This sample demonstrates how to create a key, update its rotation policy, and rotate the key in Azure Key Vault. To get started, you'll need a URI to an Azure Key Vault. See the README for links and instructions.
To create a new KeyClient to create, get, update, or delete keys, you need the endpoint to an Azure Key Vault and credentials.
Key Vault Keys client for C++ currently supports any TokenCredential for authenticating.
In the sample below, you can create a credential by setting the Tenant ID, Client ID and client secret as environment variables.
```cpp
auto credential = std::make_shared<Azure::Identity::DefaultAzureCredential>();
```

Then, in the sample below, you can set `keyVaultUrl` based on an environment variable, configuration setting, or any way that works for your application.

```cpp
auto const keyVaultUrl = std::getenv("AZURE_KEYVAULT_URL");
...
KeyClient keyClient(keyVaultUrl, credential);
```

Let's create an EC key. If the key already exists in the Azure Key Vault, then a new version of the key is created.
```cpp
auto keyName = "RotateKey-" + Azure::Core::Uuid::CreateUuid().ToString();
auto createKeyResponse = keyClient.CreateEcKey(CreateEcKeyOptions(keyName));
std::cout << "Created key " << createKeyResponse.Value.Name() << " with id "
          << createKeyResponse.Value.Id() << " and version "
          << createKeyResponse.Value.Properties.Version << std::endl;
```

Next, we define the key rotation policy as needed.
```cpp
KeyRotationPolicy policy;

// Notify 18 months before the key expires.
LifetimeActionsType lifetimeAction1;
lifetimeAction1.Trigger.TimeBeforeExpiry = "P18M";
lifetimeAction1.Action = LifetimeActionType::Notify;
policy.LifetimeActions.emplace_back(lifetimeAction1);

// Rotate the key 30 days before it expires.
LifetimeActionsType lifetimeAction2;
lifetimeAction2.Action = LifetimeActionType::Rotate;
lifetimeAction2.Trigger.TimeBeforeExpiry = "P30D";
policy.LifetimeActions.emplace_back(lifetimeAction2);

// Each new key version expires 48 months after creation.
policy.Attributes.ExpiryTime = "P48M";
```

Now we update the key with the new rotation policy.
```cpp
auto putPolicy = keyClient.UpdateKeyRotationPolicy(keyName, policy).Value;
std::cout << "Updated rotation policy " << putPolicy.Id << " for key "
          << createKeyResponse.Value.Name() << std::endl;
```

Next, we rotate the key and check the result of the API call.
```cpp
auto originalKey = keyClient.GetKey(keyName);
auto rotatedKey = keyClient.RotateKey(keyName);
std::cout << "Rotated key " << originalKey.Value.Name() << std::endl
          << "Original version " << originalKey.Value.Properties.Version << std::endl
          << "New Version " << rotatedKey.Value.Properties.Version << std::endl;
```

The key is no longer needed, so we delete it from the Key Vault.
```cpp
DeleteKeyOperation operation = keyClient.StartDeleteKey(keyName);
```

If the Azure Key Vault is soft-delete enabled and you want to permanently delete the key before its `ScheduledPurgeDate`, the deleted key needs to be purged. Before it can be purged, you need to wait until the key is fully deleted.

```cpp
// You only need to wait for completion if you want to purge or recover the key.
operation.PollUntilDone(std::chrono::milliseconds(2000));
keyClient.PurgeDeletedKey(keyName);
```
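The rotation policy defined above is expressed entirely as ISO 8601 durations, and a slip such as `P30M` where `P30D` was meant silently changes when the key rotates. As an added, self-contained example (not part of the SDK sample or the Azure SDK itself), the program below mirrors the policy fields with plain structs (`RotationPolicy`, `LifetimeAction`, `durationToDays` and `checkRotationPolicy` are this example's names, not SDK types), parses the durations, and checks that every trigger fires before the key expires, that exactly one Rotate action is present, and that a Notify fires no later than the Rotate. The month/year-to-days conversion and these rules are assumptions chosen for an ordering check, not Key Vault's own server-side validation.

```cpp
// Added example: sanity-check a key rotation policy before submitting it to Key Vault.
// Not SDK code; the structs below stand in for the policy fields used on this page.
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

enum class ActionKind { Notify, Rotate };

struct LifetimeAction {
    ActionKind Action;
    std::string TimeBeforeExpiry; // ISO 8601 duration such as "P30D"
};

struct RotationPolicy {
    std::vector<LifetimeAction> LifetimeActions;
    std::string ExpiryTime;       // ISO 8601 duration such as "P48M"
};

// Parse a date-only ISO 8601 duration (PnYnMnWnD) into an approximate number of days.
// Approximation (assumption, adequate for ordering checks): 1Y = 365D, 1M = 30D, 1W = 7D.
// Throws std::invalid_argument on anything else, including a time part ("PT12H").
long durationToDays(const std::string& iso) {
    if (iso.size() < 3 || iso[0] != 'P') throw std::invalid_argument("must start with P: " + iso);
    long days = 0, value = 0;
    bool haveDigits = false, sawComponent = false;
    for (size_t i = 1; i < iso.size(); ++i) {
        char c = iso[i];
        if (std::isdigit(static_cast<unsigned char>(c))) {
            value = value * 10 + (c - '0');
            haveDigits = true;
            continue;
        }
        if (!haveDigits) throw std::invalid_argument("designator without a number: " + iso);
        switch (c) {
            case 'Y': days += value * 365; break;
            case 'M': days += value * 30;  break;
            case 'W': days += value * 7;   break;
            case 'D': days += value;       break;
            default:  throw std::invalid_argument("unsupported designator in " + iso);
        }
        value = 0; haveDigits = false; sawComponent = true;
    }
    if (haveDigits || !sawComponent) throw std::invalid_argument("malformed duration: " + iso);
    return days;
}

// Returns an empty string when the policy is consistent, otherwise a description of the problem.
// Rules (this example's assumptions, not Key Vault's validation): every trigger fires before
// expiry, exactly one Rotate action exists, and a Notify fires no later than the Rotate so
// that operators are warned before the key material changes.
std::string checkRotationPolicy(const RotationPolicy& p) {
    long expiry;
    try { expiry = durationToDays(p.ExpiryTime); }
    catch (const std::invalid_argument& e) { return std::string("bad ExpiryTime: ") + e.what(); }
    if (expiry <= 0) return "ExpiryTime must be positive";

    int rotateCount = 0;
    long notifyBefore = -1, rotateBefore = -1;
    for (const auto& a : p.LifetimeActions) {
        long before;
        try { before = durationToDays(a.TimeBeforeExpiry); }
        catch (const std::invalid_argument& e) { return std::string("bad TimeBeforeExpiry: ") + e.what(); }
        if (before >= expiry) return "trigger " + a.TimeBeforeExpiry + " does not fall before expiry " + p.ExpiryTime;
        if (a.Action == ActionKind::Rotate) { ++rotateCount; rotateBefore = before; }
        else notifyBefore = before;
    }
    if (rotateCount != 1) return "policy needs exactly one Rotate action";
    if (notifyBefore >= 0 && notifyBefore < rotateBefore) return "Notify fires after Rotate; nobody is warned in time";
    return "";
}

// The policy from this page: notify 18 months before expiry, rotate 30 days before, expire after 48 months.
RotationPolicy pagePolicy() {
    RotationPolicy p;
    p.LifetimeActions.push_back({ActionKind::Notify, "P18M"});
    p.LifetimeActions.push_back({ActionKind::Rotate, "P30D"});
    p.ExpiryTime = "P48M";
    return p;
}

int main() {
    std::string problem = checkRotationPolicy(pagePolicy());
    std::cout << "page policy: " << (problem.empty() ? "OK" : problem) << '\n';

    RotationPolicy bad = pagePolicy();
    bad.ExpiryTime = "P1M"; // the P30D rotate trigger no longer falls before expiry
    std::cout << "shortened expiry: " << checkRotationPolicy(bad) << '\n';
    return 0;
}
```

Run the check before calling `UpdateKeyRotationPolicy`; a rejected policy here costs nothing, whereas a wrong one in the vault quietly delays the next rotation.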