storage_account: Managed storage account

In cloudyr/AzureKeyVault: Key and Secret Management in 'Azure'

Description

This class represents a storage account that Key Vault will manage access to. It provides methods for regenerating keys, and managing shared access signatures (SAS).

This class represents a secret stored in a vault.

Fields

This class provides the following fields:

• id: The internal vault ID of the storage account.

• resourceId: The Azure resource ID of the storage account.

• activeKeyName: The current active storage account key.

• autoRegenerateKey: Whether Key Vault will manage the storage account's key.

• regenerationPeriod: How often the account key is regenerated, in ISO 8601 format.

This class provides the following fields:

• value: The value of the secret.

• id: The ID of the secret.

• kid: If this secret backs a certificate, the ID of the corresponding key.

• managed: Whether this secret's lifetime is managed by Key Vault. TRUE if the secret backs a certificate.

• contentType: The content type of the secret.

Methods

This class provides the following methods:

regenerate_key(key_name)
create_sas_definition(sas_name, sas_template, validity_period, sas_type="account",
                      enabled=TRUE, recovery_level=NULL, ...)
delete_sas_definition(sas_name, confirm=TRUE)
get_sas_definition(sas_name)
list_sas_definitions()
show_sas(sas_name)

update_attributes(attributes=vault_object_attrs(), ...)
remove(confirm=TRUE)

This class provides the following methods:

update_attributes(attributes=vault_object_attrs(), ...)
list_versions()
set_version(version=NULL)
delete(confirm=TRUE)

Arguments

• key_name: For regenerate_key, the name of the access key to regenerate.

• sas_name: The name of a SAS definition.

• sas_template: A string giving the details of the SAS to create. See 'Details' below.

• validity_period: How long the SAS should be valid for.

• sas_type: The type of SAS to generate, either "account" or "service".

• enabled: Whether the SAS definition. is enabled.

• recovery_level: The recovery level of the SAS definition.

• ...: For create_sas_definition, other named arguments to use as tags for a SAS definition. For update_attributes, additional account-specific properties to update. See storage_accounts.

• attributes: For update_attributes, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the vault_object_attrs helper function.

• confirm: For delete and delete_sas_definition, whether to ask for confirmation before deleting.

• attributes: For update_attributes, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the vault_object_attrs helper function.

• ...: For update_attributes, additional secret-specific properties to update. See secrets.

• version: For set_version, the version ID or NULL for the current version.

• confirm: For delete, whether to ask for confirmation before deleting the secret.

Details

create_sas_definition creates a new SAS definition from a template. This can be created from the Azure Portal, via the Azure CLI, or in R via the AzureStor package (see examples). get_sas_definition returns a list representing the template definition; show_sas returns the actual SAS.

regenerate_key manually regenerates an access key. Note that if the vault is setup to regenerate keys automatically, you won't usually have to use this method.

Unlike the other objects stored in a key vault, storage accounts are not versioned.

A secret can have multiple versions, which are automatically generated when a secret is created with the same name as an existing secret. By default, the most recent (current) version is used for secret operations; use list_versions and set_version to change the version.

The value is stored as an object of S3 class "secret_value", which has a print method that hides the value to guard against shoulder-surfing. Note that this will not stop a determined attacker; as a general rule, you should minimise assigning secrets or passing them around your R environment. If you want the raw string value itself, eg when passing it to jsonlite::toJSON or other functions which do not accept arbitrary object classes as inputs, use unclass to strip the class attribute first.

Value

For create_sas_definition and get_sas_definition, a list representing the SAS definition. For list_sas_definitions, a list of such lists.

For show_sas, a string containing the SAS.

For list_versions, a data frame containing details of each version.

For set_version, the secret object with the updated version.

See Also

storage_accounts

Azure Key Vault documentation, Azure Key Vault API reference

secrets

Azure Key Vault documentation, Azure Key Vault API reference

Examples

## Not run: 

vault <- key_vault("mykeyvault")

# get the storage account details
library(AzureStor)
res <- AzureRMR::get_azure_login()$
    get_subscription("sub_id")$
    get_resource_group("rgname")$
    get_storage_account("mystorageacct")

stor <- vault$storage$create("mystor", res, "key1")

# Creating a new SAS definition
today <- Sys.time()
sasdef <- res$get_account_sas(expiry=today + 7*24*60*60, services="b", permissions="rw")
stor$create_sas_definition("newsas", sasdef, validity_period="P15D")

stor$show_sas("newsas")


## End(Not run)
## Not run: 

vault <- key_vault("mykeyvault")

vault$secrets$create("mynewsecret", "secret text")
# new version of an existing secret
vault$secrets$create("mynewsecret", "extra secret text"))

secret <- vault$secrets$get("mynewsecret")
vers <- secret$list_versions()
secret$set_version(vers[2])

# printing the value will not show the secret
secret$value  # "<hidden>"


## End(Not run)

cloudyr/AzureKeyVault documentation built on Sept. 19, 2021, 8:49 a.m.