This sample demonstrates how to create, get, update, and delete a key in Azure Key Vault. To get started, you'll need a URI to an Azure Key Vault. See the README for links and instructions.
To create a new KeyClient
to create, get, update, or delete keys, you need the endpoint to an Azure Key Vault and credentials.
Key Vault Keys client for C++ currently supports the ClientSecretCredential
for authenticating.
In the sample below, you can create a credential by setting the Tenant ID, Client ID and client secret as environment variables.
auto tenantId = std::getenv("AZURE_TENANT_ID");
auto clientId = std::getenv("AZURE_CLIENT_ID");
auto clientSecret = std::getenv("AZURE_CLIENT_SECRET");
auto credential = std::make_shared<Azure::Identity::ClientSecretCredential>(tenantId, clientId, clientSecret);
Then, in the sample below, you can set keyVaultUrl
based on an environment variable, configuration setting, or any way that works for your application.
KeyClient keyClient(std::getenv("AZURE_KEYVAULT_URL"), credential);
Let's create an RSA key valid for 1 year. If the key already exists in the Azure Key Vault, then a new version of the key is created.
auto rsaKey = CreateRsaKeyOptions(rsaKeyName);
rsaKey.KeySize = 2048;
rsaKey.ExpiresOn = std::chrono::system_clock::now() + std::chrono::hours(24 * 365);
keyClient.CreateRsaKey(rsaKey);
Let's get the cloud RSA key from the Azure Key Vault.
KeyVaultKey cloudRsaKey = keyClient.GetKey(rsaKeyName).ExtractValue();
std::cout << "Key is returned with name " << cloudRsaKey.Name() << " and type "
<< KeyType::KeyTypeToString(cloudRsaKey.GetKeyType()) << std::endl;
After one year, the cloud RSA key is still required, so we need to update the expiry time of the key. The update method can be used to update the expiry attribute of the key.
cloudRsaKey.Properties.ExpiresOn
= cloudRsaKey.Properties.ExpiresOn.GetValue() + std::chrono::hours(24 * 365);
KeyVaultKey updatedKey = keyClient.UpdateKeyProperties(cloudRsaKey.Properties).ExtractValue();
std::cout << "Key's updated expiry time is " << updatedKey.Properties.ExpiresOn->ToString()
<< std::endl;
We need the cloud RSA key with bigger key size, so you want to update the key in Azure Key Vault to ensure it has the required size.
Calling CreateRsaKey
on an existing key creates a new version of the key in the Azure Key Vault with the new specified size.
CreateRsaKeyOptions newRsaKey(rsaKeyName);
newRsaKey.KeySize = 4096;
newRsaKey.ExpiresOn = std::chrono::system_clock::now() + std::chrono::hours(24 * 365);
keyClient.CreateRsaKey(newRsaKey);
The cloud RSA key is no longer needed, so we need to delete it from the Key Vault.
DeleteKeyOperation operation = keyClient.StartDeleteKey(rsaKeyName);
If the Azure Key Vault is soft delete-enabled and you want to permanently delete the key before its ScheduledPurgeDate
,
the deleted key needs to be purged. Before it can be purged, you need to wait until the key is fully deleted.
// You only need to wait for completion if you want to purge or recover the key.
operation.PollUntilDone(std::chrono::milliseconds(2000));
keyClient.PurgeDeletedKey(rsaKeyName);