It would be great to support a free SSL provider like Let's Encrypt that works with Key Vault auto roll.79 votes
I need to upload public keys present in my centos machine to azure vault using azure cli .I used az keyvault key import --vault-name 'ContosoKeyVault' --name 'ContosoFirstKey' --pem-file 'path of the key' --pem-password 'Pa$$w0rd' --protection software this command . But i am not able to do this.Can anyone suggest me a solution.1 vote
Currently soft delete is not a default feature. It would be great if this can be made a default feature to protect against loss of a complete keyvault or objects inside (keys,secrets,certs).
We learned about this feature only after getting hit by an accidental keyvault deletion.
We can save others who are not aware of this feature and may run into similar scenario.10 votes
When I create a web app with a Managed Service Identity and want to grant it access to an EXISTING vault, the ARM template for that - even when in incremental mode - removes the other existing access policies from the vault. Only the one for the newly added MSI will be there afterwards.
This effectively disables any scenario where you want to use an existing key vault for a new web app.
Similar to what has been reported here:
Make it possible with an ARM template to set an Access Policy for a Application Registration Principal
After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able to determine, the only way to obtain this 'hidden id', is using the -PassThru argument while running AzureRmKeyVaultAccessPolicy, which at this point the Key vault must already exist, and it creates the access policy so this is useless for use in an Arm template that you want to create the initial key vault with. If there is some other way to obtain this hidden id, that would be a start, ideally if it was visible from the portal. Ideally, some more intuitive way, such as the ApplicationId that exists in the Arm template (though what it is for I don't know), would of course be better.
I have attached some of the relevant information from the ticket.
After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able…14 votes
It should be possible to provide role separation even from the highest Azure permissions (Global Administrators / Subscription Owners)
As of today, anyone with permissions to modify the service, can change Access Policies and give themselves permissions to Keys and Secrets.
Perhaps an extra level of Security linked to Azure Active Directory where only specified groups or users would have the ability to modify access policies.17 votes
I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.
It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.32 votes
In this document:
The step 3.2 suggests you should initialize your security world with:
new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3
DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in Production environments. The cipher suite should be DLf3072s256mRijndael so the command should be:
new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3
I suggest updating the step to reflect the newer cipher suite.3 votes
When you open a particular secret tab you first need to make it visible and only then you are able to copy the value.
Please add a button to copy the value without showing the value.5 votes
So ideally a user could create a key in a vault then be allowed to navigate to a resources credentials and store the password or username as the key value. This avoids credentials going out if date if users have build an API that calls secrets via AAD tokens. I'd use it for storage accounts,SQL servers etc.2 votes
If a company has a single KeyVault which holds dev and production keys, as long as you access the keyvault through a valid access policy and key can be used (for the usages mentioned in the access policy).6 votes
In Payment Industry, cryptographic keys that are used to encrypt PIN from credit/debit cards are TripleDES (sometimes with DUKPT) based. Currently, KeyVault only support RSA keys.
Please add support to it.72 votes
currently when delegating permissions to secrets and keys to groups the group name is not published into the "displayname" attribute of the vault key. only the object ID exists. nightmare for role segregation mgmt.1 vote
Azure taught students how to defame my reputation and how to spend my money Edge is downloaded and running Apache My name is Lyda G Bonds
Azure taught a wonderful team called the 403b and the 401k team and now I am being controlled by them Great Job! What happened to your ethics as a company?1 vote
Microsoft should not be calling out a specific vendor and have them be a requirement. Instead, they should offer a standards based solution that allows the customer to use their existing HSM. Thales might not be the right choice for every enterprise.1 vote
How can I BYOK to Azure from Gemalto Luna SA?1 vote
Given that the Access Policies show only the user or service principal name in the portal, it would be very nice to be able to be able to determine the GUIDs that these names resolve to troubleshoot issues.
Having the same name listed multiple times with different GUIDs may prove confusing, so taking it one step further, the portal could also resolve the GUIDs (user, SP, Groups, Application IDs) into their objects for full information, perhaps by using something like Graph’s GetObjectsByObjectIds.2 votes
The individual key vault page shows several key metrics (total requests, average latency, success ratio) and even the "Metrics (preview)" (when accessed via the key vault page) shows the same metrics (albeit with a different name).
However, these metrics cannot be access via the Metrics (either current GA or preview) blade. Nor can they be accessed via the Azure CLI.
It would be useful to be able to correlate key vault metrics with other service metrics (such as app services), to do this it is necessary to have the data accessible via the metrics blade or the CLI.1 vote
My coworker sometimes set up Azure Agent Backup, though he does not have azure portal login accont.
So when he set up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
So I want to download a vault credential without login to Azure portal.2 votes
- Don't see your idea?