I need to upload public keys present in my centos machine to azure vault using azure cli .I used az keyvault key import --vault-name 'ContosoKeyVault' --name 'ContosoFirstKey' --pem-file 'path of the key' --pem-password 'Pa$$w0rd' --protection software this command . But i am not able to do this.Can anyone suggest me a solution.1 vote
To increase security management, add a description field to the Firewalls and Virtual Networks list (just like other services).
Currently it is just a list of IP addresses and we need to remember which ones are valid and which ones we should delete or expire In SQL server firewall, you can add a description to the IP addresses. Great if you can do the same.7 votes
Microsoft should not be calling out a specific vendor and have them be a requirement. Instead, they should offer a standards based solution that allows the customer to use their existing HSM. Thales might not be the right choice for every enterprise.1 vote
When creating a 'secret' in Azure Key Vault you mainly got Name, Value and Content type fields to populate. It would be great to have a Description field as well to provide some verbose description/notes about the particular secret.16 votes
Azure taught students how to defame my reputation and how to spend my money Edge is downloaded and running Apache My name is Lyda G Bonds
Azure taught a wonderful team called the 403b and the 401k team and now I am being controlled by them Great Job! What happened to your ethics as a company?1 vote
Please allow more than 24 characters for key vault name length. Using a standard naming convention across Azure resources that includes the resource type, region, and landscape doesn't leave many characters for the key vault name. Web Apps also utilize globally unique DNS names and support up to 60 characters. Supporting up to 60 character names would make it easier for us to use our standardized naming convention.326 votes
Either allow CORS for all Key Vaults, or allow it to be set on a per-Key Vault basis.58 votes
How can I BYOK to Azure from Gemalto Luna SA?1 vote
When I create a web app with a Managed Service Identity and want to grant it access to an EXISTING vault, the ARM template for that - even when in incremental mode - removes the other existing access policies from the vault. Only the one for the newly added MSI will be there afterwards.
This effectively disables any scenario where you want to use an existing key vault for a new web app.
Similar to what has been reported here:
It would be better for idempotency and the ability to create Keyvault first, with additional incrementally run ARM templates to have AccessPolicies as non-mandatory.
It is already possible to incrementally add AccessPolicies once you have a KeyVault, but it is not possible to create or update a Keyvault via ARM without specifying the AccessPolicies... which is a problem for update - you need to know all the existing AccessPolicies before you do the update or it will get reverted to whatever you specify.161 votes
In this document:
The step 3.2 suggests you should initialize your security world with:
new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3
DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in Production environments. The cipher suite should be DLf3072s256mRijndael so the command should be:
new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3
I suggest updating the step to reflect the newer cipher suite.3 votes
Given that the Access Policies show only the user or service principal name in the portal, it would be very nice to be able to be able to determine the GUIDs that these names resolve to troubleshoot issues.
Having the same name listed multiple times with different GUIDs may prove confusing, so taking it one step further, the portal could also resolve the GUIDs (user, SP, Groups, Application IDs) into their objects for full information, perhaps by using something like Graph’s GetObjectsByObjectIds.2 votes
So ideally a user could create a key in a vault then be allowed to navigate to a resources credentials and store the password or username as the key value. This avoids credentials going out if date if users have build an API that calls secrets via AAD tokens. I'd use it for storage accounts,SQL servers etc.2 votes
Make it possible with an ARM template to set an Access Policy for a Application Registration Principal
After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able to determine, the only way to obtain this 'hidden id', is using the -PassThru argument while running AzureRmKeyVaultAccessPolicy, which at this point the Key vault must already exist, and it creates the access policy so this is useless for use in an Arm template that you want to create the initial key vault with. If there is some other way to obtain this hidden id, that would be a start, ideally if it was visible from the portal. Ideally, some more intuitive way, such as the ApplicationId that exists in the Arm template (though what it is for I don't know), would of course be better.
I have attached some of the relevant information from the ticket.
After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able…19 votes
The individual key vault page shows several key metrics (total requests, average latency, success ratio) and even the "Metrics (preview)" (when accessed via the key vault page) shows the same metrics (albeit with a different name).
However, these metrics cannot be access via the Metrics (either current GA or preview) blade. Nor can they be accessed via the Azure CLI.
It would be useful to be able to correlate key vault metrics with other service metrics (such as app services), to do this it is necessary to have the data accessible via the metrics blade or the CLI.1 vote
When you open a particular secret tab you first need to make it visible and only then you are able to copy the value.
Please add a button to copy the value without showing the value.5 votes
I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.
It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.64 votes
My coworker sometimes set up Azure Agent Backup, though he does not have azure portal login accont.
So when he set up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
So I want to download a vault credential without login to Azure portal.2 votes
If a company has a single KeyVault which holds dev and production keys, as long as you access the keyvault through a valid access policy and key can be used (for the usages mentioned in the access policy).8 votes
currently when delegating permissions to secrets and keys to groups the group name is not published into the "displayname" attribute of the vault key. only the object ID exists. nightmare for role segregation mgmt.1 vote
- Don't see your idea?