Accessing Azure Key Vault Secret through Azure Key Vault REST API using an Azure AD app
Bonus: A console application that shows how to get the data using the technique mentioned below.
Recently my colleague Vardhaman wrote an article on how to get sensitive information in Azure Functions using Key Vault. It’s a brilliant article and that inspired me to write this article.
In this article we will see a way to access a secret stored in Azure Key Vault using a couple of HTTP requests. This can be used in any application where you want to retrieve a secret from the key vault.
We will start by registering an app in Azure AD and then add that app to the access policies of the key vault. After that we will send two HTTP requests: one to get an access token and one to get the secret’s value.
Azure AD app
To register an app in Azure AD follow the normal steps. You can find various blogs that explain how to register an app, one of them by Microsoft is here. The name for the app I have used is “DEV Key Vault”.
After that, create a key for the app using the steps mentioned in the earlier article. Copy the “Client Id” and the “Key” into a notepad as we need these later.
Also copy the directory id from the properties into a notepad as we need this later.
Key Vault
Create a Key Vault or navigate to an existing key vault and add a secret called “Secret1”. The value that I have added for it is “Secret Value 1”.
Now we have to authorize the Azure AD app created earlier to use the secret. To do that, click on “Access Policies” and then “+Add New”.
Click “Select Principal”, (search and) select the Azure AD application created earlier and grant the “get” permission under secret permissions.
Save the access policy by clicking on “Save”.
Copy the “Key Vault” URL into a file as we need this later. This can be found on the “Overview” screen of the key vault.
That’s it on the Key Vault side. Now switch to Postman.
Postman
One of the first things I like to do in Postman is creating an environment. An environment can be thought of as a container of variables that can be used in all the requests.
To create an environment, click on the “cog” in the top right corner to open the “Manage Environments” window and then click on “Add”. Provide a relevant name for the environment and then add the following variables.
Access Token Request
Now that the environment is set up, it’s time to send a POST request to get the token. Create a new request in Postman, name it “Get Access Token For Key Vault” and change its request type to “POST”.
The URL will be
https://login.microsoftonline.com/{{directoryId}}/oauth2/v2.0/token
{{directoryId}} is an environment variable. So when we send the request {{directoryId}} will be replaced with the value we specified earlier.
Click on the “Body” tab of the request and add the following key/value pairs.
Note: the value of scope is “https://vault.azure.net/.default”.
Now click on “Tests” tab in the request and add the following javascript.
var json = JSON.parse(responseBody);
postman.setEnvironmentVariable("azureApp_bearerToken", json.access_token);
This code runs after the response arrives. It extracts the access token from the JSON response, creates an environment variable called “azureApp_bearerToken” and sets its value to the retrieved access token.
The request is now composed, save it and click on “Send”. This will provide the json response which has access token in it.
“Get Secret” Request
Create a new GET request in Postman called “Get Secret” with the URL similar to the one below:
https://yourkeyvaultname.vault.azure.net/secrets/Secret1?api-version=2016-10-01
where “yourkeyvaultname” is the name of your key vault.
More details on the Key Vault REST API can be found here.
To specify the access token for the request, click on the “Headers” tab and add the following header.
The request is now composed. Save it and click send. This will return a json response (similar to the one shown below) which will have the secret’s value and other details.
If there is a token-related error (for example an expired token), run the token request once again and then re-send the “Get Secret” request.
Console Application
I have created a console application to demonstrate the same. The console application makes the two HTTP requests mentioned above and gets the required data.
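As an added example (not the article’s console application), the same two requests written as Node.js functions: the client-credentials token request, the “Get Secret” request with the Bearer header, and the article’s “re-run the token request” advice implemented as a single retry on 401. The HTTP transport is injected so a constructed fake transport can exercise the flow offline; in real use pass globalThis.fetch (Node 18+). The directory id, client id, key and vault name are placeholders.

```javascript
const TOKEN_SCOPE = "https://vault.azure.net/.default";   // value from the article
const KV_API_VERSION = "2016-10-01";                       // value from the article

// Request 1: client-credentials POST to the v2.0 token endpoint (form-encoded body).
function buildTokenRequest(env) {
  const body = new URLSearchParams({ grant_type: "client_credentials",
    client_id: env.clientId, client_secret: env.clientSecret, scope: TOKEN_SCOPE });
  return { url: `https://login.microsoftonline.com/${env.directoryId}/oauth2/v2.0/token`,
    options: { method: "POST", body: body.toString(),
      headers: { "Content-Type": "application/x-www-form-urlencoded" } } };
}

// Request 2: GET the secret, presenting the token in the Authorization header.
function buildSecretRequest(env, secretName, token) {
  const url = new URL(`/secrets/${encodeURIComponent(secretName)}`, env.keyVaultUrl);
  url.searchParams.set("api-version", KV_API_VERSION);
  return { url: url.toString(),
    options: { method: "GET", headers: { Authorization: `Bearer ${token}` } } };
}

async function fetchToken(transport, env) {
  const { url, options } = buildTokenRequest(env);
  const res = await transport(url, options);
  const json = await res.json();
  if (res.status !== 200 || !json.access_token) throw new Error(`token request failed: ${res.status}`);
  return json.access_token;
}

// On 401 (missing/expired token) re-run the token request once and retry, as the article advises.
async function getSecretValue(transport, env, secretName, cachedToken) {
  let token = cachedToken || (await fetchToken(transport, env));
  for (let attempt = 0; ; attempt++) {
    const { url, options } = buildSecretRequest(env, secretName, token);
    const res = await transport(url, options);
    const json = await res.json();
    if (res.status === 200) return { value: json.value, token };
    if (res.status !== 401 || attempt > 0) throw new Error(`get secret failed: ${res.status}`);
    token = await fetchToken(transport, env);
  }
}

// Constructed fake transport (no network): any token request succeeds; a GET with a stale token
// gets 401, a GET with the fresh token returns a constructed secret response.
function fakeTransport(url, options) {
  const reply = (status, body) => Promise.resolve({ status, json: () => Promise.resolve(body) });
  if (url.includes("/oauth2/v2.0/token")) return reply(200, { token_type: "Bearer", expires_in: 3599, access_token: "fresh-token" });
  if (options.headers.Authorization !== "Bearer fresh-token") return reply(401, { error: { code: "Unauthorized" } });
  return reply(200, { value: "Secret Value 1", id: `${url.split("?")[0]}/constructed-version` });
}

// Placeholder environment, mirroring the Postman variables from the article.
const demoEnv = { directoryId: "<directory-id>", clientId: "<client-id>", clientSecret: "<key>",
  keyVaultUrl: "https://yourkeyvaultname.vault.azure.net" };
```

Calling getSecretValue(fakeTransport, demoEnv, "Secret1", "stale-token") walks the full flow: the stale token is rejected with 401, a fresh token is fetched, and the retried GET returns the secret value.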