Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data: cryptographic keys, secrets, certificates and managed storage accounts.
AzureKeyVault is an R package for working with the Key Vault service. It provides both a client interface, to access the contents of the vault, and a Resource Manager interface for administering the Key Vault itself.
The primary repo for this package is at https://github.com/Azure/AzureKeyVault; please submit issues and PRs there. It is also mirrored at the Cloudyr org at https://github.com/cloudyr/AzureKeyVault. You can install the development version of the package from GitHub:
devtools::install_github("Azure/AzureKeyVault")
AzureKeyVault extends the AzureRMR package to handle key vaults. In addition to creating and deleting vaults, it provides methods to manage access policies for user and service principals.
# create a key vault
rg <- AzureRMR::get_azure_login()$
    get_subscription("sub_id")$
    get_resource_group("rgname")
kv <- rg$create_key_vault("mykeyvault")

# list current principals (by default includes logged-in user)
kv$list_principals()

# get details for a service principal
svc <- AzureGraph::get_graph_login()$
    get_service_principal("app_id")

# give the service principal read-only access to vault keys and secrets
kv$add_principal(svc,
    key_permissions=c("get", "list", "backup"),
    secret_permissions=c("get", "list", "backup"),
    certificate_permissions=NULL,
    storage_permissions=NULL)
The client interface is R6-based. To instantiate a new client object, call the key_vault function. This object includes sub-objects for interacting with keys, secrets, certificates and managed storage accounts.
vault <- key_vault("https://mykeyvault.vault.azure.net")

# can also be done from the ARM resource object
vault <- kv$get_endpoint()

# create a new secret
vault$secrets$create("newsecret", "hidden text")
secret <- vault$secrets$get("newsecret")

# printing the value won't display it; this is to help guard against shoulder-surfing
secret$value
#> <hidden>

# create a new RSA key with 4096-bit key size
vault$keys$create("newkey", type="RSA", rsa_key_size=4096)

# encrypting and decrypting
key <- vault$keys$get("newkey")
plaintext <- "super secret"
ciphertext <- key$encrypt(plaintext)
decrypted_text <- key$decrypt(ciphertext, as_raw=FALSE)
plaintext == decrypted_text
#> [1] TRUE

# create a new self-signed certificate (will also create an associated key and secret)
cert <- vault$certificates$create("newcert",
    subject="CN=mydomain.com",
    x509=cert_x509_properties(dns_names="mydomain.com"))

# import a certificate from a PFX file
vault$certificates$import("importedcert", "mycert.pfx")

# OAuth authentication using a cert in Key Vault (requires AzureAuth >= 1.0.2)
AzureAuth::get_azure_token("resource_url", "mytenant", "app_id", certificate=cert)

# export the certificate as a PEM file
# (you should only export a cert if absolutely necessary)
cert$export("newcert.pem")

# add a managed storage account
storage_res <- rg$get_resource(type="Microsoft.Storage/storageAccounts", name="mystorage")
stor <- vault$storage$add("mystorage", storage_res, "key1")

# creating a new SAS definition
sasdef <- "sv=2015-04-05&ss=bqtf&srt=sco&sp=r"
stor$create_sas_definition("newsas", sasdef, validity_period="P30D")
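The encrypt/decrypt calls above go straight to the vault's RSA key, which limits each call to a payload a little smaller than the key size and keeps the key in Key Vault. For larger data the usual pattern is envelope encryption: encrypt the data locally under a fresh AES key and let the vault key protect only that AES key. The following is an added example, not code from the AzureKeyVault package; it assumes the vault client and the "newkey" RSA key created above, uses the openssl package, and passes the AES key to key$encrypt as a base64 string because that is the call shape the examples above show.

```r
library(AzureKeyVault)
library(openssl)

# Envelope-encrypt 'data' (character or raw) under the vault key named 'key_name'.
# The data-encryption key (DEK) exists only in memory here; the vault's RSA key
# (the key-encryption key, KEK) never leaves Key Vault.
envelope_encrypt <- function(vault, key_name, data) {
    kek <- vault$keys$get(key_name)
    dek <- rand_bytes(32)                       # 256-bit AES key, fresh per payload
    payload <- if (is.character(data)) charToRaw(data) else data
    body <- aes_gcm_encrypt(payload, dek)       # openssl stores the IV as an attribute
    # key$encrypt is shown on this page taking a character string, so the raw DEK
    # is base64-encoded before being wrapped with the RSA key (default RSA-OAEP)
    wrapped <- kek$encrypt(base64_encode(dek))
    rm(dek)
    list(key_name = key_name,
         wrapped_dek = wrapped,
         iv = attr(body, "iv"),
         body = body)
}

# Reverse the process: unwrap the DEK via the vault, then decrypt locally.
# The caller's access policy needs the "decrypt" key permission for this step;
# the read-only policy (get/list/backup) shown earlier on this page is not enough.
envelope_decrypt <- function(vault, env, as_text = TRUE) {
    kek <- vault$keys$get(env$key_name)
    dek <- base64_decode(kek$decrypt(env$wrapped_dek, as_raw = FALSE))
    plain <- aes_gcm_decrypt(env$body, dek, iv = env$iv)
    if (as_text) rawToChar(plain) else plain
}

# constructed sample payload, larger than a single RSA-OAEP call could handle
msg <- paste(rep("customer record 0000 | balance 12.34", 200), collapse = "\n")
env <- envelope_encrypt(vault, "newkey", msg)
stopifnot(identical(envelope_decrypt(vault, env), msg))
```

The returned list (wrapped DEK, IV and ciphertext) is safe to store together, since recovering the plaintext requires a decrypt operation against the vault, which is logged and access-controlled there.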