az cli commands re keyvaults:

Creating a keyvault:

$ az keyvault create -g rg0x001 -l centralus -n dolkv0x001

# note: keyvaults have a soft delete feature which will retain
#       deleted vaults for a set number of days, defaulting to 90.
#       You specify the retention days, and you can also purge vaults
#       after they've been deleted.
#
#       And, apparently, you can't set purge-protection to false
#       at the command level.

$ az keyvault create -g rg0x002 -l centralus -n dolkv0x002 \
  --public-network-access Enabled \
  --retention-days 7 --sku Standard --tags env=test \
  --network-acls-ips ${myip}

Deleting a keyvault:

# vaults stick around in soft-delete unless purged.
az keyvault delete -g ${rg} -n ${keyvault}

Listing deleted keyvaults:

az keyvault list-deleted --resource-type vault --query '[].{
  Name:name,
  Date:properties.scheduledPurgeDate}' \
  --output table
Name        Date
----------  -------------------------
dolkv0x003  2023-09-17T19:15:53+00:00

Purging keyvaults:

# don't need to specify RG
az keyvault purge -n ${keyvault}

List keyvaults and allowed IP addresses:

$ az keyvault list -g rg0x002 --query '[].[name,properties.networkAcls.ipRules[].value]' -o table
Column1     Column2
----------  -------------------
dolkv0x002  ['${myip}/32']

keyvault list vs show:

az keyvault list provides high level info on existing keyvaults:

$ az keyvault list
[
  {
    "id": "/subscriptions/413bdb96-713e-4a35-b648-d61a850402e2/resourceGroups/rg0x001/providers/Microsoft.KeyVault/vaults/dolkv0x001",
    "location": "centralus",
    "name": "dolkv0x001",
    "resourceGroup": "rg0x001",
    "tags": {
      "desc": "short term kv test"
    },
    "type": "Microsoft.KeyVault/vaults"
  }
]

az keyvault show -n ${kv} shows detailed info on specific vaults:

# IOW: **lots** of json including policy
$ az keyvault show -n dolkv0x001 | wc -l
98
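As an added example (not from these notes, and not part of the az cli), a small Python audit over the JSON that az keyvault show emits, checking the soft-delete / purge-protection settings from the note near the top and the network ACL / allowed-IP settings from the list query above. The sample JSON, the vault name, the IP 203.0.113.7/32 and the 90-day threshold are constructed for the example; pipe real `az keyvault show -n <vault>` output (or a JSON list of such objects) into it to audit your own vaults.

```python
import json
import sys

# Constructed sample modelled on the shape of `az keyvault show -n <vault>`
# output, trimmed to the fields the checks below read. Not real vault output.
SAMPLE_VAULT_JSON = """
{
  "name": "dolkv0x002",
  "location": "centralus",
  "properties": {
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 7,
    "enablePurgeProtection": null,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [{"value": "203.0.113.7/32"}],
      "virtualNetworkRules": []
    }
  }
}
"""


def audit_vault(vault, expected_ips=None, min_retention_days=90):
    """Return a list of (severity, message) findings for one vault dict.

    expected_ips: optional allow-list of CIDRs; any ipRules entry outside it
    is flagged. min_retention_days: soft-delete retention floor (assumed 90).
    """
    findings = []
    props = vault.get("properties") or {}
    name = vault.get("name", "<unknown>")

    # Soft delete keeps a deleted vault recoverable; short retention or no
    # purge protection means a deleted vault can be gone for good quickly.
    if not props.get("enableSoftDelete"):
        findings.append(("HIGH", f"{name}: soft delete disabled"))
    retention = props.get("softDeleteRetentionInDays")
    if retention is not None and retention < min_retention_days:
        findings.append(("MEDIUM", f"{name}: retention {retention}d < {min_retention_days}d"))
    if not props.get("enablePurgeProtection"):
        findings.append(("MEDIUM", f"{name}: purge protection not enabled"))

    # Network exposure: public access with defaultAction=Allow means the
    # ipRules list is not actually restricting anything.
    acls = props.get("networkAcls") or {}
    public = props.get("publicNetworkAccess", "Enabled") == "Enabled"
    if public and acls.get("defaultAction", "Allow") == "Allow":
        findings.append(("HIGH", f"{name}: reachable from any public IP (defaultAction=Allow)"))
    if expected_ips is not None:
        actual = {rule["value"] for rule in acls.get("ipRules", [])}
        extra = actual - set(expected_ips)
        if extra:
            findings.append(("MEDIUM", f"{name}: unexpected ipRules {sorted(extra)}"))
    return findings


def audit_json(text, **kwargs):
    """Audit one vault object or a JSON list of them; returns all findings."""
    data = json.loads(text)
    vaults = data if isinstance(data, list) else [data]
    findings = []
    for vault in vaults:
        findings.extend(audit_vault(vault, **kwargs))
    return findings


if __name__ == "__main__":
    # Usage: az keyvault show -n <vault> | python audit_kv.py [allowed-cidr ...]
    allowed = sys.argv[1:] or None
    for severity, message in audit_json(sys.stdin.read(), expected_ips=allowed):
        print(f"{severity}: {message}")
```

On the constructed sample this reports two findings (7-day retention and no purge protection); the Deny default action with a single allowed /32 passes the network checks.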

Add tags to existing kv:

(or any other resource, potentially):

$ az resource update --set tags.desc="short term kv test" \
  --resource-type Microsoft.KeyVault/vaults \
  -g rg0x001 -n dolkv0x001

Setting a secret in the vault:

# Single line secret:
$ az keyvault secret set \
    --vault-name dolkv0x001 \
    -n dolpwd \
    --value 'this is also my secret; there are many like it'

# multiline secret:
$ vi multiline # add secret
$ az keyvault secret set --vault-name dolkv0x001 -n multiline --file multiline

# it is possible to do it in one line:
$ az keyvault secret set --vault-name dolkv0x001 -n ml2 \
> --file <(echo "this is my other
> secret.  don't mess with it")

listing secrets:

(same for keys and certs)

Listing:

$ az keyvault secret list --vault-name dolkv0x001 \
>   --query '[].[name, id]' --output table
Column1    Column2
---------  -------------------------------------------------
dolpwd     https://dolkv0x001.vault.azure.net/secrets/dolpwd
pwd        https://dolkv0x001.vault.azure.net/secrets/pwd

NOTE: Just hitting those urls doesn't work.  That's a good thing.

showing value:

$ az keyvault secret show -n dolpwd \
--vault-name dolkv0x001  --query value
"this is also my secret; there are many like it"

converting a pem key (as stored in vault) to openssh format:

$ ssh-keygen -mPKCS8 -if ./dolkv0x001-dolkey0x001-20220605.pem
ssh-rsa AAAAB3Nza [[long ssh line snipped]]

Importing an existing key to keyvault:

key must be in pem format. openssh private keys aren’t in the right format:

$ ssh-keygen -m 'PEM' -t rsa -b 2048 -P 'this is my key' -f ./testkey1
Generating public/private rsa key pair.
Your identification has been saved in ./testkey1
Your public key has been saved in ./testkey1.pub
The key fingerprint is: [[snipped]]
The key's randomart image is: [[snipped]]

set vars appropriately:

$ az keyvault key import --name $key --vault-name $kv --pem-file ~/.ssh/$key --pem-password "$pf"
{
  "attributes": {
    "created": "2022-06-05T16:33:58+00:00",
    "enabled": true,
    "expires": null,
    "exportable": null,
    "notBefore": null,
    "recoverableDays": 90,
    "recoveryLevel": "Recoverable+Purgeab
[[snip]]

$ az keyvault key list --vault-name dolkv0x001 --query [].name --output tsv
dolkey0x001
testkey1

Downloading public key:

there doesn't appear to be a way to download the private key:

$ az keyvault key download --name $key --vault-name $kv \
  --encoding PEM --file key2
$ ssh-keygen -mPKCS8 -if ./key2
ssh-rsa AAAAB3Nza [[long ssh line snipped]]

Creating a backup of a pem formatted key:

first convert openssh to pem (as above), then store the passphrase (and the key) as secrets:

az keyvault secret set --name ${key}-pf \
--value "${pf}" --vault-name $kv \
--description "SSH Key Passphrase"
{
  "attributes": {
    "created": "2022-06-05T16:56:24+00:00",
    "enabled": true,
[[snip]]

$ az keyvault secret show --vault-name $kv \
-n ${key}-pf --query value
"this is my key"
$ az keyvault secret show --vault-name $kv \
-n ${key} --query value
"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC
[[snip]]