az cli commands re keyvaults:
=============================

Creating a keyvault:
--------------------

::

    $ az keyvault create -g rg0x001 -l centralus -n dolkv0x001

    # note: keyvaults have a soft delete feature which will retain
    # deleted vaults for a set number of days, defaulting to 90.
    # You specify the retention days and can also purge vaults
    # after they've been deleted.
    #
    # And, apparently, you can't set purge-protection false
    # at the command level.
    $ az keyvault create -g rg0x002 -l centralus -n dolkv0x002 \
        --public-network-access Enabled \
        --retention-days 7 --sku Standard --tags env=test \
        --network-acls-ips ${myip}

Deleting keyvault:
------------------

::

    # vaults stick around in soft-delete unless purged.
    az keyvault delete -g ${rg} -n ${keyvault}

Listing deleted keyvaults:
--------------------------

::

    az keyvault list-deleted --resource-type vault \
        --query '[].{ Name:name, Date:properties.scheduledPurgeDate}' \
        --output table
    Name        Date
    ----------  -------------------------
    dolkv0x003  2023-09-17T19:15:53+00:00

Purging keyvaults:
------------------

::

    # don't need to specify RG
    az keyvault purge -n ${keyvault}

List keyvaults and allowed IP addresses:
----------------------------------------

::

    $ az keyvault list -g rg0x002 \
        --query '[].[name,properties.networkAcls.ipRules[].value]' -o table
    Column1     Column2
    ----------  -------------------
    dolkv0x002  ['${myip}/32']

keyvault list vs show:
----------------------

``az keyvault list`` provides high level info on existing keyvaults::

    $ az keyvault list
    [
      {
        "id": "/subscriptions/413bdb96-713e-4a35-b648-d61a850402e2/resourceGroups/rg0x001/providers/Microsoft.KeyVault/vaults/dolkv0x001",
        "location": "centralus",
        "name": "dolkv0x001",
        "resourceGroup": "rg0x001",
        "tags": {
          "desc": "short term kv test"
        },
        "type": "Microsoft.KeyVault/vaults"
      }
    ]

``az keyvault show -n ${kv}`` shows detailed info on a specific vault::

    # IOW: **lots** of json, including the access policy
    $ az keyvault show -n dolkv0x001 | wc -l
    98

Add tags to existing kv:
------------------------

(or any other resource, potentially)::

    $ az resource update --set tags.desc="short term kv test" \
        --resource-type Microsoft.KeyVault/vaults \
        -g rg0x001 -n dolkv0x001

Setting a secret in the vault:
------------------------------

::

    # Single line secret:
    $ az keyvault secret set \
        --vault-name dolkv0x001 \
        -n dolpwd \
        --value 'this is also my secret; there are many like it'

    # multiline secret:
    $ vi multiline   # add secret
    $ az keyvault secret set --vault-name dolkv0x001 -n multiline --file multiline

    # it is possible to do it in one line:
    $ az keyvault secret set --vault-name dolkv0x001 -n ml2 \
    > --file <(echo "this is my other
    > secret. don't mess with it")

listing secrets:
----------------

same for keys and certs

Listing:
........

::

    $ az keyvault secret list --vault-name dolkv0x001 \
    > --query '[].[name, id]' --output table
    Column1    Column2
    ---------  -------------------------------------------------
    dolpwd     https://dolkv0x001.vault.azure.net/secrets/dolpwd
    pwd        https://dolkv0x001.vault.azure.net/secrets/pwd

NOTE: Just hitting those urls doesn't work. That's a good thing.

showing value:
..............

::

    $ az keyvault secret show -n dolpwd \
        --vault-name dolkv0x001 --query value
    "this is also my secret; there are many like it"

converting a pem key (as stored in vault) to openssh format:
------------------------------------------------------------

::

    $ ssh-keygen -mPKCS8 -if ./dolkv0x001-dolkey0x001-20220605.pem
    ssh-rsa AAAAB3Nza [[long ssh line snipped]]

Importing an existing key to keyvault:
--------------------------------------

key must be in pem format. openssh private keys aren't in the right format::

    $ ssh-keygen -m 'PEM' -t rsa -b 2048 -P 'this is my key' -f ./testkey1
    Generating public/private rsa key pair.
    Your identification has been saved in ./testkey1
    Your public key has been saved in ./testkey1.pub
    The key fingerprint is:
    [[snipped]]
    The key's randomart image is:
    [[snipped]]

set vars appropriately::

    $ az keyvault key import --name $key --vault-name $kv \
        --pem-file ~/.ssh/$key --pem-password "$pf"
    {
      "attributes": {
        "created": "2022-06-05T16:33:58+00:00",
        "enabled": true,
        "expires": null,
        "exportable": null,
        "notBefore": null,
        "recoverableDays": 90,
        "recoveryLevel": "Recoverable+Purgeab [[snip]]

    $ az keyvault key list --vault-name dolkv0x001 --query [].name --output tsv
    dolkey0x001
    testkey1

Downloading public key:
-----------------------

doesn't appear to be a way to download the private key::

    $ az keyvault key download --name $key --vault-name $kv \
        --encoding PEM --file key2
    $ ssh-keygen -mPKCS8 -if ./key2
    ssh-rsa AAAAB3Nza [[long ssh line snipped]]

Creating a backup of a pem formatted key:
-----------------------------------------

first convert openssh to pem::

    az keyvault secret set --name ${key}-pf \
        --value "${pf}" --vault-name $kv \
        --description "SSH Key Passphrase"
    {
      "attributes": {
        "created": "2022-06-05T16:56:24+00:00",
        "enabled": true,
    [[snip]]

    $ az keyvault secret show --vault-name $kv \
        -n ${key}-pf --query value
    "this is my key"

    $ az keyvault secret show --vault-name $kv \
        -n ${key} --query value
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC [[snip]]
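Checking vault settings from the CLI json:
------------------------------------------

Added example (not part of these notes): a Python script that audits the settings toggled in the create and list sections above (soft delete, retention days, purge protection, public network access, IP ACLs) from vault objects in the shape ``az keyvault show -o json`` returns. Property names are as I understand the CLI's output, and the two sample vaults embedded in it are constructed.

```python
import json

# Constructed sample in the shape of `az keyvault show -o json`, cut down
# to the properties this check reads; vault names and IP are made up.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-open",
   "properties": {"enableSoftDelete": true, "enablePurgeProtection": null,
                  "softDeleteRetentionInDays": 7,
                  "publicNetworkAccess": "Enabled",
                  "networkAcls": {"defaultAction": "Allow", "ipRules": []}}},
  {"name": "kv-locked",
   "properties": {"enableSoftDelete": true, "enablePurgeProtection": true,
                  "softDeleteRetentionInDays": 90,
                  "publicNetworkAccess": "Enabled",
                  "networkAcls": {"defaultAction": "Deny",
                                  "ipRules": [{"value": "203.0.113.7/32"}]}}}
]
""")

def audit_vault(vault: dict) -> list[str]:
    """Return the findings for one vault; an empty list means nothing to flag."""
    props = vault.get("properties") or {}
    acls = props.get("networkAcls") or {}
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("soft-delete disabled: a deleted vault is gone for good")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection off: a soft-deleted vault can be purged immediately")
    days = props.get("softDeleteRetentionInDays")
    if days is not None and days < 90:
        findings.append(f"soft-delete retention is {days} days (default is 90)")
    # Public access with a default-Allow ACL exposes the data plane to any IP;
    # with default Deny only the listed ipRules (e.g. ${myip}/32) get through.
    if props.get("publicNetworkAccess", "Enabled") == "Enabled":
        if acls.get("defaultAction", "Allow") == "Allow":
            findings.append("public network access with no IP restrictions")
        else:
            wide = [r["value"] for r in acls.get("ipRules", []) if r["value"].endswith("/0")]
            if wide:
                findings.append(f"IP rules that allow everything: {wide}")
    return findings

def audit_all(vaults: list[dict]) -> dict[str, list[str]]:
    return {v["name"]: audit_vault(v) for v in vaults}

if __name__ == "__main__":
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_VAULTS
    print(json.dumps(audit_all(data if isinstance(data, list) else [data]), indent=2))
```

Pipe real output in with ``az keyvault show -n ${kv} -o json | python3 kvaudit.py``; with no stdin it runs against the embedded sample.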