Introduction
Azure Key Vault is a cloud service that provides a secure and centralized way to store and manage secrets, keys, and certificates used by applications and services. It helps teams avoid hardcoding sensitive values like API keys, connection strings, or passwords directly into code or configuration files.
In this guide, you will learn how to update and retrieve secrets from Azure Key Vault using the REST API - a useful approach for automation scripts, CI/CD pipelines, and external integrations where using an SDK is not preferred or available.
Prerequisites
- An Azure Key Vault - if you don't already have one, create it from the Azure portal.
- At least one secret inside the Key Vault - click Generate/Import inside the vault to create your first secret.
Enable Azure RBAC on the Key Vault (Required)
- Azure Key Vault supports two permission models: Vault Access Policy (legacy) and Azure RBAC. To use IAM role assignments (like Key Vault Secrets Officer), your Key Vault must have Azure RBAC enabled. Without this, role assignments won't grant access to secrets.
- For a new Key Vault: During creation, go to the Access configuration tab and under Permission model, select Azure role-based access control (RBAC).
For an existing Key Vault:
- Open your Key Vault in the Azure Portal.
- Go to Settings → Access configuration.
- Under the Permission model, select Azure role-based access control.
- Click Save.
Important: If you switch an existing Key Vault from Vault Access Policy to Azure RBAC, all previously configured access policies will stop working. Make sure you reassign equivalent Azure roles before or immediately after switching.
Create an Azure AD App Registration (Required)
- To access Key Vault through the REST API, you must authenticate with an Azure AD application.
Assign API Permissions
- Go to: API Permissions → Add Permission → Azure Key Vault → Delegated Permissions.
- Select:
user_impersonation - Then click Grant Admin consent.
Create a Client Secret
- In the App Registration:
- Go to Certificates & Secrets
- Click New client secret
- Copy the generated secret value (you will need it in API calls)
Copy the Client ID and Tenant ID
- From the Overview page of your App Registration, copy:
- Client ID (Application ID)
- Tenant ID (Directory ID)
Assign IAM Role on the Key Vault
- To allow the App Registration to get or update secrets, assign it one of the following roles:
- Key Vault Secrets Officer OR Key Vault Administrator
- Path: Key Vault → Access control (IAM) → Add Role Assignment
- Select the role and assign it to your App Registration.
Generate an Access Token
- Before calling the Key Vault REST API, you must generate an OAuth 2.0 access token.
- Method: POST
- URL: https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token
- Headers: Content-Type: application/x-www-form-urlencoded
- Body:
client_id={ClientId}&scope=https://vault.azure.net/.default&client_secret={ClientSecret}&grant_type=client_credentials - This returns an access_token used in all Key Vault requests.
Get Secret Value from Azure Key Vault
- Use this API to retrieve a secret.
- Method: GET
- URL: https://{Key_Vault_Name}.vault.azure.net/secrets/{Secret_Name}?api-version=2026-02-01
- Headers: Authorization: Bearer {Access_Token}
- Content-Type: application/json
Set or Update a Secret in Azure Key Vault
- Use the PUT Request to create or update a secret.
- Method: PUT
- URL: https://{Key_Vault_Name}.vault.azure.net/secrets/{Secret_Name}?api-version=2026-02-01
- Headers: Authorization: Bearer {Access_Token}
- Content-Type: application/json
- Body:
{ "value": "{Value}", "tags": { "source": "Postman" }, "contentType": "text/plain" }
Conclusion
With these steps, you can easily authenticate through Azure AD, retrieve secrets, and update values in Azure Key Vault using REST API calls. This approach is beneficial for automation, CI/CD pipelines, and external integrations where SDKs are not preferred.
If you have any questions, you can reach out to our Azure Cloud Consulting team here.
No comments:
Post a Comment