Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL. i.e. https://myvault.vault.azure.net/secrets/mysecret/

    And would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. Include Azure Automation on Key Vault Firewall under "Trusted Microsoft Services"

    Currently, Azure Automation accesses Azure Key Vaults through public endpoints (Azure Data Center Public IPs). As such, Automation cannot function unless a firewall exclusion is in place in the key vault settings. Unfortunately, Azure has hundreds of public IP addresses, which could change at a moments notice. This, in effect, negates use of the Key Vault firewall altogether and requires you to allow incoming untrusted networks.

    There is a firewall setting "Allow Trusted Microsoft Services", which allows select services to bypass the firewall. Automation is *not* included in this list. It would be a great help to include it; immediately…

    35 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  5 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow more than 24 characters for key vault name length

    Please allow more than 24 characters for key vault name length. Using a standard naming convention across Azure resources that includes the resource type, region, and landscape doesn't leave many characters for the key vault name. Web Apps also utilize globally unique DNS names and support up to 60 characters. Supporting up to 60 character names would make it easier for us to use our standardized naming convention.

    100 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Support for KMIP protocol

    KMIP is a standard protocol for interacting with vaults. It's supported by major vendors including NetApp. Keyvault should support this feature to allow centralized key management.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Improve error messaging for Key Vault firewall vNet integration

    If you try to add a vNet/subnet to a Key Vault's firewall, the subscription where that vNet lives must have the Key Vault resource provider registered. If the Key Vault resource provider is not registered in the vNet's subscription, the error you see leads you down a different rabbit hole. Here's an example of the error message:

    Virtual Network could not be validated. code: AuthorizationFailed. message: "The client '{guid}' with object id '{same_guid}' does not have authorization to perform action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action' over scope '/subscriptions/my-vNet-subscription-guid/resourcegroups/my-Resource-Group/providers/microsoft.network/virtualnetworks/my-vNet/taggedTrafficConsumers/Microsoft.KeyVault.centralus' or the scope is invalid. If access was recently granted, please refresh your credentials.".

    That error…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Additional Event Types for Key Vault integration with Event Grid

    How about some additional event types, specifically Microsoft.KeyVault.SecretDeleted, Microsoft.KeyVault.CertificateDeleted, and Microsoft.KeyVault.KeyDeleted ?

    I'd like be able to subscribe to delete events. The *NewVersionCreated event types fire when adding a new key vault object or a new version is saved but I need to know when an object is deleted.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. Notify Users when secrets/keys are expiring

    Currently certificates management supports email notification when certificates are expiring. Wouldn't it be great to have the same functionality for keys and secrets?

    157 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    28 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. include functions as a trusted service in key vault firewall exceptions

    Include functions as a trusted service in key vault firewall exceptions. Why wouldn't you include all Azure services - unless we don't trust Azure PaaS anymore? ;-)

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to up-vote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  9. Accessing KeyVault from HDInsight cluster

    My team is starting a new project which involves running .NET app on HDI cluster. Accessing KeyVault from Windows machines require certificates, but this is not feasible from Linux VMs in HDI which doesn't have support for certificate store. Does anyone solved similar problem?
    During investigation, I came across this (https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-linux-virtual-machine). Didn't tried it myself, but my colleague said it didn't work for him. If it is possible to configure service identity on HDI worker nodes, I would love to hear. Thanks.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. ARM Template for KeyVault to have AccessPolicies non-mandatory

    Hi,
    It would be better for idempotency and the ability to create Keyvault first, with additional incrementally run ARM templates to have AccessPolicies as non-mandatory.

    It is already possible to incrementally add AccessPolicies once you have a KeyVault, but it is not possible to create or update a Keyvault via ARM without specifying the AccessPolicies... which is a problem for update - you need to know all the existing AccessPolicies before you do the update or it will get reverted to whatever you specify.

    64 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. keyvault version control and management

    enable versioning and tagging of entire keyvault properties to enable quick switching between configurations

    AND/OR enable online backup of keyvault to achieve the same effect

    Additionally, the keyvault user interface is very hard and inefficient to make a lot of changes and is error prone, so an improved table based UI might help ?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Simplify key rotation process

    Make it easier to rotate keys. Currently, when creating a new version it becomes the default version immediately - which makes the process very risky. It will be better to be able to do this process manually (marking a key as default) - so I can do it when I'm ready. Or, even better - support decrtpting using the old keys like AWS KMS or GCP KMS are doing.

    References:
    https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
    https://cloud.google.com/kms/docs/key-rotation

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Allow ALL PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable

    Allow all PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable. Data factory has dynamic IPs, MIcrosoft solution to me was to add the 220 IP ranges for West US 2. Sadly, KeyVault only allows 127 entries. - Solution? Use the self hosted runtimes (higher cost). My solution if you want Key Vault to be enterprise ready, in the firewall screen, make it as simple as explicitly selecting an Azure service and saying - allow access - why do I have to figure out IP ranges? (too many anyway).Lets help the Azure Key Vault product team…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. Support for nCipher HSM and CNG

    Currently, Azure Key vault HSM doesn't support nCipher HSM and CNG ("nCipher World Key Provider"). Due to this we are not able to migrate few of our services to Azure and it become bottleneck for migration.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. Key Vault Access Policies - Provide Identifier next to SP.

    In some scenarios there can be 2 service principals created in Azure AD such as function apps which have been re created and have the same name, by providing the Id next to the name it will allow contributors to verify they have selected the correct service principal to grant access to, and not old SP's

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. Support for Ed25519 SSH keys in Azure Key Vault

    as per https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys
    'Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.'

    As ED25519 standard is more and more popular, also faster, more secure and supported out of the box on likes of Ubuntu and other platforms using latest OpenSSH it would be very handy addition.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  17. Allow Keyvault purge when 'purge protection' is enabled

    Purge protection is a required setting for our InfoSec team. Unfortunately we cannot move a keyvault from one region to another one, and we cannot completely get it purged (https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete / https://docs.microsoft.com/en-us/rest/api/keyvault/vaults/purgedeleted).
    There should be a mechanism/procedure to force a keyvault purge (even by raising an INC to MS)

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Support encryption/decryption for Elliptic Curve Cryptography, eg. for ECDH

    Currently only Sign and Verify action can be executed with elliptic curve (EC) keys. Add a possibility to use EC keys also for encryption and decryption (together with counterpart public key).
    For example, EC keys are used for encryption/decryption in steem blockchain.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. improve client exceptions around auth failures due to traffic routing failures

    I just spent a couple days trying to figure out why we couldn't use a service principal to auth against KeyVault from our on prem servers.

    It turned out we had failed to setup SNAT rules for a bank of machines, but none of the exceptions emitted by the client libraries were at all helpful in figuring this out.

    I've attached sample exceptions we got from the 2 different versions of the nuget packages we tried, but it was basically these 2 messages:

    Exception Message: Access token could not be acquired. Object reference not set to an instance of an…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Improve PowerShell error messages

    Hello,

    I found an issue that when calling get-AzKeyVaultSecret from PS, it returns useless error "forbidden". When instead I call az keyvault secret show from Bash, i get error that "IP address *** not allowed".

    PS Azure:\> Get-AzKeyVaultSecret -vaultname tbtest3-kv
    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'
    At line:1 char:1
    + Get-AzKeyVaultSecret -vaultname tbtest3-kv
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret

    tomas@Azure:~$ az keyvault secret show --name "AppSecret" --vault-name "tbtest3-kv"
    Client address (137.117.226.47) is not authorized and caller is not a trusted service

    The IP restriction is intentional, but it appears so…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3
  • Don't see your idea?

Feedback and Knowledge Base