How to use the secret uri to get the secret value stored in the azure keyvault?


By using the ARM APIs I am able to fetch the secret URI of the secret stored in Azure Key Vault:

 https://management.azure.com/subscriptions/{mySubID}/resourceGroups/{myResourcegroup}/providers/Microsoft.KeyVault/vaults/{myvaultName}/secrets/{mycert}?api-version=2015-06-01

But I want the secret value in order to form a PFX cert and upload it to a service.

How can I achieve this?

Please help! Thanks in advance.

There are 3 answers

Hari Priya Thangavel (BEST ANSWER)

This worked for me

GET https://{vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version={api-version}

Reference: https://learn.microsoft.com/en-us/rest/api/keyvault/getsecret

NOTE:

I was not successful with this in the beginning; later I found out that I was using a token obtained from https://management.core.windows.net

Apparently it failed with InvalidAuthenticationTokenAudience: The access token has been obtained from wrong audience or resource

So remember you have to get the token for https://vault.azure.net
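As an added example (not from the question or from any of the answers), here is the same GET done from Python, with a client-side check of the token's aud claim so the wrong-audience failure described above is caught before the request is sent, and with the base64 value of a certificate's secret decoded into the raw PFX bytes the asker needs. The vault name, secret name, version, sample token and sample response below are all constructed for the example; the token helper builds an unsigned JWT purely so the audience check can be exercised offline and is not a usable credential.

```python
import base64
import io
import json
import urllib.request
from urllib.parse import urlparse, urlunparse

KEY_VAULT_AUDIENCE = "https://vault.azure.net"   # resource the token must be issued for
API_VERSION = "2016-10-01"


def _b64url_decode(data):
    """Decode base64url, restoring the padding that JWT segments omit."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def token_audience(token):
    """Return the 'aud' claim of a JWT.

    No signature check here: this is a sanity check on a token we obtained
    ourselves, and Key Vault validates the signature anyway. It only tells us
    which resource the token was requested for, which is exactly what the
    InvalidAuthenticationTokenAudience error is about.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", "")
    return aud[0] if isinstance(aud, list) else aud


def audience_ok(token):
    """True if the token was issued for Key Vault (trailing slash tolerated)."""
    return token_audience(token).rstrip("/") == KEY_VAULT_AUDIENCE


def secret_get_url(secret_id, api_version=API_VERSION):
    """Turn a secret identifier, https://{vault}.vault.azure.net/secrets/{name}[/{version}],
    into the data-plane GET URL. A missing version means the latest version."""
    u = urlparse(secret_id)
    if u.scheme != "https" or not u.netloc.endswith(".vault.azure.net"):
        raise ValueError("not a Key Vault secret identifier: %s" % secret_id)
    segs = [s for s in u.path.split("/") if s]
    if segs[:1] != ["secrets"] or len(segs) not in (2, 3):
        raise ValueError("unexpected secret identifier path: %s" % u.path)
    return urlunparse(("https", u.netloc, "/" + "/".join(segs), "",
                       "api-version=" + api_version, ""))


def parse_secret_response(body):
    """Return (secret_bytes, content_type).

    A certificate's secret carries the PFX as base64 with contentType
    application/x-pkcs12; decode it to raw bytes ready to write to a .pfx
    file. Any other secret is returned as its UTF-8 bytes unchanged.
    """
    doc = json.loads(body)
    ctype = doc.get("contentType", "")
    if ctype == "application/x-pkcs12":
        return base64.b64decode(doc["value"]), ctype
    return doc["value"].encode("utf-8"), ctype


def get_secret(secret_id, token, opener=urllib.request.urlopen):
    """GET the secret. `opener` is injectable so the flow can run offline."""
    if not audience_ok(token):
        raise ValueError("token audience is %r, Key Vault needs %s"
                         % (token_audience(token), KEY_VAULT_AUDIENCE))
    req = urllib.request.Request(secret_get_url(secret_id),
                                 headers={"Authorization": "Bearer " + token})
    with opener(req) as resp:
        return parse_secret_response(resp.read())


# ---- constructed fixtures: no real vault, no real token (hypothetical names) ----

def make_unsigned_token(aud):
    """Build an alg=none JWT with the given audience, only so token_audience()
    can be exercised offline. It is not a credential anything would accept."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc({"aud": aud}) + "."


SAMPLE_SECRET_ID = "https://contoso.vault.azure.net/secrets/mycert/0123456789abcdef"
SAMPLE_PFX = b"0\x82\x01\x00" + b"\x00" * 12   # fake PKCS#12 bytes, not a real PFX


def fake_opener(req):
    """Stand-in for urlopen: answers like Key Vault does for a certificate's secret."""
    assert req.get_header("Authorization", "").startswith("Bearer ")
    body = {"value": base64.b64encode(SAMPLE_PFX).decode(),
            "contentType": "application/x-pkcs12",
            "id": SAMPLE_SECRET_ID}
    return io.BytesIO(json.dumps(body).encode())


if __name__ == "__main__":
    good = make_unsigned_token(KEY_VAULT_AUDIENCE)
    wrong = make_unsigned_token("https://management.core.windows.net/")
    pfx, ctype = get_secret(SAMPLE_SECRET_ID, good, opener=fake_opener)
    print(ctype, len(pfx), "bytes of PFX")
    try:
        get_secret(SAMPLE_SECRET_ID, wrong, opener=fake_opener)
    except ValueError as e:
        print("rejected:", e)
```

With a real token from `az account get-access-token --resource https://vault.azure.net`, drop the `opener` argument and write the returned bytes to a `.pfx` file. The audience check only covers tokens from the v1 endpoint, where aud is the resource URL; tokens from the v2 endpoint carry the Key Vault application id as aud instead, so for those the check would need the id rather than the URL.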

Tom Sun

> I wanted a secret value to form a PFX cert in order to upload to a service.

We could do that with the following API.

GET https://{Secret Identifier}?api-version=2016-10-01

For more details please refer to this. About authentication, please refer to this document.

Note: The authority for a request to a Key Vault is always as follows, https://vault.azure.net/

We could get the Secret Identifier from the API you mentioned. We could also get it from the Azure portal.

I tested it on my side and it works correctly. For more details please refer to the screenshot.

No Refunds No Returns

FWIW I used a PowerShell script similar to the one below to get a Key Vault secret value. Great Q and great A (not mine, those). In case it's not clear, the az command is part of the Azure CLI.

# Ask the Azure CLI for a token whose audience is Key Vault (https://vault.azure.net),
# not the ARM/management endpoint; az returns JSON with tokenType and accessToken
$keyvaultToken = (az account get-access-token --resource https://vault.azure.net) | ConvertFrom-Json
$headers = @{"Authorization" = "$($keyvaultToken.tokenType) $($keyvaultToken.accessToken)"}
# Call the vault's data plane directly; vault name, secret name and version come from the secret identifier
$resp = Invoke-WebRequest -Uri https://vaultname.vault.azure.net/secrets/secretName/secretVersion?api-version=2016-10-01 -Headers $headers
# The secret value is in the "value" field of the JSON body
$json = $resp.Content | ConvertFrom-Json
$json.value