AzureKeyVault/README.md

AzureKeyVault

R interface to Azure Key Vault, a secure service for managing private keys, secrets and certificates.

You can install the development version of the package from GitHub:

devtools::install_github("cloudyr/AzureKeyVault")

Resource Manager interface

AzureKeyVault extends the AzureRMR package to handle key vaults. In addition to creating and deleting vaults, it provides methods to manage access policies for user and service principals.

# create a key vault
rg <- AzureRMR::get_azure_login()$
    get_subscription("sub_id")$
    get_resource_group("rgname")
kv <- rg$create_key_vault("mykeyvault")

# list current principals (by default includes logged-in user)
kv$list_principals()

# get details for a service principal
svc <- AzureGraph::get_graph_login()$
    get_service_principal("app_id")

# give the service principal read-only access to vault keys and secrets
kv$add_principal(svc,
    key_permissions=c("get", "list", "backup"),
    secret_permissions=c("get", "list", "backup"),
    certificate_permissions=NULL,
    storage_permissions=NULL)

Client interface

The client interface is R6-based. To access the vault, instantiate a new object of class key_vault. This object includes sub-objects for interacting with keys, secrets, certificates and managed storage accounts.

vault <- key_vault$new("https://mykeyvault.vault.azure.net")

# can also be done from the ARM resource object
vault <- kv$get_endpoint()


# create a new secret
vault$secrets$create("newsecret", "hidden text")
secret <- vault$secrets$get("newsecret")
secret$value
#> [1] "hidden text"


# create a new RSA key with 4096-bit key size
vault$keys$create("newkey", properties=key_properties(type="RSA", rsa_key_size=4096))

# encrypting and decrypting
key <- vault$keys$get("newkey")
plaintext <- "super secret"
ciphertext <- key$encrypt(plaintext)
decrypted_text <- key$decrypt(ciphertext, as_raw=FALSE)
plaintext == decrypted_text
#> [1] TRUE


# create a new self-signed certificate (will also create an associated key and secret)
cert <- vault$certificates$create("newcert",
    subject="CN=mydomain.com",
    x509=cert_x509_properties(dns_names="mydomain.com"))

# export the certificate as a PEM file
cert$export("newcert.pem")

# import a certificate from a PFX file
vault$certificates$import("importedcert", "mycert.pfx")


# add a managed storage account
stor <- rg$get_resource(type="Microsoft.Storage/storageAccounts", name="mystorage")
vault$storage$add("mystorage", stor, "key1")

---