATH_OF_THE_SSH_KEY_FILE> -–encoding ascii

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.