Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try the documentation, the MSDN Forum or Stack Overflow.

  1. KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop


    Fix the exception after changing the timezone on a laptop, or warn developers not to change timezones on business trips.

    Went on a business trip where I changed the timezone.
    Everything worked fine.
    Returned home and restored the timezone.
    .NET Core application stops working due to an exception.

    Microsoft.Azure.KeyVault.Models.KeyVaultErrorException Error validating token: IDX10223
    HResult=0x80131500
    Message=Error validating token: IDX10223
    Source=Microsoft.Azure.KeyVault

    1 vote
    0 comments  ·  Managing application secrets
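In Microsoft.IdentityModel, IDX10223 is the code for a failed lifetime check: the token's exp lies in the past relative to the validator's clock. JWT exp and nbf are UTC epoch seconds, so the timezone setting itself never enters the comparison; only the offset of the system clock does. The following added example (not code from the post or from Microsoft.Azure.KeyVault) decodes a token's lifetime claims and performs that check with a skew allowance. The 5-minute skew, the alg=none sample token and the value of T are assumptions made for the illustration.

```python
"""Lifetime check for a JWT, done the way a token validator does it: against UTC
epoch seconds with a small clock-skew allowance. Added example; not code from
the post above or from Microsoft.Azure.KeyVault."""
import base64
import json
import time
from typing import Optional

# Allowed clock skew in seconds. Five minutes is assumed here; it is a common
# validator default, not a value read from any library.
DEFAULT_SKEW = 300


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature.
    Signature verification is out of scope here; only the lifetime is examined."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_lifetime(claims: dict, now: Optional[int] = None, skew: int = DEFAULT_SKEW) -> str:
    """Classify a token as 'valid', 'expired' or 'not_yet_valid'.

    'exp' and 'nbf' are NumericDate values: seconds since the Unix epoch, UTC.
    They carry no timezone, so they are compared with the system's UTC clock
    (time.time()), never with local wall-clock time."""
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    if exp is not None and now > exp + skew:
        return "expired"          # the IDX10223 situation: exp is in the past
    if nbf is not None and now < nbf - skew:
        return "not_yet_valid"
    return "valid"


def clock_offset_hint(claims: dict, now: Optional[int] = None) -> int:
    """Seconds by which the local clock is ahead of the token's issue time ('iat').
    A large value for a token that was just issued points at the local clock,
    not at the token."""
    now = int(time.time()) if now is None else now
    return now - int(claims["iat"])


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with alg=none and an empty signature, for the
    constructed samples below. Never accept such tokens in a real validator."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(json.dumps(header).encode())}.{_b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Constructed sample: a token issued at T and valid for one hour.
    T = 1_700_000_000
    token = make_unsigned_token({"iat": T, "nbf": T, "exp": T + 3600, "aud": "https://vault.azure.net"})
    claims = decode_claims(token)
    print(check_lifetime(claims, now=T + 60))            # valid
    print(check_lifetime(claims, now=T + 3600 + 120))    # valid: inside the skew window
    print(check_lifetime(claims, now=T + 3600 + 600))    # expired
    # A machine whose clock runs four hours fast rejects a fresh token:
    print(check_lifetime(claims, now=T + 4 * 3600))      # expired
    print(clock_offset_hint(claims, now=T + 4 * 3600))   # 14400
```

When a freshly acquired token is rejected with IDX10223, compare the machine's UTC time with the token's iat before touching the application: an offset of hours means the clock, not the code, needs fixing.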
  2. Support for KMIP protocol

    KMIP is a standard protocol for interacting with vaults. It's supported by major vendors including NetApp. Key Vault should support this feature to allow centralized key management.

    1 vote
    0 comments  ·  Other
  3. ARM Template support for Certificates and Issuers

    Hi,

    Currently KeyVault only supports adding new secrets using ARM templates.

    Certificates are a common part of any service today, just like secrets, and I would like to be able to create them in my vault using my ARM templates.

    Due to this limitation, my provisioning scripts are currently split into 3 parts (!):
    1. ARM template for preparation (create the KV)
    2. PowerShell to create the certificates inside the KV
    3. ARM Template for the remaining provisioning, that in some parts rely on getting the certificate private part (by accessing the "secret" entity on the KV)

    This doesn't make sense.

    At…

    15 votes
    0 comments  ·  Certificates
  4. Facilitate Key Vault Diagnostics Policies

    A Key Vault and the corresponding Diagnostics are seen as two separate resources.

    It is hence impossible (as advised by customer support) to create a policy preventing key vaults with no diagnostics being deployed.

    1 vote
    0 comments
  5. Improve error messaging for Key Vault firewall vNet integration

    If you try to add a vNet/subnet to a Key Vault's firewall, the subscription where that vNet lives must have the Key Vault resource provider registered. If the Key Vault resource provider is not registered in the vNet's subscription, the error you see leads you down a different rabbit hole. Here's an example of the error message:

    Virtual Network could not be validated. code: AuthorizationFailed. message: "The client '{guid}' with object id '{same_guid}' does not have authorization to perform action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action' over scope '/subscriptions/my-vNet-subscription-guid/resourcegroups/my-Resource-Group/providers/microsoft.network/virtualnetworks/my-vNet/taggedTrafficConsumers/Microsoft.KeyVault.centralus' or the scope is invalid. If access was recently granted, please refresh your credentials.".

    That error…

    1 vote
    0 comments  ·  Other
  6. Export AppService certificate from portal

    We have to use PowerShell to export the App Service certificate as a PFX file, and the file does not have the intermediate certificate. If we need the PFX file with the intermediate certificate, we have to import it into a Windows OS and export it as a PFX file. I hope that we can export the full certificate from the Azure portal.

    1 vote
    0 comments
  7. Additional Event Types for Key Vault integration with Event Grid

    How about some additional event types, specifically Microsoft.KeyVault.SecretDeleted, Microsoft.KeyVault.CertificateDeleted, and Microsoft.KeyVault.KeyDeleted ?

    I'd like to be able to subscribe to delete events. The *NewVersionCreated event types fire when a new key vault object or a new version is saved, but I need to know when an object is deleted.

    1 vote
    0 comments  ·  Other
  8. Allow RunAs accounts to directly use Key Vault certificates.

    You can upload a self-signed certificate file for a RunAs account. I'd like to use Key Vault to create & renew a self-signed certificate for a RunAs account.

    1 vote
    0 comments
  9. Better Scope the access needed to restore a VM from recovery vault

    While our 3rd party MSP was attempting to restore a VM we found that they did not have the required permissions. After reviewing the docs here https://docs.microsoft.com/en-us/azure/backup/backup-rbac-rs-vault
    we found that they need Contributor access, specifically resourcegroups/write.
    Creating resource groups is an authorization we need to limit. Requesting the product group remove this authorization from VM restores.

    1 vote
    0 comments
  10. Allow creation of "living" secrets that are linked to a resource and always returns an active key

    As an alternative to rotating keys, it would be cool if you could create a key vault secret that was linked to a resource such as blob storage or cosmos db that uses keys for authentication, so that when you call the GET operation on that secret it can proxy the request to that resource's listkeys operation and automatically choose one. In this way, it would guarantee that any time you reach out to key vault for that secret, you would be sure to get an active key. For this to work, I expect Azure would need to associate a…

    1 vote
    0 comments  ·  Managing application secrets
  11. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL. i.e. https://myvault.vault.azure.net/secrets/mysecret/

    And would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    10 votes
    0 comments  ·  Other
  12. Ability to reference a secret without having to specify the secret version explicitly

    Hi! Currently the only way to specify a Key Vault reference is to specify the version as well. Could this perhaps be changed to reference a particular version by default (perhaps the newest one)? This would really help in the case that a secret needs to be updated and a particular version is no longer valid. Currently I have to go back and change my secret, fetch the new secret version and update all the references accordingly. This gets really tedious when you have a lot of secrets to keep track of.

    To make this clear:

    Currently my…

    6 votes
    0 comments  ·  Managing application secrets
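Ideas 11 and 12 both concern App Service Key Vault references, which take either the SecretUri form (@Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)) or the VaultName;SecretName;SecretVersion form; in both the version is the optional part. The following added example (not code from the posts or from App Service) parses both forms, reports which app settings are pinned to a specific version, and rewrites a pinned reference to its version-less form, which is the check to run over a configuration before a secret rotation. The sample settings and the vault name myvault are constructed for the illustration.

```python
"""Parse Azure App Service Key Vault references and report whether each one is
pinned to a secret version. Added example; not code from the posts above or
from App Service."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
# Secret identifier: https://<vault>.vault.azure.net/secrets/<name>[/<version>]
# Secret versions are 32 hex characters; a trailing slash is tolerated.
URI_RE = re.compile(
    r"^https://(?P<vault>[a-zA-Z0-9-]+)\.vault\.azure\.net/secrets/"
    r"(?P<name>[a-zA-Z0-9-]+)(?:/(?P<version>[0-9a-fA-F]{32}))?/?$"
)


@dataclass
class KeyVaultRef:
    vault: str
    secret: str
    version: Optional[str]

    @property
    def pinned(self) -> bool:
        return self.version is not None

    def secret_uri(self) -> str:
        base = f"https://{self.vault}.vault.azure.net/secrets/{self.secret}"
        return f"{base}/{self.version}" if self.version else base

    def unpinned(self) -> str:
        """The same reference with the version dropped, so it follows the latest version."""
        return f"@Microsoft.KeyVault(VaultName={self.vault};SecretName={self.secret})"


def parse_reference(value: str) -> Optional[KeyVaultRef]:
    """Return a KeyVaultRef for an app-setting value, or None for a plain value."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    pairs = (part.split("=", 1) for part in m.group("body").split(";") if "=" in part)
    fields = {k.strip(): v.strip() for k, v in pairs}
    if "SecretUri" in fields:
        u = URI_RE.match(fields["SecretUri"])
        if not u:
            raise ValueError(f"malformed SecretUri in reference: {value}")
        return KeyVaultRef(u["vault"], u["name"], u["version"])
    if "VaultName" in fields and "SecretName" in fields:
        # An empty SecretVersion= means "not pinned", the same as omitting it.
        return KeyVaultRef(fields["VaultName"], fields["SecretName"], fields.get("SecretVersion") or None)
    raise ValueError(f"unrecognised Key Vault reference form: {value}")


def pinned_references(app_settings: Dict[str, str]) -> Dict[str, KeyVaultRef]:
    """Map setting name -> KeyVaultRef for every reference pinned to one version."""
    out: Dict[str, KeyVaultRef] = {}
    for key, val in app_settings.items():
        ref = parse_reference(val) if isinstance(val, str) else None
        if ref is not None and ref.pinned:
            out[key] = ref
    return out


# Constructed sample app settings; the vault, secret names and version are invented.
SAMPLE_SETTINGS = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/38b6d47049704298affe8d0b1d3f47fb)",
    "ApiKey": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/api-key/)",
    "StorageKey": "@Microsoft.KeyVault(VaultName=myvault;SecretName=storage-key;SecretVersion=)",
    "Feature": "on",
}

if __name__ == "__main__":
    for name, ref in pinned_references(SAMPLE_SETTINGS).items():
        print(f"{name}: pinned to {ref.version}; unpinned form: {ref.unpinned()}")
```

A pinned reference keeps working after the secret is rotated only for as long as the old version remains enabled, so every entry this reports is a setting that must be edited on each rotation.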
  13. keyvault version control and management

    Enable versioning and tagging of entire key vault properties to enable quick switching between configurations,

    AND/OR enable online backup of the key vault to achieve the same effect.

    Additionally, the key vault user interface is very hard and inefficient for making a lot of changes and is error-prone, so an improved table-based UI might help?

    1 vote
    0 comments  ·  Other
  14. Allow ALL PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable

    Allow all PaaS services to be trusted by Key Vault. Without this, firewall rules are unmanageable. Data Factory has dynamic IPs; Microsoft's solution to me was to add the 220 IP ranges for West US 2. Sadly, Key Vault only allows 127 entries. - Solution? Use the self-hosted runtimes (higher cost). My solution, if you want Key Vault to be enterprise ready: in the firewall screen, make it as simple as explicitly selecting an Azure service and saying - allow access - why do I have to figure out IP ranges? (Too many anyway.) Let's help the Azure Key Vault product team…

    1 vote
    0 comments  ·  Other
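The complaint above is a rule-count limit hit by a long list of published IP ranges. Before trimming such a list by hand, collapse it exactly; if it still exceeds the limit, merge rules in the order that admits the fewest extra addresses and record how much wider the allow-list became. The following added example (not code from the post or from Azure) does both with the standard library's ipaddress module. The 127-rule limit is the poster's figure and is not verified here; the 13.66.0.0/16 sample prefix list is constructed, not a published range list.

```python
"""Collapse an IPv4 allow-list into the fewest CIDR rules and, when that is
still too many, widen rules deliberately until a firewall rule limit is met.
Added example; not code from the post above or from Azure."""
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# The post says the Key Vault firewall accepts 127 IP rules; the figure is
# taken from the post, not verified here.
RULE_LIMIT = 127


def collapse_prefixes(prefixes: Iterable[str]) -> List[IPv4Net]:
    """Merge adjacent and overlapping prefixes exactly: the address set is unchanged."""
    nets = [ipaddress.IPv4Network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def _smallest_supernet(a: IPv4Net, b: IPv4Net) -> IPv4Net:
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup


def widen_to_limit(nets: List[IPv4Net], limit: int) -> List[IPv4Net]:
    """Merge the adjacent pair whose common supernet admits the fewest extra
    addresses, repeating until len(nets) <= limit. Every merge widens the
    allow-list, so compare total_addresses() before and after and decide
    whether the extra addresses are acceptable."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    nets = list(ipaddress.collapse_addresses(nets))  # sorted and disjoint
    while len(nets) > limit:
        best = None  # (extra addresses, index, supernet)
        for i in range(len(nets) - 1):
            sup = _smallest_supernet(nets[i], nets[i + 1])
            extra = sup.num_addresses - nets[i].num_addresses - nets[i + 1].num_addresses
            if best is None or extra < best[0]:
                best = (extra, i, sup)
        _, i, sup = best
        nets[i:i + 2] = [sup]
        # The new supernet may swallow further neighbours; re-collapse to keep rules disjoint.
        nets = list(ipaddress.collapse_addresses(nets))
    return nets


def total_addresses(nets: Iterable[IPv4Net]) -> int:
    return sum(n.num_addresses for n in nets)


def coverage_preserved(prefixes: Iterable[str], rules: List[IPv4Net]) -> bool:
    """True if every original prefix is still inside some rule (nothing was dropped)."""
    return all(
        any(ipaddress.IPv4Network(p, strict=False).subnet_of(r) for r in rules) for p in prefixes
    )


def build_rules(prefixes: List[str], limit: int = RULE_LIMIT) -> Tuple[List[IPv4Net], int]:
    """Return (rules, extra_addresses_admitted) for an allow-list that fits the limit."""
    exact = collapse_prefixes(prefixes)
    rules = widen_to_limit(exact, limit)
    return rules, total_addresses(rules) - total_addresses(exact)


if __name__ == "__main__":
    # Constructed sample: the /24s of one /16 with every seventh one missing
    # (219 prefixes), standing in for a published service-tag range list.
    sample = [
        str(n)
        for i, n in enumerate(ipaddress.IPv4Network("13.66.0.0/16").subnets(new_prefix=24))
        if i % 7
    ]
    rules, extra = build_rules(sample)
    print(len(sample), "prefixes ->", len(rules), "rules; extra addresses admitted:", extra)
    print("all original prefixes still covered:", coverage_preserved(sample, rules))
```

The exact collapse is always safe. The widening step trades rule count for a larger allowed set, so the extra-address figure it returns belongs in the change record for the firewall rule.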
  15. Support for nCipher HSM and CNG

    Currently, Azure Key Vault HSM doesn't support nCipher HSM and CNG ("nCipher World Key Provider"). Due to this we are not able to migrate a few of our services to Azure, and it has become a bottleneck for migration.

    1 vote
    0 comments  ·  Other
  16. Key Vault Access Policies - Provide Identifier next to SP.

    In some scenarios there can be 2 service principals in Azure AD with the same name, such as function apps which have been re-created. Providing the ID next to the name will allow contributors to verify they have selected the correct service principal to grant access to, and not old SPs.

    1 vote
    0 comments  ·  Other
  17. How to grant the AKV access to the web app hosted in IIS

    Currently we are able to add Azure Key Vault access to an Azure web app, but what if the app is not published to Azure? How do we use Azure Key Vault with apps hosted in IIS on an Azure VM?

    1 vote
    1 comment  ·  Custom applications
  18. Add the Secret version GUID in the diagnostic logging output when a secret is created (SecretSet)

    The diagnostic logging output for Key Vaults does not include the version GUID when a new secret or a new version of an existing secret is created (SecretSet operation).

    Current data in properties_id field:
    https://<KeyVaultName>.vault.azure.net/secrets/test1234

    Requested data in properties_id field:
    https://<KeyVaultName>.vault.azure.net/secrets/test1234/38b6d47049704298affe8d0b1d3f47fb

    We would like to use this functionality to correlate diagnostic log outputs for SecretUpdate operations to SecretSet operations without requiring access to the Key Vault objects themselves; we use this data for tracing security events.

    The above method of including the version guid in the properties_id field is already used in a similar way when creating key versions (KeyCreate),…

    1 vote
    0 comments  ·  Managing application secrets
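The post asks for the secret version in properties.id for SecretSet so that later operations can be tied back to the write that produced the version. The following added example (not code from the post or from Azure) shows what a log consumer can do while that field is missing: group records by secret name in time order and attribute a version to an unversioned SecretSet only when exactly one Set precedes the next versioned operation on that secret, flagging any other case as ambiguous rather than guessing. The records are constructed to the shape the post describes (operationName, time, callerIpAddress, properties.id); the vault name kv-sample, the caller addresses and the second version GUID are invented.

```python
"""Correlate Key Vault diagnostic-log records for a secret across operations
whose properties.id carries a version and ones whose does not. Added example;
the records below are constructed to the shape the post describes and are not
real logs."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample (JSON lines). The vault name, caller IPs and the second
# version GUID are invented; the first GUID is the one quoted in the post.
RAW_LOGS = """
{"time":"2019-09-03T10:00:01Z","operationName":"SecretSet","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"id":"https://kv-sample.vault.azure.net/secrets/test1234"}}
{"time":"2019-09-03T10:00:05Z","operationName":"SecretUpdate","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"id":"https://kv-sample.vault.azure.net/secrets/test1234/38b6d47049704298affe8d0b1d3f47fb"}}
{"time":"2019-09-03T10:02:00Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"198.51.100.7","properties":{"id":"https://kv-sample.vault.azure.net/secrets/test1234/38b6d47049704298affe8d0b1d3f47fb"}}
{"time":"2019-09-03T11:00:00Z","operationName":"SecretSet","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"id":"https://kv-sample.vault.azure.net/secrets/other"}}
{"time":"2019-09-03T11:00:02Z","operationName":"SecretSet","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"id":"https://kv-sample.vault.azure.net/secrets/other"}}
{"time":"2019-09-03T11:00:09Z","operationName":"SecretUpdate","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"id":"https://kv-sample.vault.azure.net/secrets/other/0a1b2c3d4e5f60718293a4b5c6d7e8f9"}}
"""


def load_records(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_secret_id(secret_id: str) -> Tuple[str, Optional[str]]:
    """'https://<vault>/secrets/<name>[/<version>]' -> (name, version or None)."""
    tail = secret_id.split("/secrets/", 1)[1].strip("/").split("/")
    return tail[0], (tail[1] if len(tail) > 1 else None)


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def unversioned_sets(records: List[dict]) -> int:
    """How many SecretSet records cannot be tied to a version from the log alone."""
    return sum(
        1 for r in records
        if r["operationName"] == "SecretSet" and split_secret_id(r["properties"]["id"])[1] is None
    )


def correlate(records: List[dict]) -> Dict[str, List[dict]]:
    """Group records by secret name in time order. A SecretSet without a version
    is given the version of the next versioned operation on that secret only if
    it is the sole pending Set; otherwise every pending Set is flagged ambiguous."""
    by_name: Dict[str, List[dict]] = defaultdict(list)
    for r in sorted(records, key=lambda r: parse_time(r["time"])):
        name, version = split_secret_id(r["properties"]["id"])
        by_name[name].append({
            "time": r["time"],
            "op": r["operationName"],
            "caller": r.get("callerIpAddress"),
            "version": version,
            "resolved_version": version,
            "ambiguous": False,
        })
    for events in by_name.values():
        pending: List[dict] = []  # unversioned SecretSet events awaiting a version
        for ev in events:
            if ev["op"] == "SecretSet" and ev["version"] is None:
                pending.append(ev)
            elif ev["version"] is not None and pending:
                if len(pending) == 1:
                    pending[0]["resolved_version"] = ev["version"]
                else:
                    for p in pending:  # two writes, one version: do not guess
                        p["ambiguous"] = True
                pending = []
    return dict(by_name)


if __name__ == "__main__":
    recs = load_records(RAW_LOGS)
    print("SecretSet records without a version:", unversioned_sets(recs))
    for name, events in correlate(recs).items():
        for ev in events:
            print(name, ev["time"], ev["op"], ev["resolved_version"], "ambiguous" if ev["ambiguous"] else "")
```

The ambiguous flag is the important output: two unversioned writes followed by one versioned update cannot be attributed from the log, which is exactly the gap the post describes.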
  19. Auto Rotate Secrets on connected Resources

    Microsoft docs highly recommend that keys/secrets/certificates be rotated at a regular interval for a better security posture.

    The rotation is only possible by writing PowerShell code, and we don't have the luxury of writing and maintaining it for every resource.

    It would be great to have a feature in Key Vault to do that for us when a resource is connected. Resources could be PaaS SQL, Storage account, Azure AD app, etc.

    The Key Vault docs talk about writing PowerShell code to recycle keys on a storage account.
    https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring

    7 votes
    0 comments  ·  Managing application secrets
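The document linked above rotates a storage account's two access keys in turn and publishes the fresh one to Key Vault. The following added example (not code from the post, the document or the Azure SDK) implements that sequence against in-memory stand-ins for the storage account and the vault: regenerate the key that is not currently published, publish it as a new secret version, and leave the other key valid until the next rotation so clients still holding the previous secret keep working. FakeStorageAccount, FakeVault and the keyName tag are assumptions made for the illustration.

```python
"""Two-key rotation against in-memory stand-ins. Added example; FakeStorageAccount
and FakeVault are test doubles written for this illustration, not the Azure SDK."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


class FakeStorageAccount:
    """Stand-in for a resource with two independently regenerable access keys."""

    def __init__(self) -> None:
        self.keys: Dict[str, str] = {"key1": self._new_key(), "key2": self._new_key()}

    @staticmethod
    def _new_key() -> str:
        return secrets.token_urlsafe(32)

    def regenerate(self, key_name: str) -> str:
        """Replace one key; anything still using the old value stops working."""
        if key_name not in self.keys:
            raise KeyError(key_name)
        self.keys[key_name] = self._new_key()
        return self.keys[key_name]

    def is_valid(self, value: str) -> bool:
        return value in self.keys.values()


@dataclass
class SecretVersion:
    value: str
    tags: Dict[str, str]


class FakeVault:
    """Stand-in for a vault: set_secret appends a version, get_secret returns the latest."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[SecretVersion]] = {}

    def set_secret(self, name: str, value: str, tags: Dict[str, str]) -> SecretVersion:
        version = SecretVersion(value, dict(tags))
        self._versions.setdefault(name, []).append(version)
        return version

    def get_secret(self, name: str) -> Optional[SecretVersion]:
        versions = self._versions.get(name)
        return versions[-1] if versions else None


KEY_NAME_TAG = "keyName"  # assumed tag recording which storage key the secret holds


def rotate(storage: FakeStorageAccount, vault: FakeVault, secret_name: str) -> str:
    """One rotation step. Regenerates the key NOT currently published (so no
    client is using it), publishes the new value as a new secret version tagged
    with the key name, and leaves the previously published key valid until the
    next step. Returns the name of the key that was regenerated."""
    current = vault.get_secret(secret_name)
    active = current.tags.get(KEY_NAME_TAG) if current else None
    target = "key2" if active == "key1" else "key1"
    new_value = storage.regenerate(target)
    vault.set_secret(secret_name, new_value, {KEY_NAME_TAG: target})
    return target


if __name__ == "__main__":
    storage, vault = FakeStorageAccount(), FakeVault()
    for _ in range(3):
        rotated = rotate(storage, vault, "storage-key")
        latest = vault.get_secret("storage-key")
        print(f"rotated {rotated}; published value valid: {storage.is_valid(latest.value)}")
```

The rotation interval has to exceed the longest time any client caches the secret: the key regenerated on a given run is the one published two runs earlier, and whoever is still holding it loses access at that moment.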
  20. improve client exceptions around auth failures due to traffic routing failures

    I just spent a couple of days trying to figure out why we couldn't use a service principal to auth against Key Vault from our on-prem servers.

    It turned out we had failed to set up SNAT rules for a bank of machines, but none of the exceptions emitted by the client libraries were at all helpful in figuring this out.

    I've attached sample exceptions we got from the 2 different versions of the nuget packages we tried, but it was basically these 2 messages:

    Exception Message: Access token could not be acquired. Object reference not set to an instance of an…

    1 vote
    0 comments  ·  Other