Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. improve client exceptions around auth failures due to traffic routing failures

    I just spent a couple days trying to figure out why we couldn't use a service principal to auth against KeyVault from our on prem servers.

    It turned out we had failed to setup SNAT rules for a bank of machines, but none of the exceptions emitted by the client libraries were at all helpful in figuring this out.

    I've attached sample exceptions we got from the 2 different versions of the nuget packages we tried, but it was basically these 2 messages:

    Exception Message: Access token could not be acquired. Object reference not set to an instance of an…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. Fix the article on Key Vault backups

    This article https://blogs.technet.microsoft.com/kv/2018/07/20/announcing-backup-and-restore-of-keys-secrets-and-certificates/ has some pretty major errors, such as stating that the CLI command line to backup a secret is the same as the one to backup a key. Someone needs to review and correct this article.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. nCipher Security has only one product, general purpose HSM

    LOL, this happen if somebody is not doing his work properly and only rename vendor.
    nCipher Security has only general purpose HSM and has no activities in NATO or with payment solution. The text is about Thales company.

    nCipher Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government, and technology sectors. With a 40-year track record of protecting corporate and government information, nCipher Security cryptographic solutions are used by four of the five largest energy and aerospace companies. Their solutions are also used by 22 NATO countries/regions, and…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Simplify key rotation process

    Make it easier to rotate keys. Currently, when creating a new version it becomes the default version immediately - which makes the process very risky. It will be better to be able to do this process manually (marking a key as default) - so I can do it when I'm ready. Or, even better - support decrtpting using the old keys like AWS KMS or GCP KMS are doing.

    References:
    https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
    https://cloud.google.com/kms/docs/key-rotation

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Accessing KeyVault from HDInsight cluster

    My team is starting a new project which involves running .NET app on HDI cluster. Accessing KeyVault from Windows machines require certificates, but this is not feasible from Linux VMs in HDI which doesn't have support for certificate store. Does anyone solved similar problem?
    During investigation, I came across this (https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-linux-virtual-machine). Didn't tried it myself, but my colleague said it didn't work for him. If it is possible to configure service identity on HDI worker nodes, I would love to hear. Thanks.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow Keyvault purge when 'purge protection' is enabled

    Purge protection is a required setting for our InfoSec team. Unfortunately we cannot move a keyvault from one region to another one, and we cannot completely get it purged (https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete / https://docs.microsoft.com/en-us/rest/api/keyvault/vaults/purgedeleted).
    There should be a mechanism/procedure to force a keyvault purge (even by raising an INC to MS)

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. Support for Ed25519 SSH keys in Azure Key Vault

    as per https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys
    'Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.'

    As ED25519 standard is more and more popular, also faster, more secure and supported out of the box on likes of Ubuntu and other platforms using latest OpenSSH it would be very handy addition.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's

    I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  9. include functions as a trusted service in key vault firewall exceptions

    Include functions as a trusted service in key vault firewall exceptions. Why wouldn't you include all Azure services - unless we don't trust Azure PaaS anymore? ;-)

    20 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to up-vote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  10. Improve PowerShell error messages

    Hello,

    I found an issue that when calling get-AzKeyVaultSecret from PS, it returns useless error "forbidden". When instead I call az keyvault secret show from Bash, i get error that "IP address *** not allowed".

    PS Azure:> Get-AzKeyVaultSecret -vaultname tbtest3-kv
    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'
    At line:1 char:1
    + Get-AzKeyVaultSecret -vaultname tbtest3-kv
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret

    tomas@Azure:~$ az keyvault secret show --name "AppSecret" --vault-name "tbtest3-kv"
    Client address (137.117.226.47) is not authorized and caller is not a trusted service

    The IP restriction is intentional, but it appears so…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. Key Vault Service Limits

    The Key Vault limits are at a 10 second granularity but the granularity of its metrics are 1 minute. Please consider adjusting the limits to be in line with the granularity of the metrics available.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Snapshot Entire Vault for Backup and Restore

    The current backup/restore solution for Keyvault keys, secrets and certs takes a lot of time to perform.
    It would be great if you could snapshot a whole Keyvault and save the backup. This would allow restore to use that backup snapshot.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Soft-Deleting KeyVault should release the Resource name

    If I delete a KeyVault with "SoftDelete", it should be possible to create a new KeyVault with the same name.

    An internal versioning logic should be able to distinguish between the versions.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. Allow access to the public part of KEYS in KeyVault from ARM templates

    It would be very useful to be able to generate a key and then get the public portion to pass to the appSettings for another App.

    This is needed for secure deployments where some apps may be in different security 'zones' where they cannot have access to a shared key-vault.

    Generating a key would be useful, especially if we could request that one be generated only if it does not already exist.

    At the very least having access to the public portion of the key in the same way we have access to a secret would be very helpful:

                    "publicJsonKey"
    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. Add support for STORING the Storage Account Key in addition to rotating it.

    Add support for STORING the Storage Account Key in addition to rotating it. Rotating the key is only part of the issue for us, the other half is making it available to application teams in a manner that doesn't require us to give them direct access to each and every storage account at the azure resource level. We prefer to give the team a key vault and store the keys in the kv, which makes it simple for the application team to reference it. When it is updated, we update the kv and that's that.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. when remove blue print, please also remove policies it created

    We found that the policies we had created using blueprint were not cleared out when we removed the blueprint. We had to manually remove the policy from policies.

    We should automatically remove those blueprint created policies when delete a blueprint.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  17. allowing special characters in vault name

    Is it possible to allow special characters in vault names, such as "QaKeyVault.CompanyName" ?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Include Azure Automation on Key Vault Firewall under "Trusted Microsoft Services"

    Currently, Azure Automation accesses Azure Key Vaults through public endpoints (Azure Data Center Public IPs). As such, Automation cannot function unless a firewall exclusion is in place in the key vault settings. Unfortunately, Azure has hundreds of public IP addresses, which could change at a moments notice. This, in effect, negates use of the Key Vault firewall altogether and requires you to allow incoming untrusted networks.

    There is a firewall setting "Allow Trusted Microsoft Services", which allows select services to bypass the firewall. Automation is not included in this list. It would be a great help to include it; immediately…

    55 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  8 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. function on consumption plan can be added "trusted services azure service" key vault behind firewall

    would like to keep Azure key vault secure, at the same time that the Azure function on consumption plan can access the Key vault.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Arm template to get the reference of Azure Search admin and query keys

    I wanted to add Azure Search admin and query keys as a secret to key vault using ARM template. Is there a way to do it?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base