This post is a simple walk-through of how to set up Azure Key Vault for use from a web site that is not hosted on Azure.
Get an Azure account
Go to http://portal.azure.com and set up an account.
Get PowerShell and Azure PowerShell
Install PowerShell.
After installation is complete, open a PowerShell command prompt and run:
Install-Module -Name AzureRM
Sign in
# Import the module into the PowerShell session
Import-Module AzureRM
# Connect to Azure with an interactive dialog for sign-in
Connect-AzureRmAccount
Create a new resource group
New-AzureRmResourceGroup -Name 'MyResourceGroup' -Location 'East US'
Create an Azure Key vault
New-AzureRmKeyVault -VaultName 'MyKeyVault' -ResourceGroupName 'MyResourceGroup' -Location 'East US'
Vault URI: https://mykeyvault.vault.azure.net/. Apps that use the REST API access the vault through this URI.
Note: the vault has to have a globally unique name. mykeyvault is already taken, so use something different.
Add a secret to the Azure Key Vault
$secretvalue = ConvertTo-SecureString '!Passw0rd' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MyPassword' -SecretValue $secretvalue
Secret URI:
https://mykeyvault.vault.azure.net/secrets/MyPassword
To display the URI for this secret, type:
$secret.Id
To view your secret in the vault (this lists the vault's secrets, not their values), type:
Get-AzureKeyVaultSecret -VaultName 'MyKeyVault'
Authorize app to access the Azure Key Vault
Note: the service principal name will be the client ID (sometimes referred to as the application ID) of your app. Replace the sample GUID below with your own.
To get secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName 'MyKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToSecrets Get
To access keys
Set-AzureRmKeyVaultAccessPolicy -VaultName 'MyKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToKeys decrypt,sign
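How a site outside Azure would then read the secret over the REST API, using only the Get permission granted above. This is an added example, not part of the original post. It assumes an Azure AD app registration with a client secret already exists; the environment variable names KV_TENANT_ID and KV_CLIENT_SECRET are hypothetical, and the client ID is the sample GUID used above.

```powershell
# Added example. KV_TENANT_ID and KV_CLIENT_SECRET are hypothetical names;
# the client ID is the sample value from this post, replace it with your own.
$tenantId     = $env:KV_TENANT_ID
$clientId     = '8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed'
$clientSecret = $env:KV_CLIENT_SECRET   # keep out of source and config files
$secretUri    = 'https://mykeyvault.vault.azure.net/secrets/MyPassword'

if (-not $tenantId -or -not $clientSecret) {
    throw 'Set KV_TENANT_ID and KV_CLIENT_SECRET before running.'
}

# Step 1: client-credentials grant against Azure AD, scoped to Key Vault.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        resource      = 'https://vault.azure.net'
    }

# Step 2: read the secret with the bearer token. Omitting a version in the
# URI returns the current version of the secret.
try {
    $response = Invoke-RestMethod -Method Get `
        -Uri "${secretUri}?api-version=2016-10-01" `
        -Headers @{ Authorization = "Bearer $($token.access_token)" }
}
catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 403) {
        # Token was valid, but the vault's access policy rejected the caller.
        throw "403 Forbidden: no 'Get' permission on secrets for $clientId."
    }
    throw
}

# $response.value holds the plaintext secret: use it in memory, do not log it.
$password = $response.value
Write-Host "Retrieved $($response.id) (value length: $($password.Length))"
```

A 403 here with a valid token means the Set-AzureRmKeyVaultAccessPolicy step was skipped or was applied to a different service principal.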