Class representing a key vault, exposing methods for working with it.
The following methods are available, in addition to those provided by the AzureRMR::az_resource class:

new(...): Initialize a new key vault object. See 'Initialization' below.
add_principal(principal, ...): Add an access policy for a user or service principal. See 'Access policies' below.
get_principal(principal): Retrieve the access policy for a user or service principal.
remove_principal(principal): Remove access for a user or service principal.
get_endpoint(): Return the vault endpoint. See 'Endpoint' below.
Initializing a new object of this class can either retrieve an existing key vault, or create a new vault on the host. The recommended way to initialize an object is via the get_key_vault, create_key_vault or list_key_vaults methods of the az_resource_group class, which handle the details automatically.
Client access to a key vault is governed by its access policies, which are set on a per-principal basis. Each principal (user or service) can have different permissions granted, for keys, secrets, certificates, and storage accounts.
To grant access, use the add_principal method. This has signature

    add_principal(principal, tenant = NULL,
        key_permissions = "all",
        secret_permissions = "all",
        certificate_permissions = "all",
        storage_permissions = "all")
The principal can be a GUID, an object of class vault_access_policy, or a user, app or service principal object from the AzureGraph package. Note that the app ID of a registered app is not the same as the ID of its service principal.

The tenant must be a GUID; if this is NULL, it will be taken from the tenant of the key vault resource.
Here are the possible permissions for keys, secrets, certificates, and storage accounts. The permission "all" means to grant all permissions.
Keys: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge"
Secrets: "get", "list", "set", "delete", "recover", "backup", "restore", "purge"
Certificates: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers", "purge"
Storage accounts: "get", "list", "update", "set", "delete", "recover", "backup", "restore", "regeneratekey", "getsas", "listsas", "setsas", "deletesas", "purge"
To revoke access, use the remove_principal method. To view the current access policy, use get_principal or list_principals.
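The permission lists above are the vocabulary for a least-privilege review of a vault. The following added example (not code from the AzureKeyVault package or its documentation) walks the vault's current access policies and reports any principal holding "all" or one of a configurable set of high-impact permissions. It assumes that list_principals() returns a list of vault_access_policy objects, each with an objectId field and a permissions list with entries named keys, secrets, certificates and storage, mirroring the Resource Manager representation of an access policy; those field names are an assumption, not documented on this page.

```r
# Added example; not part of the AzureKeyVault package or its documentation.
# Audits a vault's access policies against a least-privilege baseline:
# any principal holding "all", or a permission in the `risky` set, is reported.
# Assumption: list_principals() returns a list of vault_access_policy objects,
# each with an objectId field and a permissions list whose entries are named
# keys, secrets, certificates and storage (the ARM access-policy layout).
audit_access_policies <- function(kv,
    risky = c("all", "purge", "delete", "decrypt", "sign", "regeneratekey"))
{
    policies <- kv$list_principals()
    findings <- lapply(policies, function(pol)
    {
        perms <- pol$permissions
        # per permission type, keep only the grants that exceed the baseline;
        # a type with no grants (NULL) yields character(0) and drops out
        flagged <- lapply(perms, function(p) intersect(tolower(p), risky))
        flagged <- flagged[lengths(flagged) > 0]
        if(length(flagged) == 0)
            return(NULL)
        list(objectId = pol$objectId, flagged = flagged)
    })
    Filter(Negate(is.null), findings)
}

# print one line per over-privileged principal and return the count invisibly
report_findings <- function(findings)
{
    for(f in findings)
    {
        detail <- vapply(names(f$flagged), function(type)
            sprintf("%s=[%s]", type, paste(f$flagged[[type]], collapse = ",")),
            character(1))
        cat(f$objectId, ": ", paste(detail, collapse = "; "), "\n", sep = "")
    }
    invisible(length(findings))
}

# usage, with kv obtained from a resource group as in the examples on this page:
# report_findings(audit_access_policies(kv))
```

The default risky set is deliberately small: "all" defeats the purpose of per-type grants, "purge" and "delete" are destructive, "decrypt" and "sign" let a principal use keys rather than merely read metadata, and "regeneratekey" rotates storage account keys. Extend or narrow the set to match the vault's own baseline.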
The client-side interaction with a key vault is via its endpoint, which is usually at the URL https://[vaultname].vault.azure.net. The get_endpoint method returns an R6 object of class key_vault, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.

    get_endpoint(tenant = self$token$tenant,
        app = self$token$client$client_id,
        password = self$token$client$client_secret, ...)
To access the key vault independently of Resource Manager (for example if you are a user without admin or owner access to the vault resource), use the key_vault function.
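As an added example (not code from the AzureKeyVault package or its documentation), the following reaches the vault through its endpoint with a dedicated service principal via the key_vault function, independently of Resource Manager, reads one secret, and then checks that a principal granted only get/list on secrets is refused when it tries to write. The angle-bracket values are placeholders, the KV_CLIENT_SECRET environment variable is assumed to hold the client secret, and the secrets$get and secrets$set methods of the endpoint object are assumed to exist with the signatures shown.

```r
# Added example; not part of the AzureKeyVault package or its documentation.
# Reaches the vault through its endpoint with a dedicated service principal,
# bypassing Resource Manager, reads one secret, and confirms that a principal
# holding only get/list on secrets cannot write. Angle-bracket values are
# placeholders; the client secret comes from an environment variable
# (assumed name KV_CLIENT_SECRET) so it never appears in source or history.
library(AzureKeyVault)

vault <- key_vault("https://<vaultname>.vault.azure.net",
    tenant = "<tenant-guid>",
    app = "<app-id>",
    password = Sys.getenv("KV_CLIENT_SECRET"))

# equivalent when a Resource Manager login and az_key_vault object are available:
# vault <- kv$get_endpoint()

# read a secret; keep only what is needed in memory and never print the value
db_pw <- vault$secrets$get("<secret-name>")$value
stopifnot(nzchar(db_pw))

# a write attempt by a read-only principal should be refused by the service;
# use a throwaway secret name so a misconfigured grant cannot clobber real data,
# and surface the refusal without echoing any secret material
write_allowed <- tryCatch({
    vault$secrets$set("<probe-secret-name>", "probe")
    TRUE
}, error = function(e) {
    message("write refused as expected: ", conditionMessage(e))
    FALSE
})
stopifnot(!write_allowed)
```

If the final check fails, the service principal holds more than get/list on secrets and its access policy should be tightened with add_principal as described above.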
vault_access_policy, key_vault create_key_vault, get_key_vault, delete_key_vault, AzureGraph::get_graph_login, AzureGraph::az_user, AzureGraph::az_app, AzureGraph::az_service_principal
Azure Key Vault documentation, Azure Key Vault API reference
    ## Not run:
    # recommended way of retrieving a resource: via a resource group object
    kv <- resgroup$get_key_vault("mykeyvault")

    # list principals that have access to the vault
    kv$list_principals()

    # grant a user full access (the default)
    usr <- AzureGraph::get_graph_login()$
        get_user("username@aadtenant.com")
    kv$add_principal(usr)

    # grant a service principal read access to keys and secrets only
    svc <- AzureGraph::get_graph_login()$
        get_service_principal(app_id="app_id")
    kv$add_principal(svc,
        key_permissions=c("get", "list"),
        secret_permissions=c("get", "list"),
        certificate_permissions=NULL,
        storage_permissions=NULL)

    # alternatively, supply a vault_access_policy with the listed permissions
    pol <- vault_access_policy(svc,
        key_permissions=c("get", "list"),
        secret_permissions=c("get", "list"),
        certificate_permissions=NULL,
        storage_permissions=NULL)
    kv$add_principal(pol)

    # revoke the service principal's access
    kv$remove_principal(svc)

    # get the endpoint object
    vault <- kv$get_endpoint()
    ## End(Not run)