Accessing Azure Key Vault Secret through Azure Key Vault REST API using an Azure AD app

Anoop
5 min read · Aug 16, 2018


Bonus: A console application that shows how to get the data using the technique mentioned below.

Recently my colleague Vardhaman wrote an article on how to get sensitive information in Azure Functions using Key Vault. It’s a brilliant article and that inspired me to write this article.

In this article we will see how to read a secret stored in Azure Key Vault using two plain HTTP requests. Because nothing here depends on an SDK, the same approach works from any application or tool that can make HTTP calls.

We will start by registering an app in Azure AD and then add that app to the access policies of the key vault. After that we will send two HTTP requests: one to get an access token and one to read the secret’s value.

Azure AD app

To register an app in Azure AD follow the normal steps. Various blogs explain how to register an app; one of them, by Microsoft, is here. The name I have used for the app is “DEV Key Vault”.

After that create a key (the app’s client secret) using the steps mentioned in the earlier article. Copy the “Client Id” and the “Key” somewhere safe as we need them later. The Key is a credential equivalent to a password for the app: treat it like one, and do not commit it to source control or paste it into shared notes.

Azure AD App credentials

Also copy the directory id (the tenant id) from the Azure AD properties, as we need this later.

Directory Id

Key Vault

Create a Key Vault or navigate to an existing key vault and add a secret called “Secret1”. The value that I have added for it is “Secret Value 1”.

Secret1 in key vault

Now we have to authorize the Azure AD app created earlier to read the secret. To do that, click on “Access Policies” and then “+Add New”.

Click “Select Principal”, search for and select the Azure AD application created earlier, and grant only the “Get” permission under Secret permissions. That is all this scenario needs; an app that only has to read a secret should not be given List, Set or Delete, nor any Key or Certificate permissions.

App access policy

Save the access policy by clicking on “Save”.

Copy the Key Vault URL (the DNS Name shown on the key vault’s “Overview” screen, of the form https://yourkeyvaultname.vault.azure.net/) to a file, as we need it later.

That’s it on the Key Vault side. Now switch to Postman.

Postman

One of the first things I like to do in Postman is creating an environment. An environment can be thought of as a container of variables that can be used in all the requests.

To create an environment click on the “cog” in the top right corner to open the “Manage Environments” window and then click on “Add”. Provide a relevant name for the environment and then add variables for the values collected so far: the directory id, the client id, the key and the key vault URL.

Environment in Postman

Access Token Request

Now that the environment is set up, it’s time to send a POST request to get the token. Create a new request in Postman, name it “Get Access Token For Key Vault” and change its request type to “POST”.

The URL will be

https://login.microsoftonline.com/{{directoryId}}/oauth2/v2.0/token

{{directoryId}} is an environment variable, so when we send the request it is replaced with the value we specified earlier.

Click on the “Body” tab of the request, choose the form-url-encoded option and add the key/value pairs of an OAuth2 client credentials grant: grant_type with the value client_credentials, client_id with the Client Id copied earlier, client_secret with the Key, and scope.

Note: the value of scope is “https://vault.azure.net/.default”. The .default scope requests whatever permissions the app has on the Key Vault resource, and the token that comes back has https://vault.azure.net as its audience, which is what the vault checks before it accepts the token.

Body for getting access token

Now click on the “Tests” tab in the request and add the following JavaScript.

// Runs after the response arrives: parse the JSON body and keep the
// access token in the environment so the next request can use it.
var json = pm.response.json();
pm.environment.set("azureApp_bearerToken", json.access_token);

This code runs after the response is received. It extracts the access token from the JSON response and stores it in an environment variable called “azureApp_bearerToken”, which the next request references. Note that this puts a live bearer token (and the client secret, if you stored the Key as a variable) into the Postman environment: anyone who can read or export that environment can read your secrets, so do not share or commit it.

Storing the access token in the environment

The request is now composed; save it and click “Send”. The JSON response contains the access token in access_token, along with expires_in, the number of seconds the token stays valid.

Sending the request

“Get Secret” Request

Create a new GET request in Postman called “Get Secret” with the URL similar to the one below:

https://yourkeyvaultname.vault.azure.net/secrets/Secret1?api-version=2016-10-01

where “yourkeyvaultname” is the name of your key vault. Without a version segment the API returns the current version of the secret; append /{version} after the secret name to read a specific version.

More details on Key Vault REST API can be found here

To specify the access token for the request, click on the “Headers” tab and add an Authorization header with the value Bearer {{azureApp_bearerToken}} (the variable saved by the test script of the token request).

The request is now composed. Save it and click “Send”. This returns a JSON response containing the secret’s value (value), its versioned identifier (id) and attributes such as whether it is enabled and when it was created and updated.

If Key Vault answers 401 Unauthorized, the token has most likely expired (its lifetime is roughly an hour), so run the token request again and then re-send the “Get Secret” request. A 403 Forbidden instead means the token was accepted but the app is missing the “Get” secret permission in the vault’s access policy.

Console Application

I have created a console application to demonstrate the same flow. It makes the two HTTP requests described above and prints the secret.

Console app output
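As an added example (not the author’s console application, whose code is not reproduced here), the following Python script performs the same two requests with only the standard library: the client credentials POST to login.microsoftonline.com and the GET to the vault’s /secrets/{name} endpoint. The transport is pluggable, so the flow can be run offline: the FakeAzure class returns constructed responses (not captured from Azure) that also exercise the two failure cases discussed above, a 401 for a rejected token, which the client answers by fetching a fresh token and retrying once, and a 403 for a missing access policy. The tenant, client and vault names in demo() are placeholders, and the caching and retry logic is this example’s, not something the article describes.

```python
# Added example, not the article's console application: the two requests from
# the walkthrough as a standard-library client with a pluggable transport.
import json, time
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
KV_SCOPE = "https://vault.azure.net/.default"  # the scope from the article
KV_API_VERSION = "2016-10-01"                   # the api-version from the article

def urllib_transport(method, url, headers, body=None):
    """Real HTTP. Returns (status, raw body); non-2xx is returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def build_token_request(tenant_id, client_id, client_secret):
    """URL, headers and form body of the client-credentials grant (Postman's Body tab)."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the app "Key" created earlier
        "scope": KV_SCOPE,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant_id), headers, urllib.parse.urlencode(form).encode()

def build_secret_request(vault_url, name, token, version=None):
    """URL and Authorization header for GET /secrets/{name}[/{version}]."""
    path = "/secrets/" + urllib.parse.quote(name, safe="")
    if version:  # no version segment means "current version"
        path += "/" + urllib.parse.quote(version, safe="")
    url = f"{vault_url.rstrip('/')}{path}?api-version={KV_API_VERSION}"
    return url, {"Authorization": f"Bearer {token}"}

class KeyVaultClient:
    """Caches the token; refreshes it shortly before expiry or after a 401."""
    def __init__(self, tenant_id, client_id, client_secret,
                 transport=urllib_transport, clock=time.time):
        self._creds = (tenant_id, client_id, client_secret)
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Reuse the cached token until a minute before expires_in runs out.
        if self._token and self._clock() < self._expires_at - 60:
            return self._token
        status, raw = self._transport("POST", *build_token_request(*self._creds))
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status} {raw[:200]!r}")
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data.get("expires_in", 3600))
        return self._token

    def get_secret(self, vault_url, name, version=None):
        """Returns (value, versioned id). Retries once with a fresh token on 401."""
        def fetch():
            return self._transport("GET", *build_secret_request(vault_url, name, self.token(), version))
        status, raw = fetch()
        if status == 401:  # token rejected: the article's "run the token request again" step
            self._token = None
            status, raw = fetch()
        if status == 403:
            raise PermissionError("app lacks the Get secret permission in the vault's access policy")
        if status != 200:
            raise RuntimeError(f"get secret failed: HTTP {status} {raw[:200]!r}")
        data = json.loads(raw)
        return data["value"], data["id"]

class FakeAzure:
    """Constructed responses (not captured from Azure); the first token it issues is rejected."""
    issued = 0  # tokens handed out so far
    def __call__(self, method, url, headers, body=None):
        if url.endswith("/oauth2/v2.0/token"):
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["client_credentials"] or form.get("scope") != [KV_SCOPE]:
                return 400, b'{"error":"invalid_request"}'
            self.issued += 1
            tok = {"token_type": "Bearer", "expires_in": 3599, "access_token": f"tok{self.issued}"}
            return 200, json.dumps(tok).encode()
        if headers.get("Authorization") == "Bearer tok1":
            return 401, b'{"error":{"code":"Unauthorized"}}'
        if "/secrets/Forbidden" in url:
            return 403, b'{"error":{"code":"Forbidden"}}'
        secret = {"value": "Secret Value 1", "id": url.split("?")[0] + "/0123456789abcdef"}
        return 200, json.dumps(secret).encode()

def demo():
    """Offline run: returns (secret value, number of token requests made)."""
    fake = FakeAzure()  # swap for urllib_transport and real ids to talk to Azure
    client = KeyVaultClient("tenant-id", "client-id", "client-secret", transport=fake)
    value, _ = client.get_secret("https://yourkeyvaultname.vault.azure.net", "Secret1")
    return value, fake.issued

if __name__ == "__main__":
    print(demo())  # ('Secret Value 1', 2): first token rejected, refreshed once
```

To run it against a real vault, pass your tenant id, client id and key to KeyVaultClient with the default transport and use your vault URL; the client secret should come from an environment variable or a secret store rather than a literal in the script.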


Anoop

Microsoft MVP. M365 Developer Architect at Content+Cloud.