This sample demonstrates how to create a key, update the rotation policy of the key, rotate the key in Azure Key Vault. To get started, you'll need a URI to an Azure Key Vault. See the README for links and instructions.
To create a new KeyClient
to create, get, update, or delete keys, you need the endpoint to an Azure Key Vault and credentials.
Key Vault Keys client for C++ currently supports any TokenCredential
for authenticating.
In the sample below, you can create a credential by setting the Tenant ID, Client ID and client secret as environment variables.
auto credential = std::make_shared<Azure::Identity::DefaultAzureCredential>();
Then, in the sample below, you can set keyVaultUrl
based on an environment variable, configuration setting, or any way that works for your application.
KeyClient keyClient(std::getenv("AZURE_KEYVAULT_URL"), credential);
Let's create an EC key. If the key already exists in the Azure Key Vault, then a new version of the key is created.
auto keyName = "RotateKey-" + Azure::Core::Uuid::CreateUuid().ToString();
auto createKeyResponse = keyClient.CreateEcKey(CreateEcKeyOptions(keyName));
std::cout << "Created key " << createKeyResponse.Value.Name() << "with id "
<< createKeyResponse.Value.Id() << " and version "
<< createKeyResponse.Value.Properties.Version << std::endl;
Next we will define the key rotation policy as needed.
KeyRotationPolicy policy;
LifetimeActionsType lifetimeAction1;
lifetimeAction1.Trigger.TimeBeforeExpiry = "P18M";
lifetimeAction1.Action = LifetimeActionType::Notify;
policy.LifetimeActions.emplace_back(lifetimeAction1);
LifetimeActionsType lifetimeAction2;
lifetimeAction2.Action = LifetimeActionType::Rotate;
lifetimeAction2.Trigger.TimeBeforeExpiry = "P30D";
policy.LifetimeActions.emplace_back(lifetimeAction2);
policy.Attributes.ExpiryTime = "P48M";
Now we will update the key with the new rotation policy.
auto putPolicy = keyClient.UpdateKeyRotationPolicy(keyName, policy).Value;
std::cout << "Updated rotation policy " << putPolicy.Id << " for key "
<< createKeyResponse.Value.Name() << std::endl;
Next we will rotate the key and check the result of the api call.
auto originalKey = keyClient.GetKey(keyName);
auto rotatedKey = keyClient.RotateKey(keyName);
std::cout << "Rotated key " << originalKey.Value.Name() << std::endl
<< "Original version " << originalKey.Value.Properties.Version << std::endl
<< "New Version " << rotatedKey.Value.Properties.Version << std::endl;
The cloud RSA key is no longer needed, so we need to delete it from the Key Vault.
DeleteKeyOperation operation = keyClient.StartDeleteKey(rsaKeyName);
If the Azure Key Vault is soft delete-enabled and you want to permanently delete the key before its ScheduledPurgeDate
,
the deleted key needs to be purged. Before it can be purged, you need to wait until the key is fully deleted.
// You only need to wait for completion if you want to purge or recover the key.
operation.PollUntilDone(std::chrono::milliseconds(2000));
keyClient.PurgeDeletedKey(rsaKeyName);