Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data:
AzureKeyVault is an R package for working with the Key Vault service. It provides both a client interface, to access the contents of the vault, and a Resource Manager interface for administering the Key Vault itself.
The primary repo for this package is at https://github.com/Azure/AzureKeyVault; please submit issues and PRs there. It is also mirrored at the Cloudyr org at https://github.com/cloudyr/AzureKeyVault. You can install the development version of the package from GitHub:
devtools::install_github("Azure/AzureKeyVault")
AzureKeyVault extends the AzureRMR package to handle key vaults. In addition to creating and deleting vaults, it provides methods to manage access policies for user and service principals.
# create a key vault
rg <- AzureRMR::get_azure_login()$
get_subscription("sub_id")$
get_resource_group("rgname")
kv <- rg$create_key_vault("mykeyvault")
# list current principals (by default includes logged-in user)
kv$list_principals()
# get details for a service principal
svc <- AzureGraph::get_graph_login()$
get_service_principal("app_id")
# give the service principal read-only access to vault keys and secrets
kv$add_principal(svc,
key_permissions=c("get", "list", "backup"),
secret_permissions=c("get", "list", "backup"),
certificate_permissions=NULL,
storage_permissions=NULL)
The client interface is R6-based. To instantiate a new client object, call the key_vault
function. This object includes sub-objects for interacting with keys, secrets, certificates and managed storage accounts.
vault <- key_vault("https://mykeyvault.vault.azure.net")
# can also be done from the ARM resource object
vault <- kv$get_endpoint()
# create a new secret
vault$secrets$create("newsecret", "hidden text")
secret <- vault$secrets$get("newsecret")
# printing the value won't display it; this is to help guard against shoulder-surfing
secret$value
#> <hidden>
# create a new RSA key with 4096-bit key size
vault$keys$create("newkey", type="RSA", rsa_key_size=4096)
# encrypting and decrypting
key <- vault$keys$get("newkey")
plaintext <- "super secret"
ciphertext <- key$encrypt(plaintext)
decrypted_text <- key$decrypt(ciphertext, as_raw=FALSE)
plaintext == decrypted_text
#> [1] TRUE
# create a new self-signed certificate (will also create an associated key and secret)
cert <- vault$certificates$create("newcert",
subject="CN=mydomain.com",
x509=cert_x509_properties(dns_names="mydomain.com"))
# import a certificate from a PFX file
vault$certificates$import("importedcert", "mycert.pfx")
# OAuth authentication using a cert in Key Vault (requires AzureAuth >= 1.0.2)
AzureAuth::get_azure_token("resource_url", "mytenant", "app_id", certificate=cert)
# export the certificate as a PEM file
# (you should only export a cert if absolutely necessary)
cert$export("newcert.pem")
# add a managed storage account
storage_res <- rg$get_resource(type="Microsoft.Storage/storageAccounts", name="mystorage")
stor <- vault$storage$add("mystorage", storage_res, "key1")
# Creating a new SAS definition
sasdef <- "sv=2015-04-05&ss=bqtf&srt=sco&sp=r"
stor$create_sas_definition("newsas", sasdef, validity_period="P30D")
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.