Azure Key Vault
We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow
-
Per-secret/key/certificate access control
Currently it's an all or nothing model. To grant a user account or app id access to one secret, you have to grant it access to the entire vault (as far as I can tell). This eliminates the possibility of least privilege access to secrets. In this model, the only way to create security boundaries for individual secrets is to create additional key vaults, which could get out of control fast if we need one key vault per application per environment. A better model would be to have independent access controls on both the vault and the individual secrets.
For…
261 votes -
Secret Names do not support special characters
In order for our organization to fully adopt Azure Key Vault for managing passwords and secrets we need to be able to support at a minimum allowing _ (underscrores) and other special characters in the naming convention as we have hundreds of names that contain underscores in them such as account_test, account_prd, etc..
Reading through the documentation online I can't find any technical reason as to why special characters aren't supported but this is a show stopper at this point for us until this is added/supported.
82 votes -
Add support for PGP keys
Many of our vendors require us to send them files via SFTP using their public encryption keys most of which are PGP keys. As we start to migrate our Managed File Transfer service to Azure we'd like to leverage storing these keys in Azure Key Vault
10 votes -
Provide the ability to create multiple lines' secret(SSH private key) in azure portal
When I generate a manual type secret, it's impossible to save the multiple lines' secret(SSH private key) value, in fact, I think the input box should take text area as an option.
9 votes -
Add filtering and column sorting options to Keys, Secrets and Certificates
Background:
Is it just me, or is it really annoying that you can't write any filters or sort on columns in the Key Vault resource? We will have like 1500 keys when our projects reaches it's final stage, and the "Show more"-button is really not my best friend.
Suggestion:
Make the lists of Keys, Secrets and Certificates sortable on column name, and add a filter/search field to improve management when browsing the vault using Azure Portal.
To find a Secret in a long list it requires you to scroll down, and press "Load more" which is not convinient at all.
…
8 votes -
Auto Rotate Secrets on connected Resources
Microsoft docs highly recommends the keys/secrets/certificates to be rotated on regular interval for better security posture.
The rotation is only possible by writing powershell code and dont have luxury to write and maintain for every resource.
It would be great to have a feature in Key Vault to do that for us when a resource is connected. Resource could be PaaS SQL, Storage account, Azure Ad APP etc.
KeyVault talks about writing powershell code to recycle keys on storage account.
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring7 votes -
Ability to reference a secret without having to specify the secret version explicitly
Hi! Currently the only way to specify a KeyVault reference is to specify the version as well. Could this perhaps be changed to be able to reference a particular version by default (perhaps the newest one). This would really help in the case that a secret needs to be updated and a particular version is no longer valid. Currently I have to go back and change my secret, fetch the new secret version and update all the references accordingly. This gets really tedious when you have a lot of secrets to keep track of.
To make this clear:
Currently my…
6 votes -
Events when key or secrets are changed or updated in key vault
It’s important to know if keys / Secrets are updated in key vault so that necessary actions with consuming application can be taken when this occurs...
5 votes -
Full Backup and Restore
Currently, you can only back up each secret one at a time. I would like the ability to back all the secrets up and obviously, store them in an encrypted storage account or vault.
5 votes -
Portal experience for 'On-Boarding' a Storage Account Key / SAS Rotation
Portal experience for creating a Key Vault Managed Storage Account and/or for 'On-Boarding' a Storage Account into being managed by a given Key Vault Key
This is possible with PowerShell and AzureCLI (as described here: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-key) but there is not portal experience for doing this.
Originally mentioned in this Github Issue:
https://github.com/MicrosoftDocs/azure-docs/issues/105554 votes -
manage permissions on an entry level
We are creating a solution where multiple services (backend servers from different departments, ...), will use key vault to retreive their access keys. It would be great to be able to give a backend service access to only the relevant entry (e.g. only to secret1 and certificate2).
The problem is, that a user that has access (to secrets for example), automatically has access to all secrets.In other words: Add access policies to secrets, keys and certificates
3 votes -
Allow secret versions to be deleted
You can create multiple versions for a given secret, however the api only allows a delete to be performed at the secret level and not for an individual version.
2 votes -
KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop
KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop
Fix exception after changing timezone on laptop. Or warn developers not to change timezones on business trip.
Went on business trip where I changed the timezone.
Everything worked fine.
Returned home and restored timezone.
.Net Core application stops working due to exception.Microsoft.Azure.KeyVault.Models.KeyVaultErrorException Error validating token: IDX10223
HResult=0x80131500
Message=Error validating token: IDX10223
Source=Microsoft.Azure.KeyVault1 vote -
Allow creation of "living" secrets that are linked to a resource and always returns an active key
As an alternative to rotating keys, it would be cool if you could create a key vault secret that was linked to a resource such as blob storage or cosmos db that uses keys for authentication, so that when you call the GET operation on that secret it can proxy the request to that resource's listkeys operation and automatically choose one. In this way, it would guarantee that any time you reach out to key vault for that secret, you would be sure to get an active key. For this to work, I expect Azure would need to associate a…
1 vote -
Add the Secret version GUID in the diagnostic logging output when a secret is created (SecretSet)
The diagnostic logging output for Key Vaults do not include the version GUID when new secret or new version of an existing secret is created (SecretSet operation).
Current data in properties_id field:
https://<KeyVaultName>.vault.azure.net/secrets/test1234Requested data in properties_id field:
https://<KeyVaultName>.vault.azure.net/secrets/test1234/38b6d47049704298affe8d0b1d3f47fbWe would like to use this functionality to correlate diagnostic log outputs for SecretUpdate operations to SecretSet operations without requiring access to the Key Vault objects themselves, we use this data for tracing security events.
The above method of including the version guid in the properties_id field is already used in a similar way when creating key versions (KeyCreate),…
1 vote -
The Key vault should not allow it to be deleted
The Key vault should not allow it to be deleted, as long as it has associations with other resources. In Azure the vast majority of resources have this restriction, for a resource as important as the Key Vault should also have this validation before allowing its elimination.
1 vote -
Secure export options and access to KeyVault secrets from login screens
Would be great to have following options in Key Vault – structured security permissions for all cryptographic resources. Possibility to deliver KeyVault secrets to users in secure way – direct export to encrypted archive + password, without use of system clipboard. One more option – direct access to KeyVault secret from mstsc or Windows Hello login screen, without copying of the sensitive information via system clipboard. Together with MFA security option KeyVault secret assigned to appropriate user can work as primary or backup login option.
1 vote -
Provide the ability to insert multiple secrets via JSON dictionary or similar method via command line
Today, secrets are able to be added manually and via file, which from my knowledge only accepts one key value pair for the secret. It would be nice to have the ability to insert multiple secrets at once.
1 vote -
I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's
I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's
1 vote -
Don't show Key Vault secrete values in the Azure Portal
Today when secrets are added to Key Vault, the value of secret is visible in Azure Portal (initially secrets are masked out, but clicking on secret allows to see its value secret).
There should be an option NOT to see secret's value once it’s added to the vault.
This way if Azure Portal is compromised, secretes are still secure.1 vote
- Don't see your idea?