Accessing Azure Key Vault Secret through Azure Key Vault REST API using an Azure AD app

Bonus: A console application that shows how to get the data using the technique mentioned below.

Recently my colleague Vardhaman wrote an article on how to get sensitive information in Azure Functions using Key Vault. It’s a brilliant article and that inspired me to write this article.

In this article we will see how to access a secret stored in Azure Key Vault using plain HTTP requests. This can be used in any application that needs to retrieve a secret from the key vault.

We will start by registering an app in Azure AD and then add that app to the access policies of the key vault. After that we will send a couple of HTTP requests: one to get an access token and one to get a secret’s value.

Azure AD app

After that, create a key for the app using the steps mentioned in the earlier article. Copy the “Client Id” and the “Key” into a notepad, as we need these later.

Azure AD App credentials

Also copy the directory id from the properties into a notepad, as we need this later.

Directory Id

Key Vault

Secret1 in key vault

Now we have to authorize the Azure AD app created earlier to use the secret. To do that, click on “Access Policies” and then “+ Add New”.

Click “Select Principal”, (search and) select the Azure AD application created earlier and grant the “Get” permission under “Secret permissions”.

App access policy

Save the access policy by clicking on “Save”.

Copy the “Key Vault” URL into a file, as we need this later. It can be found on the “Overview” screen of the key vault.

That’s it on the Key Vault side. Now switch to Postman.

Postman

To create an environment, click on the “cog” in the top right corner to open the “Manage Environments” window and then click on “Add”. Provide a relevant name for the environment and then add the following variables.

Environment in Postman

Access Token Request

The URL will be

https://login.microsoftonline.com/{{directoryId}}/oauth2/v2.0/token

{{directoryId}} is an environment variable, so when we send the request {{directoryId}} will be replaced with the value we specified earlier.

Click on the “Body” tab of the request and add the following key/value pairs.

Note: the value of scope is “https://vault.azure.net/.default”.

Body for getting access token

Now click on the “Tests” tab in the request and add the following JavaScript.

// Runs after the response arrives (legacy Postman scripting API).
// Parse the JSON body of the token response...
var json = JSON.parse(responseBody);
// ...and store the access_token in an environment variable so the next request can reference it as {{azureApp_bearerToken}}.
postman.setEnvironmentVariable("azureApp_bearerToken", json.access_token);

This code runs after the request is made. It extracts the access token from the response, creates an environment variable called “azureApp_bearerToken” and assigns the retrieved access token as its value.

Storing the access token in the environment

The request is now composed. Save it and click on “Send”. This will return the JSON response, which contains the access token.

Sending the request

“Get Secret” Request

https://yourkeyvaultname.vault.azure.net/secrets/Secret1?api-version=2016-10-01

where “yourkeyvaultname” is the name of your key vault (the host part of the “Key Vault” URL copied earlier).

More details on the Key Vault REST API can be found here.

To specify the access token for the request, click on the “Headers” tab and add the following.

The request is now composed. Save it and click “Send”. This will return a JSON response (similar to the one shown below) containing the secret’s value and other details.

If the request fails with a token-related error, run the token request once again and then re-send the “Get Secret” request.
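The two requests above, as an added example that is not the article’s console application: a small Node.js (18+) module that performs the token request and the “Get Secret” request, caches the token until shortly before it expires, and refreshes it once when Key Vault answers 401 (the manual “run the token request again” step). The directory id, client id, client secret and vault name in SAMPLE_CONFIG are assumed placeholders, and makeFakeFetch is a constructed offline stand-in for fetch so the flow can be run without an Azure subscription; pass no second argument to KeyVaultClient to use the real fetch.

```javascript
// Added example (not the article's console app): the Postman walkthrough's two
// requests as a Node.js (18+) module. Placeholder values stand in for the
// Client Id, Key, Directory Id and vault name copied from the portal earlier.
const KEY_VAULT_SCOPE = "https://vault.azure.net/.default";
const KEY_VAULT_API_VERSION = "2016-10-01";

// Request 1: client-credentials grant at the v2.0 token endpoint; the form
// fields are the key/value pairs entered on the Postman "Body" tab.
function buildTokenRequest({ directoryId, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: KEY_VAULT_SCOPE,
  });
  return {
    url: `https://login.microsoftonline.com/${directoryId}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Request 2: Key Vault "Get Secret" with the bearer token in the Authorization header.
function buildSecretRequest({ vaultName, secretName, accessToken }) {
  return {
    url: `https://${vaultName}.vault.azure.net/secrets/${encodeURIComponent(secretName)}?api-version=${KEY_VAULT_API_VERSION}`,
    method: "GET",
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

class KeyVaultClient {
  // fetchImpl is injectable so the flow can be exercised offline.
  constructor(config, fetchImpl = globalThis.fetch) {
    this.config = config; // { directoryId, clientId, clientSecret, vaultName }
    this.fetchImpl = fetchImpl;
    this.cached = null; // { accessToken, expiresAt }: plays the Postman environment variable's role
  }

  async getAccessToken(now = Date.now()) {
    // Reuse the token until a minute before expiry rather than one token request per call.
    if (this.cached && this.cached.expiresAt - 60_000 > now) return this.cached.accessToken;
    const req = buildTokenRequest(this.config);
    const res = await this.fetchImpl(req.url, req);
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const json = await res.json(); // same extraction as the Postman "Tests" script
    this.cached = { accessToken: json.access_token, expiresAt: now + json.expires_in * 1000 };
    return this.cached.accessToken;
  }

  async getSecret(secretName, retried = false) {
    const accessToken = await this.getAccessToken();
    const req = buildSecretRequest({ vaultName: this.config.vaultName, secretName, accessToken });
    const res = await this.fetchImpl(req.url, req);
    if (res.status === 401 && !retried) {
      this.cached = null; // token rejected (typically expired): refresh once and retry
      return this.getSecret(secretName, true);
    }
    if (!res.ok) throw new Error(`get secret failed: HTTP ${res.status}`);
    const json = await res.json();
    return { value: json.value, id: json.id }; // `value` is the secret itself: never log it
  }
}

// Constructed offline stand-in for fetch(): canned replies shaped like the real
// responses. The first token issued is rejected, so the expired-token path runs.
function makeFakeFetch() {
  let issued = 0;
  const reply = (status, json) => ({ ok: status < 300, status, json: async () => json });
  return async (url, opts) => {
    if (url.startsWith("https://login.microsoftonline.com/")) {
      const p = new URLSearchParams(opts.body);
      if (p.get("grant_type") !== "client_credentials" || p.get("scope") !== KEY_VAULT_SCOPE) {
        return reply(400, { error: "invalid_request" });
      }
      issued += 1;
      return reply(200, { token_type: "Bearer", expires_in: 3599, access_token: `token-${issued}` });
    }
    if (url.startsWith("https://examplevault.vault.azure.net/secrets/Secret1?") &&
        opts.headers.Authorization === "Bearer token-2") {
      return reply(200, { value: "constructed-secret-value", id: "https://examplevault.vault.azure.net/secrets/Secret1/0123" });
    }
    return reply(401, { error: { code: "Unauthorized" } }); // stale, missing or unknown token
  };
}

// Assumed placeholder configuration; replace with the values copied from the portal.
const SAMPLE_CONFIG = {
  directoryId: "00000000-0000-0000-0000-000000000000",
  clientId: "11111111-1111-1111-1111-111111111111",
  clientSecret: "client-secret-placeholder",
  vaultName: "examplevault",
};

if (typeof require !== "undefined" && require.main === module) {
  // Offline demo; omit the second argument to use the real fetch against Azure.
  new KeyVaultClient(SAMPLE_CONFIG, makeFakeFetch()).getSecret("Secret1")
    .then((s) => console.log("secret id:", s.id, "value length:", s.value.length));
}
```

The client secret and the cached token are the two values worth protecting here: keep them out of logs and out of any shared Postman environment export, and let the 401 retry (not a blanket retry on every error) handle token expiry.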

Console Application

Console app output

SharePoint developer at Content+Cloud.